CVE-2024-21587 is a vulnerability in Juniper Networks Junos OS specifically affecting the MX Series routers. The flaw resides in the broadband edge subscriber management daemon (bbe-smgd), which is responsible for managing DHCP subscriber sessions. When Bidirectional Forwarding Detection (BFD) liveness detection for DHCP subscribers is enabled, an attacker who has direct network access to the vulnerable system can repeatedly flap DHCP subscriber sessions. This action causes a slow memory leak within the bbe-smgd process. Over time, the leaked memory accumulates, leading to memory starvation and ultimately causing a Denial of Service (DoS) condition. The memory leak is subtle and incremental, observable by monitoring the memory usage of bbe-smgd via the 'show system processes extensive' command, which will show a gradual increase in memory allocation. The leaked memory is only recoverable by manually restarting the bbe-smgd daemon, which disrupts subscriber management services. This vulnerability affects multiple versions of Junos OS prior to specific patched releases across versions 20.4 through 23.2. The CVSS v3.1 base score is 6.5 (medium severity), reflecting that the attack vector is adjacent network (AV:A), requires no privileges (PR:N), no user interaction (UI:N), and impacts availability (A:H) without affecting confidentiality or integrity. No known exploits are currently reported in the wild. The vulnerability is categorized under CWE-755, indicating improper handling of exceptional conditions, specifically related to resource management in the daemon.

For European organizations, especially those relying on Juniper MX Series routers for broadband edge subscriber management, this vulnerability poses a risk of service disruption. The slow memory leak can degrade router performance over time, leading to denial of service conditions that interrupt DHCP subscriber session management. This can affect ISPs, telecommunications providers, and enterprises with large subscriber bases or critical network infrastructure. The impact includes potential loss of connectivity for end-users, degraded network reliability, and operational overhead due to the need for manual intervention to restart the affected daemon. Given that the attack requires adjacency (direct network access) and the presence of BFD liveness detection enabled for DHCP subscribers, the threat is more pronounced in environments where these configurations are common. Disruptions in broadband edge services can have cascading effects on business operations, customer satisfaction, and regulatory compliance, particularly in sectors with stringent uptime requirements such as finance, healthcare, and public services.

1. Immediate mitigation involves disabling BFD liveness detection for DHCP subscribers if feasible, as systems without BFD enabled are not vulnerable. 2. Apply the latest Junos OS patches from Juniper Networks that address this vulnerability. Ensure all MX Series routers are updated to versions at or beyond the fixed releases (e.g., 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, etc.). 3. Implement network segmentation and access controls to limit adjacency access to the MX Series routers, reducing the attack surface. 4. Monitor the memory usage of the bbe-smgd process regularly using 'show system processes extensive' to detect early signs of memory leaks. 5. Automate alerts for abnormal memory growth in bbe-smgd to enable proactive response before service degradation occurs. 6. Prepare operational procedures for rapid restart of the bbe-smgd daemon to restore service if memory exhaustion is detected. 7. Conduct configuration reviews to ensure that only necessary features are enabled and that BFD liveness detection is used judiciously. 8. Engage with Juniper support for guidance and to verify patch applicability in complex network environments.