CVE-2024-21604: CWE-770 Allocation of Resources Without Limits or Throttling in Juniper Networks Junos OS Evolved
An Allocation of Resources Without Limits or Throttling vulnerability in the kernel of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). If a high rate of specific valid packets is processed by the routing engine (RE), this will lead to a loss of connectivity of the RE with other components of the chassis and thereby a complete and persistent system outage. Please note that a carefully designed lo0 firewall filter will block or limit these packets, which should prevent this issue from occurring.
The following log messages can be seen when this issue occurs:
<host> kernel: nf_conntrack: nf_conntrack: table full, dropping packet
This issue affects Juniper Networks Junos OS Evolved:
* All versions earlier than 20.4R3-S7-EVO;
* 21.2R1-EVO and later versions;
* 21.4-EVO versions earlier than 21.4R3-S5-EVO;
* 22.1-EVO versions earlier than 22.1R3-S2-EVO;
* 22.2-EVO versions earlier than 22.2R3-EVO;
* 22.3-EVO versions earlier than 22.3R2-EVO;
* 22.4-EVO versions earlier than 22.4R2-EVO.
AI Analysis
Technical Summary
CVE-2024-21604 is a high-severity vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting Juniper Networks Junos OS Evolved. The flaw resides in the kernel of Junos OS Evolved and allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS) condition. The root cause is the absence of resource allocation limits or throttling when the routing engine (RE) processes a high rate of specific valid packets. When these packets flood the RE, the kernel's connection tracking table is exhausted, as indicated by kernel log messages such as "nf_conntrack: table full, dropping packet." The RE then loses connectivity with other chassis components, causing a complete and persistent system outage. The vulnerability affects multiple versions of Junos OS Evolved: all versions earlier than 20.4R3-S7-EVO, 21.2R1-EVO and later, and the 21.4-EVO through 22.4-EVO release trains before their respective fixed releases listed in the description. Exploitation requires no authentication or user interaction and can be performed remotely over the network. Although no known exploits are currently reported in the wild, the vulnerability's nature and ease of exploitation make it a significant threat. Mitigation can be partially achieved by deploying a carefully designed lo0 firewall filter to block or limit the specific packet types that trigger the issue. However, the ultimate resolution requires applying vendor patches once available. This vulnerability impacts the availability of critical network infrastructure components, potentially disrupting enterprise and service provider networks relying on Junos OS Evolved devices.
Potential Impact
For European organizations, the impact of CVE-2024-21604 can be substantial, especially for those relying on Juniper Networks Junos OS Evolved in their core routing infrastructure. The Denial of Service condition can cause prolonged outages of routing engines, leading to network downtime, loss of connectivity, and disruption of critical business services. This can affect sectors such as telecommunications, finance, government, and large enterprises where network availability is paramount. Given the unauthenticated and network-based nature of the attack, threat actors could remotely target vulnerable devices without needing internal access, increasing the risk of widespread disruption. The loss of routing engine connectivity within chassis can also complicate recovery efforts, potentially requiring hardware resets or manual intervention. Additionally, the inability to process legitimate traffic during an attack can degrade network performance and availability, impacting end-users and customers. The vulnerability could also be leveraged as part of a larger attack chain to distract or degrade defenses during more sophisticated intrusions. European organizations with critical infrastructure or those subject to stringent regulatory requirements for network uptime and resilience should consider this vulnerability a high operational risk.
Mitigation Recommendations
1. Immediate deployment of a carefully designed lo0 firewall filter on Junos OS Evolved devices to block or rate-limit the specific packet types that trigger the nf_conntrack table exhaustion. This filter should be tested in a controlled environment before production deployment to avoid unintended service disruption.
2. Monitor kernel logs for messages indicating nf_conntrack table saturation to detect potential exploitation attempts early.
3. Apply vendor-provided patches or updates as soon as they become available for the affected Junos OS Evolved versions.
4. Implement network segmentation and ingress filtering to limit exposure of vulnerable devices to untrusted networks, reducing the attack surface.
5. Regularly audit and update network device configurations to ensure adherence to security best practices and minimize unnecessary exposure of management interfaces.
6. Establish incident response procedures specific to network device DoS scenarios to enable rapid recovery and mitigation.
7. Engage with Juniper Networks support and subscribe to security advisories to stay informed about updates or additional mitigations related to this vulnerability.
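Recommendation 2 above can be turned into a concrete check. The following is an added example, not code from the advisory or from Juniper: it scans syslog-style kernel lines for the "table full, dropping packet" message named in the description and raises a per-host alert only when the message repeats within a short window, since a single occurrence can also appear under legitimate load. The line layout ("<ISO timestamp> <host> kernel: <message>") and the sample log are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kernel message quoted in the Juniper advisory for CVE-2024-21604.
CONNTRACK_FULL = "nf_conntrack: table full, dropping packet"

# Assumed syslog layout: "<ISO timestamp> <host> kernel: <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+kernel:\s+(?P<msg>.*)$")

# Constructed sample log: re0 logs three conntrack-full messages in a few
# seconds (alert-worthy); re1 logs a single isolated one (not alert-worthy).
SAMPLE_LOG = """\
2025-01-15T10:00:01 re0 kernel: nf_conntrack: nf_conntrack: table full, dropping packet
2025-01-15T10:00:02 re0 kernel: nf_conntrack: nf_conntrack: table full, dropping packet
2025-01-15T10:00:05 re0 kernel: eth0: link up
2025-01-15T10:00:07 re0 kernel: nf_conntrack: nf_conntrack: table full, dropping packet
2025-01-15T10:05:00 re1 kernel: nf_conntrack: nf_conntrack: table full, dropping packet
"""


def parse_line(line):
    """Return (timestamp, host, message) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("host"), m.group("msg")


def conntrack_alerts(lines, threshold=3, window=timedelta(seconds=60)):
    """Map host -> timestamp of the first alert, raised when `threshold` or
    more conntrack-full messages from that host fall inside a sliding window.
    Lines are assumed to be in chronological order, as in a syslog file."""
    recent = defaultdict(list)  # host -> timestamps of matching messages
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if CONNTRACK_FULL not in msg:
            continue
        hits = recent[host]
        hits.append(ts)
        while hits and ts - hits[0] > window:  # expire hits outside the window
            hits.pop(0)
        if len(hits) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts


if __name__ == "__main__":
    for host, when in conntrack_alerts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {host}: conntrack table saturation at {when.isoformat()}")
```

Tune `threshold` and `window` to the normal conntrack behaviour of the device before relying on the alert, and correlate it with the lo0 filter's counters.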
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: juniper
- Date Reserved: 2023-12-27T19:38:25.707Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683f034b182aa0cae27e66cb
Added to database: 6/3/2025, 2:14:35 PM
Last enriched: 7/3/2025, 9:42:19 PM
Last updated: 7/30/2025, 12:44:53 PM