Stratos Ally

Juniper Releases Emergency Patch to Fix Severe Smart Router Vulnerability 


StratosAlly


When seconds count in cybersecurity, Juniper Networks has answered the call. The company has promptly released an emergency patch for a major authentication bypass vulnerability, CVE-2024-2973, which carries the highest CVSS score of 10, signifying its severity.

The vulnerability affects Juniper Networks’ Session Smart Router, Session Smart Conductor, and WAN Assurance Router. If left unpatched, it could allow a malicious actor to gain full control over an affected device. The company’s advisory specifies that only routers or conductors running in high-availability redundant configurations are at risk.

The vulnerability was discovered during routine internal security testing, and Juniper has assured customers that there is no evidence of it being exploited in the wild. The company strongly advises updating immediately to the fixed versions: Session Smart Routers SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts, and subsequent releases.

For deployments managed by a Conductor node, updating the Conductor alone is sufficient to protect all connected routers. Juniper still recommends upgrading the routers themselves as a best practice, but the routers will not be vulnerable once they are linked to an updated Conductor.
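The guidance above can be turned into a quick inventory triage. The following Python sketch is an added example, not code from Juniper or from this article. The record fields, function names and sample devices are hypothetical. It assumes that a release counts as fixed only when it is at or above the listed fix in its own branch or belongs to a branch newer than 6.2, and that Conductor versions are compared against the same list.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(5, 6): 15, (6, 1): 9, (6, 2): 5}
NEWEST_LISTED_BRANCH = max(FIXED)

def parse_version(text):
    """Turn 'SSR-6.1.9-lts' or '6.1.9' into (6, 1, 9)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_fixed(version):
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return patch >= FIXED[branch]
    # Assumption: branches newer than the newest listed one count as
    # "subsequent releases"; older unlisted branches need an upgrade.
    return branch > NEWEST_LISTED_BRANCH

def triage(device):
    """Classify one inventory record (hypothetical schema)."""
    if is_fixed(device["version"]):
        return "fixed"
    conductor = device.get("conductor_version")
    if conductor and is_fixed(conductor):
        return "protected-by-conductor"  # upgrade still recommended
    if not device["ha"]:
        return "not-ha"                  # only HA setups are at risk
    return "at-risk"

# Constructed sample inventory, not real devices.
INVENTORY = [
    {"name": "edge-a", "version": "6.1.8-lts", "ha": True, "conductor_version": None},
    {"name": "edge-b", "version": "6.1.8-lts", "ha": True, "conductor_version": "6.2.5-sts"},
    {"name": "branch-c", "version": "5.6.14", "ha": False, "conductor_version": None},
    {"name": "core-d", "version": "SSR-6.2.5-sts", "ha": True, "conductor_version": None},
]

def report(inventory=INVENTORY):
    return {d["name"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name}: {status}")
```

Devices reported as `not-ha` or `protected-by-conductor` are outside the at-risk set described above but are still running a release older than the fixed ones.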

Juniper has also emphasized that the fix is non-disruptive to production traffic. Users might experience a brief downtime of less than 30 seconds for web-based management and APIs, but the routers' data plane functions remain unaffected, ensuring minimal impact on network operations.

This proactive measure by Juniper highlights the importance of timely updates in maintaining network security and protecting against potential threats.
