{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-21616","assignerOrgId":"8cbe9d5a-a066-4c94-8978-4b15efeae968","state":"PUBLISHED","assignerShortName":"juniper","dateReserved":"2023-12-27T19:38:25.710Z","datePublished":"2024-01-12T00:56:20.566Z","dateUpdated":"2025-06-17T14:43:11.964Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["MX Series","SRX Series"],"product":"Junos OS","vendor":"Juniper Networks","versions":[{"lessThan":"21.2R3-S6","status":"affected","version":"0","versionType":"semver"},{"lessThan":"21.3R3-S5","status":"affected","version":"21.3","versionType":"semver"},{"lessThan":"21.4R3-S5","status":"affected","version":"21.4","versionType":"semver"},{"lessThan":"22.1R3-S4","status":"affected","version":"22.1","versionType":"semver"},{"lessThan":"22.2R3-S3","status":"affected","version":"22.2","versionType":"semver"},{"lessThan":"22.3R3-S1","status":"affected","version":"22.3","versionType":"semver"},{"lessThan":"22.4R2-S2, 22.4R3","status":"affected","version":"22.4","versionType":"semver"},{"lessThan":"23.2R1-S1, 23.2R2","status":"affected","version":"23.2","versionType":"semver"}]}],"configurations":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>To be affected the SIP ALG needs to be enabled, either implicitly / by default or by way of configuration.</p><p>Please verify on SRX with:</p><code>  user@host&gt; show security alg status | match sip</code><br/><code>  SIP : Enabled</code><br/><p>Please verify on MX whether the following is configured:</p><code>  user@host&gt; show security alg status | match sip</code><br/><code>  SIP : Enabled</code><br/><code>  [services ... rule &lt;rule-name&gt; (term &lt;term-name&gt; ) from/match application/application-set &lt;name&gt;]</code><br/><p>where either</p><code>  a. name = junos-sip</code><br/><p>or an application or application-set refers to SIP:</p><code>  b. [applications application &lt;name&gt; application-protocol sip]</code><br/><p>or</p><code>  c. [applications application-set &lt;name&gt; application junos-sip]</code><br/>"}],"value":"To be affected the SIP ALG needs to be enabled, either implicitly / by default or by way of configuration.\n\nPlease verify on SRX with:\n\n  user@host> show security alg status | match sip\n  SIP : Enabled\nPlease verify on MX whether the following is configured:\n\n  user@host> show security alg status | match sip\n  SIP : Enabled\n  [services ... rule <rule-name> (term <term-name> ) from/match application/application-set <name>]\nwhere either\n\n  a. name = junos-sip\nor an application or application-set refers to SIP:\n\n  b. [applications application <name> application-protocol sip]\nor\n\n  c. [applications application-set <name> application junos-sip]\n"}],"datePublic":"2024-01-10T17:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"\n\n<p>An Improper Validation of Syntactic Correctness of Input vulnerability in Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause Denial of Service (DoS).</p><p>On all Junos OS MX Series and SRX Series platforms, when SIP ALG is enabled, and a specific SIP packet is received and processed, NAT IP allocation fails for genuine traffic, which causes Denial of Service (DoS). Continuous receipt of this specific SIP ALG packet will cause a sustained DoS condition.</p><p>NAT IP usage can be monitored by running the following command.</p><code>user@srx&gt; show security nat resource-usage source-pool &lt;source_pool_name&gt;</code><br><p></p><code>Pool name: source_pool_name</code><br><code>..</code><br><code>Address Factor-index Port-range Used Avail Total Usage</code><br><code>X.X.X.X</code><br><code>0 Single Ports 50258 52342 62464 96% &lt;&lt;&lt;&lt;&lt;</code><br><code>- Alg Ports 0 2048 2048 0%</code><br><p>This issue affects:</p><p>Juniper Networks Junos OS on MX Series and SRX Series</p><p></p><ul><li>All versions earlier than 21.2R3-S6;</li><li>21.3 versions earlier than 21.3R3-S5;</li><li>21.4 versions earlier than 21.4R3-S5;</li><li>22.1 versions earlier than 22.1R3-S4;</li><li>22.2 versions earlier than 22.2R3-S3;</li><li>22.3 versions earlier than 22.3R3-S1;</li><li>22.4 versions earlier than 22.4R2-S2, 22.4R3;</li><li>23.2 versions earlier than 23.2R1-S1, 23.2R2.</li></ul><p></p>\n\n"}],"value":"\nAn Improper Validation of Syntactic Correctness of Input vulnerability in Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause Denial of Service (DoS).\n\nOn all Junos OS MX Series and SRX Series platforms, when SIP ALG is enabled, and a specific SIP packet is received and processed, NAT IP allocation fails for genuine traffic, which causes Denial of Service (DoS). Continuous receipt of this specific SIP ALG packet will cause a sustained DoS condition.\n\nNAT IP usage can be monitored by running the following command.\n\nuser@srx> show security nat resource-usage source-pool <source_pool_name>\n\n\nPool name: source_pool_name\n..\nAddress Factor-index Port-range Used Avail Total Usage\nX.X.X.X\n0 Single Ports 50258 52342 62464 96% <<<<<\n- Alg Ports 0 2048 2048 0%\nThis issue affects:\n\nJuniper Networks Junos OS on MX Series and SRX Series\n\n\n\n  *  All versions earlier than 21.2R3-S6;\n  *  21.3 versions earlier than 21.3R3-S5;\n  *  21.4 versions earlier than 21.4R3-S5;\n  *  22.1 versions earlier than 22.1R3-S4;\n  *  22.2 versions earlier than 22.2R3-S3;\n  *  22.3 versions earlier than 22.3R3-S1;\n  *  22.4 versions earlier than 22.4R2-S2, 22.4R3;\n  *  23.2 versions earlier than 23.2R1-S1, 23.2R2.\n\n\n\n\n\n\n"}],"exploits":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>Juniper SIRT is not aware of any malicious exploitation of this vulnerability.</p>"}],"value":"Juniper SIRT is not aware of any malicious exploitation of this vulnerability.\n\n"}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1286","description":"CWE-1286: Improper Validation of Syntactic Correctness of Input","lang":"en","type":"CWE"}]},{"descriptions":[{"description":"Denial of Service (DoS)","lang":"en"}]}],"providerMetadata":{"orgId":"8cbe9d5a-a066-4c94-8978-4b15efeae968","shortName":"juniper","dateUpdated":"2024-01-12T00:56:20.566Z"},"references":[{"tags":["vendor-advisory"],"url":"https://supportportal.juniper.net/JSA75757"},{"tags":["technical-description"],"url":"https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>The following software releases have been updated to resolve this specific issue: Junos OS 21.2R3-S6, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S1, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1, and all subsequent releases.</p>"}],"value":"The following software releases have been updated to resolve this specific issue: Junos OS 21.2R3-S6, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S1, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1, and all subsequent releases.\n\n"}],"source":{"advisory":"JSA75757","defect":["1702811"],"discovery":"USER"},"timeline":[{"lang":"en","time":"2024-01-10T17:00:00.000Z","value":"Initial Publication"}],"title":"Junos OS: MX Series and SRX Series: Processing of a specific SIP packet causes NAT IP allocation to fail","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>There are no known workarounds for this issue, but it should be considered to disable the SIP ALG if it's not strictly needed.</p>"}],"value":"There are no known workarounds for this issue, but it should be considered to disable the SIP ALG if it's not strictly needed.\n\n"}],"x_generator":{"engine":"Vulnogram 0.1.0-av217"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-01T22:27:35.547Z"},"title":"CVE Program Container","references":[{"tags":["vendor-advisory","x_transferred"],"url":"https://supportportal.juniper.net/JSA75757"},{"tags":["technical-description","x_transferred"],"url":"https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]},{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-02-08T20:39:11.105269Z","id":"CVE-2024-21616","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-06-17T14:43:11.964Z"}}]}}