Juniper Networks Junos OS and Junos OS Evolved 802.1X Authentication Daemon Use-After-Free Vulnerability Allowing Denial-of-Service and Potential Arbitrary Code Execution

A use-after-free vulnerability has been identified in the 802.1X authentication daemon (dot1xd) of Juniper Networks Junos OS and Junos OS Evolved. This vulnerability could allow an authenticated, network-adjacent attacker to cause a denial-of-service by crashing the dot1xd process, or potentially execute arbitrary code within the context of the process running as root. The issue arises when a change in authorization (CoA) is processed during a port bounce, leading to a pointer being freed and then referenced again later in the same code path. Successful exploitation requires precise timing of these events, making it difficult to control.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition by crashing the dot1xd process, or allow for arbitrary code execution with root privileges, within the context of the affected process.

Remediation

Users can upgrade to Junos OS versions 23.2R2-S5, 23.4R2-S6, 24.2R2-S3, 24.4R2-S1, 25.2R1-S2, 25.2R2, 25.4R1, and all subsequent releases. For Junos OS Evolved, the updated versions are 23.2R2-S5-EVO, 23.4R2-S6-EVO, 24.2R2-S3-EVO, 24.4R2-S1-EVO, 25.2R1-S2-EVO, 25.2R2-EVO, 25.4R1-EVO.