Juniper Networks Junos OS and Junos OS Evolved Chassis Daemon Use-After-Free Vulnerability Leading to Denial-of-Service

Vulnerability

A use-after-free vulnerability has been identified in the chassis daemon (chassisd) of Juniper Networks Junos OS and Junos OS Evolved. It allows a network-based attacker with low privileges to cause a denial-of-service (DoS) condition. The issue is triggered when telemetry collectors subscribe to and unsubscribe from sensors frequently over an extended period, causing telemetry-capable processes such as chassisd, rpd or mib2d to crash and restart. Depending on the process, this can lead to a complete outage until the system recovers. The vulnerability affects all versions of Junos OS prior to 22.4R3-S8, as well as 23.2 versions before 23.2R2-S5 and 23.4 versions prior to 23.4R2. In Junos OS Evolved, all versions before 22.4R3-S8-EVO, 23.2 versions prior to 23.2R2-S5-EVO, and 23.4 versions before 23.4R2-EVO are affected. Devices are exposed only if gRPC services are configured.

Impact

Exploitation of this vulnerability causes the chassisd or rpd processes to crash, leading to a denial-of-service condition. This can result in a complete outage, depending on the affected process, until the system has recovered.

Remediation

Users can upgrade to Junos OS Evolved versions 22.4R3-S8-EVO, 23.2R2-S5-EVO, 23.4R2-EVO, 24.2R1-EVO, or any subsequent releases. For Junos OS, versions 22.4R3-S8, 23.2R2-S5, 23.4R2, 24.2R1, and all subsequent releases are recommended.
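The following helper is an added example, not part of this advisory entry or any Juniper tooling: it parses the Junos version strings in the forms used above (for example 22.4R3-S8, 23.4R2, 23.2R2-S5-EVO) and reports whether a running release falls inside the affected ranges stated here, plus the first fixed release on its branch. It assumes that branches the advisory does not name (such as 24.2) are not affected; confirm that against the vendor advisory before relying on it.

```python
import re
from typing import NamedTuple, Optional

# Fixed releases per branch, as stated in the advisory (release, service pack).
# Branches below 22.4 fall under "all versions prior to 22.4R3-S8".
# Assumption: branches not listed here (e.g. 24.2) are treated as not affected.
FIXED = {
    (22, 4): (3, 8),   # 22.4R3-S8 / 22.4R3-S8-EVO
    (23, 2): (2, 5),   # 23.2R2-S5 / 23.2R2-S5-EVO
    (23, 4): (2, 0),   # 23.4R2   / 23.4R2-EVO
}

# Only the version forms shown in the advisory are supported (hypothetical parser).
_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(-EVO)?$")


class JunosVersion(NamedTuple):
    major: int
    minor: int
    release: int   # the R number
    service: int   # the S number, 0 when absent
    evo: bool      # True for Junos OS Evolved (-EVO suffix)


def parse_version(text: str) -> JunosVersion:
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported Junos version string: {text!r}")
    major, minor, rel, svc, evo = m.groups()
    return JunosVersion(int(major), int(minor), int(rel), int(svc or 0), evo is not None)


def is_affected(text: str) -> bool:
    """True if the version lies inside one of the affected ranges above."""
    v = parse_version(text)
    branch = (v.major, v.minor)
    if branch < (22, 4):
        return True                      # every branch before 22.4
    fixed = FIXED.get(branch)
    if fixed is None:
        return False                     # branch not named in the advisory (assumption)
    return (v.release, v.service) < fixed


def fixed_release(text: str) -> Optional[str]:
    """First fixed release on the device's branch, or None if not affected."""
    if not is_affected(text):
        return None
    v = parse_version(text)
    branch = (v.major, v.minor) if (v.major, v.minor) in FIXED else (22, 4)
    rel, svc = FIXED[branch]
    label = f"{branch[0]}.{branch[1]}R{rel}" + (f"-S{svc}" if svc else "")
    return label + ("-EVO" if v.evo else "")
```

Feed it the output of `show version` (the "Junos:" line) from each device in a fleet inventory to produce an upgrade list; a ValueError means the string uses a build form this parser does not cover.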

Added: Jan 15, 2026, 9:19 PM
Updated: Jan 15, 2026, 9:19 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 4.9
remediation: 7.7
relevance: 2.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.