A Protection Mechanism Failure vulnerability in kernel filter processing of Juniper Networks Junos OS allows an attacker sending IPv6 traffic destined to the device to effectively bypass any firewall filtering configured on the interface.
Due to an issue with Junos OS kernel filter processing, the payload-protocol match is not being supported, causing any term containing it to accept all packets without taking any other action. In essence, these firewall filter terms were being processed as an accept for all traffic on the interface destined for the control plane, even when used in combination with other match criteria.
This issue only affects firewall filters protecting the devices control plane. Transit firewall filtering is unaffected by this vulnerability.
This issue affects Junos OS:
This is a more complete fix for previously published CVE-2024-21607 (JSA75748).
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.