All versions of Juniper Networks Junos OS on EX Series: All versions prior to 14.1X53-D60; 14.2 versions prior to 14.2X53-D70, 14.3 versions prior to 14.3X53-D50; 15.1 versions prior to 15.1X53-D50; 15.2 versions prior to 15.2X53-D80.
All versions of Juniper Networks Junos OS on MX Series with SPC5: All versions prior to 18.3R3.
All versions of Juniper Networks Junos OS on MX Series with SPC6: All versions prior to 16.2R1.
All versions of Juniper Networks Junos OS on MX Series with SPC7: All versions prior to 17.3R1.
All versions of Juniper Networks Junos OS on MX Series with SPC8: All versions prior to 18.4R1.
Unauthenticated network attackers can exploit this vulnerability to inject crafted messages into the flowd process that causes latency in packet processing or even packet drop.
An attacker can send crafted messages using a control plane protocol such as ICMP, IP, or MPLS to flowd process at the firewall to cause latency in packet processing or even packet drop.
To exploit this vulnerability, an attacker must be connected to the network via a host with a Juniper Networks Junos OS installed.
Vulnerable Packet Types and Where They Are Passed Through
- ICMP: Packets sent to flowd process through the control plane from a host with Junos OS installed.
- IP: Packets originated from the firewall on netflowd server and passed through the control plane.
- MPLS: Packets originated from the firewall on netflowd server and passed through the control plane.
Products Affected
All versions of Juniper Networks Junos OS on EX Series: All versions prior to 14.1X53-D60; 14.2 versions prior to 14.2X53-D70, 14.3 versions prior to 14.3X53-D50; 15.1 versions prior to 15.1X53-D50; 15.2 versions prior to 15.2X53-D80
All versions of Juniper Networks Junos OS on MX Series with SPC5: All versions prior to 18.3R3
All versions of Juniper Networks Junos OS on MX Series with SPC6: All versions prior to 16.2R1
All versions of Juniper Networks Junos OS on MX Series with SPC7: All versions prior to 17.3R1
All versions of Juniper Networks Junos OS on MX Series with SPC8: All version
Vulnerable Packet Processing Behavior
An attacker can send crafted messages using a control plane protocol such as ICMP, IP, or MPLS to flowd process at the firewall to cause latency in packet processing or even packet drop.
When an unauthenticated network attacker sends a crafted message to flowd process at the firewall, it causes latency in packet processing or even packet drop. The specific behavior of this vulnerability is as follows:
- If the target host does not have a CPU affinity set for packets with TTL equal to 128 bytes or less and the target host does not have any other queuing rules configured, then that packet is dropped.
- If the target host has a CPU affinity set for packets with TTL equal to 128 bytes or less and there are no other queuing rules configured, then that packet is dropped after 128 bytes have been transmitted in one direction.
It is possible for this vulnerability to be exploited when Junos OS is running on EX Series devices prior to 14.1X53-D60; 14.2 versions prior to 14.2X53-D70; 14.3 versions prior to 14.3X53-D50; 15.1 versions prior to 15.1X53-D50; 15.2 versions prior to 15.2X53-D80; 18 SP C6 MX SPC6 devices running 16SR1 and 17 SR1 devices running 17 SR1 device builds .
Symptoms of Juniper Networks Flowd Vulnerability
- Juniper Networks flowd process is not processing packets as quickly
- Packets are dropped in the firewall or in an adjacent device
- Packets are dropped at a firewall router
- Packets may be delayed and/or be processed out of order
Timeline
Published on: 01/19/2022 01:15:00 UTC
Last modified on: 01/28/2022 17:55:00 UTC