A traffic classification vulnerability has been identified in Juniper Networks Junos OS on SRX Series Services Gateways, specifically in the Juniper Deep Packet Inspection (JDPI) functionality. The vulnerability, tracked as CVE-2022-22157, occurs when the 'no-syn-check' setting is enabled on the device; it potentially allows an attacker to bypass JDPI rules and access unauthorized networks or resources. In this long-read post, we provide an overview of the vulnerability, including code snippets, links to original references, and details about exploitation. The aim is to give a comprehensive understanding of the potential risks associated with this vulnerability and to emphasize the importance of updating to the latest, patched software version.

Vulnerability Details

JDPI is designed to provide advanced traffic classification capabilities for network security devices such as firewalls. However, in affected Junos OS versions, JDPI incorrectly classifies out-of-state asymmetric TCP flows as the dynamic-application INCONCLUSIVE instead of UNKNOWN. As a result, the firewall forwards traffic that should have been denied. The issue arises only when the 'set security flow tcp-session no-syn-check' configuration is set on the device.

21.1 versions prior to 21.1R1-S1, 21.1R2

Juniper Networks Junos OS versions prior to 18.4R1 are not affected by this vulnerability.

When the 'no-syn-check' setting is enabled on the device, the following configuration is present:

set security flow tcp-session no-syn-check

Exploitation Details

An attacker could exploit this vulnerability by creating out-of-state asymmetric TCP flows with the intention of bypassing the JDPI rules. Because JDPI misclassifies these flows, the attacker could gain unauthorized access to the network or resources protected by the firewall, potentially leading to further security breaches.

21.1R1-S1, 21.1R2

Additionally, users should disable the 'no-syn-check' setting if it is not required for their network operation, as this issue only surfaces when the 'no-syn-check' configuration is present.
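
To find where the setting is present before deciding whether it can be removed, the following added example (not part of the original advisory or of any Juniper tooling) audits configuration text in the 'display set' format for the 'no-syn-check' statement. The sample configuration, host name and group name are constructed for illustration, and the function name is hypothetical; statements found inside a configuration group still need a manual check of where that group is applied.

```python
# Added example: audit Junos "display set" output for the no-syn-check knob.
# SAMPLE_CONFIG is constructed for illustration; it is not from a real device.
KNOB = ("security", "flow", "tcp-session", "no-syn-check")

SAMPLE_CONFIG = """\
set system host-name srx-lab
set security flow tcp-session no-syn-check-in-tunnel
set security flow tcp-session no-syn-check
set groups asym-lab security flow tcp-session no-syn-check
deactivate groups asym-lab security flow
"""


def audit_no_syn_check(config_text):
    """Return (scope, active) for each place the knob is configured.

    scope is "global" or "group:<name>"; active is False when the statement
    itself or any parent hierarchy has been deactivated.
    """
    set_paths, inactive_paths = [], []
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2:
            continue
        if tokens[0] == "set":
            set_paths.append(tuple(tokens[1:]))
        elif tokens[0] == "deactivate":
            inactive_paths.append(tuple(tokens[1:]))

    findings = []
    for path in set_paths:
        # Exact token match, so no-syn-check-in-tunnel is not reported.
        if path[-len(KNOB):] != KNOB:
            continue
        prefix = path[:-len(KNOB)]
        if prefix == ():
            scope = "global"
        elif len(prefix) == 2 and prefix[0] == "groups":
            scope = "group:" + prefix[1]
        else:
            continue  # other hierarchies are outside this example's scope
        # A deactivate on the statement or an ancestor makes it inactive.
        active = not any(path[:len(d)] == d for d in inactive_paths)
        findings.append((scope, active))
    return findings


if __name__ == "__main__":
    for scope, active in audit_no_syn_check(SAMPLE_CONFIG):
        print(scope, "ACTIVE" if active else "inactive")
```
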

For further information on this vulnerability, refer to the following sources:

- Juniper Networks Security Advisory: [https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11329]
- CVE Details: [https://nvd.nist.gov/vuln/detail/CVE-2022-22157]

Conclusion

The CVE-2022-22157 vulnerability highlights the importance of maintaining up-to-date software on network security devices, as outdated software may contain critical vulnerabilities that can be exploited by attackers. By updating to the latest, patched Junos OS versions, users can ensure their devices are shielded from this particular vulnerability, thereby maintaining the integrity and security of their networks.

Timeline

Published on: 01/19/2022 01:15:00 UTC
Last modified on: 01/28/2022 20:00:00 UTC