---

Published: 2022  
CVE ID: CVE-2022-22173  
Vendor: Juniper Networks  
Component: Junos OS, Public Key Infrastructure Daemon (pkid)  
Severity: High  
Exploitation Type: Remote (Unauthenticated)  
Weakness: Missing Release of Memory after Effective Lifetime (CWE-401)  
Attack Impact: Denial of Service (DoS)

1. Overview

In early 2022, a major vulnerability—CVE-2022-22173—was disclosed for Juniper Networks’ popular Junos OS. This vulnerability is rooted in a memory leak within the Public Key Infrastructure Daemon (pkid), specifically triggered when using Public Key Infrastructure (PKI) alongside Certificate Revocation Lists (CRLs).

An unauthenticated attacker can repeatedly cause the device to attempt CRL downloads (which fail), causing pkid to leak memory each time. Over time, this leads to memory exhaustion and renders affected Juniper devices inoperable, resulting in a Denial of Service (DoS).

A fix requires upgrading to non-affected versions.

21.2 < 21.2R1-S1, < 21.2R2

*If you’re running an affected version, immediate patching is highly recommended.*

3. Attack Scenario & Exploit Details

The heart of CVE-2022-22173 is quite simple: If PKI is configured to use a CRL, and the device fails to download that CRL (for example, the remote server is unreachable or returns errors), the pkid process allocates but doesn’t release memory each time.  
An attacker just has to repeatedly trigger the device to fetch a CRL from an invalid or unreachable location. Each attempt leaks a bit more memory, leading the pkid process to balloon until the device crashes or becomes unusable.

You can observe the memory growth with this command on a Junos device:

```
> show system processes extensive | match pki

# Example output over time (note pkid memory increase):

20931 root      20     733M 14352K select   :00  .00% pkid              # Memory use before attack
22587 root      20     901M 181M   select   :03  .00% pkid              # After several failed CRLs
```

To illustrate, here's a simplified code snippet showing how a memory leak like this might occur:

```c
#include <stdlib.h>

// Hypothetical CRL fetch routine. crl_t, download_crl(), process_crl()
// and SUCCESS are placeholders for illustration, not Juniper's code.
void fetch_and_process_crl(const char* crl_url) {
    crl_t* crl_mem = malloc(sizeof(crl_t));
    if (!crl_mem) return; // allocation failed

    if (download_crl(crl_url, crl_mem) != SUCCESS) {
        // oops! we forgot to free crl_mem here
        return; // Memory leak if download fails!
    }
    process_crl(crl_mem);
    free(crl_mem); // only the success path releases the buffer
}
```


In the above pseudo-code, if download_crl() fails, crl_mem is not freed—a textbook memory leak! This seems to be the root pattern in Juniper’s pkid daemon leading to CVE-2022-22173.

show system processes extensive | match pki

- Review /var/log/messages and /var/log/pki-*.log for repeated CRL download failures.

> Tip: Set up internal alerts for unusually high pkid memory usage.
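
One way to implement the alert suggested in the tip above, as an added example (not code from Juniper or from the original post): it parses periodic samples of the `show system processes extensive | match pki` output and flags sustained growth in pkid resident memory. The function names, the 50 MiB/hour threshold, the column layout assumption and the sample lines are all assumptions made for illustration.

```python
import re

# Constructed samples in the shape of the `show system processes extensive | match pki`
# output shown above: (seconds since first poll, raw line). Not captured from a device.
SAMPLES = [
    (0,    "20931 root 20 733M 14352K select 0:00 0.00% pkid"),
    (600,  "20931 root 20 790M 61M select 0:01 0.00% pkid"),
    (1200, "20931 root 20 845M 118M select 0:02 0.00% pkid"),
    (1800, "20931 root 20 901M 181M select 0:03 0.00% pkid"),
]

UNIT_KIB = {"K": 1, "M": 1024, "G": 1024 * 1024}
MEM_TOKEN = re.compile(r"^(\d+)([KMG])$")

def parse_pkid_line(line):
    """Return (pid, size_kib, res_kib) or None if the line is not a pkid row."""
    fields = line.split()
    if len(fields) < 3 or fields[-1] != "pkid" or not fields[0].isdigit():
        return None
    # Assumption: the first two memory-sized tokens are SIZE then RES.
    mem = [MEM_TOKEN.match(f) for f in fields[1:-1]]
    mem = [int(m.group(1)) * UNIT_KIB[m.group(2)] for m in mem if m]
    if len(mem) < 2:
        return None
    return int(fields[0]), mem[0], mem[1]

def pkid_growth_alert(samples, max_kib_per_hour=50 * 1024, min_points=3):
    """Alert when resident memory of one pkid PID rises at every sample and
    faster than the threshold. A PID change (daemon restart) resets the window."""
    window = []
    for ts, line in samples:
        parsed = parse_pkid_line(line)
        if parsed is None:
            continue
        pid, _size, res = parsed
        if window and window[-1][1] != pid:
            window = []
        window.append((ts, pid, res))
    if len(window) < min_points:
        return None
    rising = all(b[2] > a[2] for a, b in zip(window, window[1:]))
    hours = (window[-1][0] - window[0][0]) / 3600
    rate = (window[-1][2] - window[0][2]) / hours if hours > 0 else 0.0
    if rising and rate > max_kib_per_hour:
        return {"pid": window[-1][1], "res_kib": window[-1][2], "kib_per_hour": round(rate)}
    return None
```

Correlating an alert from this check with repeated CRL download failures in the PKI logs separates the leak described here from ordinary load.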

6. Exploitation in the Wild

There are no reports (as of publishing) of this being massively exploited, but the exploit is trivial. Anyone on the network—without authentication—can starve the system of memory by repeatedly causing CRL retrieval failures.

Upgrade your Junos OS!

- Fixed versions are listed in the Juniper Security Bulletin

8. References

- Juniper Security Advisory JSA69876
- NVD Entry for CVE-2022-22173
- CWE-401: Missing Release of Memory after Effective Lifetime

9. Final Thoughts

Mismanagement of memory is a classic source of security bugs—and in network edge devices, such as Junos OS routers, these can be catastrophic. CVE-2022-22173 shows how blocking or manipulating external PKI infrastructure can be turned into a devastating denial-of-service with just a few failed fetches. Time to keep a close eye on those logs and keep your Junos installations up to date.

Timeline

Published on: 01/19/2022 01:15:00 UTC
Last modified on: 02/01/2022 20:37:00 UTC