In early 2022, a critical vulnerability was discovered in Juniper Networks' Junos OS that threatened the reliability of enterprise firewalls and routers. Identified as CVE-2022-22198, this flaw allows a remote, unauthenticated attacker to crash affected networking hardware—and because of how it works, attackers could keep the system offline indefinitely by simply repeating the exploit.
This article explains how CVE-2022-22198 works, shows example packet content, provides reference links, and explores mitigation steps in plain English—so anyone responsible for Juniper devices can understand what’s at risk, and what to do next.
## What is CVE-2022-22198?
CVE-2022-22198 is an "Access of Uninitialized Pointer" vulnerability in the SIP Application Layer Gateway (ALG) module of Juniper Networks Junos OS—commonly used on MX and SRX routers/firewalls.
If the SIP ALG feature is enabled, a remote attacker can crash the network services module (SPC, MS-MIC, or MS-MPC) by sending a specially crafted SIP message containing a malformed Contact header. Each time Junos receives one of these bad messages, the service module crashes. If the attacker repeatedly sends such packets, they can create a persistent Denial of Service (DoS).
NOT affected: Versions prior to 20.4R1
Critical: This vulnerability is pre-auth, meaning anyone on the network—or even across the internet if the device is exposed—can use it without a password.
## How Does the Exploit Work?
The SIP ALG is designed to help VoIP traffic traverse NAT and firewalls by rewriting SIP headers. Unfortunately, if SIP packets with certain malformed Contact headers are received, Junos can reference a pointer that was never initialized (think: trying to use something that doesn't exist), causing the processing module to crash.
Side Effect:
Any dependent processes or services may be interrupted until the crashed module restarts. If the attack is repeated, the module may never fully recover, causing a continuous outage.
## Example SIP Packet That Triggers the Bug
```
INVITE sip:user@domain.com SIP/2.0
Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK776asdhds
Max-Forwards: 70
From: "Caller" <sip:caller@domain.com>;tag=1928301774
To: <sip:user@domain.com>
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Contact: <sip:malicious_header>
Content-Length: 0
```
The key point: The Contact header is malformed (could be empty, excessively long, or with odd encoded characters), crafted to trip up SIP ALG’s parser and make it reference an uninitialized memory region.
Below is a simplified pseudocode representation of the failure point:
```c
// Hypothetical vulnerable SIP ALG code block (simplified)
struct ContactHeader *contact = NULL;
if (parse_contact_header(packet, &contact)) {
    // process contact header
    do_something(contact->address); // Vulnerable: 'contact' may not be initialized!
}
```
If parse_contact_header fails in certain, unexpected ways due to malicious input, contact is never set, but code after still tries to use it—causing a crash.
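A hardened counterpart to the pseudocode above, as an added example (not Juniper's code and not from the original article): the parser writes its out-pointer on every path, and the caller checks both the status and the pointer before dereferencing. The function names, `MAX_URI`, and the validation rules are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_URI 128  /* assumed size limit for this sketch */

struct contact_header {
    char address[MAX_URI];
};

enum parse_status { PARSE_OK = 0, PARSE_MALFORMED = -1 };

/* Hardened parser: *out is written on every path, so the caller can never
 * observe a stale or uninitialized pointer, whatever the input looks like. */
static enum parse_status parse_contact_header(const char *value,
                                              struct contact_header *storage,
                                              struct contact_header **out)
{
    *out = NULL;                              /* fail closed before any parsing */
    if (value == NULL)
        return PARSE_MALFORMED;
    const char *lt = strchr(value, '<');
    const char *gt = lt ? strchr(lt, '>') : NULL;
    if (lt == NULL || gt == NULL)
        return PARSE_MALFORMED;               /* no complete <uri> present */
    size_t len = (size_t)(gt - lt - 1);
    if (len < 5 || len >= MAX_URI || strncmp(lt + 1, "sip:", 4) != 0)
        return PARSE_MALFORMED;               /* empty, oversized, or wrong scheme */
    memcpy(storage->address, lt + 1, len);
    storage->address[len] = '\0';
    *out = storage;                           /* set only after full validation */
    return PARSE_OK;
}

/* Caller: touch the header only when status AND pointer both say it is valid.
 * Returns the accepted URI length, or -1 when the message should be dropped. */
int handle_contact(const char *value)
{
    struct contact_header storage;
    struct contact_header *contact = NULL;    /* defense in depth */
    if (parse_contact_header(value, &storage, &contact) != PARSE_OK || contact == NULL)
        return -1;
    return (int)strlen(contact->address);
}
```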
- Interrupts VoIP and other critical traffic.
- Crashes are repeatable: as soon as the module restarts, another crafted packet can crash it again.
You are especially at risk if all these are true:
- You use Juniper MX or SRX devices with Junos OS 20.4, 21.1, or 21.2 within the vulnerable versions.
21.2: Upgrade to at least 21.2R2
> Official Juniper Security Bulletin:
> https://supportportal.juniper.net/JSA11276
Disable SIP ALG if you don’t require it.
```
commit
```
- Limit SIP exposure: Ensure SIP traffic is not accepted from untrusted sources or globally unfiltered.
3. Monitor Your Devices:
- Watch for unexpected crashes or restarts of MPC, MIC, or SPC modules.
- Set up alerts so you know immediately if a module crashes.
---
## References
- Juniper Security Advisory JSA11276
- NIST NVD Entry for CVE-2022-22198
- Juniper Junos Documentation – SIP ALG
- CISA Alert
---
## Final Thoughts
CVE-2022-22198 shows how a simple parsing bug in a rarely-used protocol handler can cripple major network infrastructure—even from a distance, and without a password. If you run Juniper MX or SRX platforms and use (or even just accept) SIP traffic, act fast: upgrade to the fixed Junos versions, or at least disable SIP ALG until you can do so.
Regularly review which ALGs you truly need—they open up deeper protocol inspection, but come with increased risk if neglected. Keep firmware up to date, and always monitor security advisories from your vendors.
Stay safe, keep patches applied, and never underestimate the power of a rogue packet.
---
## Timeline
Published on: 04/14/2022 16:15:00 UTC
Last modified on: 04/23/2022 02:26:00 UTC