In certain conditions an OSPF packet can be sent with a malformed OSPF Type-Length-Value (TLV) value. When a PPMD daemon receives such an OSPF packet, it attempts to parse the field, resulting in a memory leak. The memory leak eventually results in an infinite loop.

In addition to the DoS condition, this issue also results in issues with protocol optimization. The PPMD daemon attempts to parse the OSPF packet, but due to the memory leak, the daemon eventually crashes. This results in significant performance issues as the PPMD daemon processes a large number of OSPF packets during each startup.

This issue is present in all versions of Junos OS and Junos OS Evolved prior to 20.4R3-S3, including the following releases:
- 15.1R1
- 15.1R2
- 15.1R3
- 16.1
- 16.1M1
- 16.1M2
- 16.1M3
- 16.1M4
- 16.2
- 16.2M1
- 16.2M2
- 16.2M3
- 16.2M4
- 17.1
- 17.1R1
- 17.1R2
- 17.1R3
- 17.2
- 17.2R1
- 17.2R2
- 17.2R3
- 18.1
- 18.1R1
- 18.1

Buggy Configuration

The bug is caused by the use of an invalid TLV value in OSPF packets. The PPMD daemon attempts to parse the invalid TLV, which causes the memory leak and subsequent infinite loop.

Description of the Issue

CVE-2022-22224 is a memory leak issue that can occur in Junos OS and Junos OS Evolved prior to 20.4R3-S3. When a PPMD daemon processes an OSPF packet with a malformed TLV field, this issue results in a crash of the daemon.

This issue is present in all versions of Junos OS and Junos OS Evolved prior to 20.4R3-S3, including the following releases:
- 15.1R1
- 15.1R2
- 15.1R3
- 16.1
- 16.1M1
- 16.1M2
- 16.1M3
- 16.1M4
- 16.2
- 16.2M1
- 16.2M2
- 16.2M3
- 16.2M4

How can I check if I am affected?

You can verify if your device is affected by checking the show ip ospf interface statistics command output. If you see a pattern of memory usage, or if your device's memory utilization goes up significantly, you may be affected. Your device may also produce an error message similar to the following in the log when it receives the malformed packet:
Jun 7 07:28:56 rpmpd-1-1/0/2/3 %PLATFORM-6-PPMD_OSPF_RESOLVE_FAIL: OSPF not resolved - no adjacencies
Jun 7 07:29:05 rpmpd-1-1/0/2/3 %PLATFORM-6-PPMD_OSPF_RESOLVE_FAIL: OSPF not resolved - no adjacencies
Jun 7 07:29:11 rpmpd-1-1/0/2/3 %PLATFORM-6-PPMD_OSPF_RESOLVE_FAIL: OSPF not resolved - no adjacencies
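
As an added example (not part of the original page and not Juniper tooling), the following Python script scans syslog text for the message shown above and reports any source that logs it repeatedly within a short window. The threshold, window length, assumed year, and function names are assumptions chosen for illustration; the sample input is constructed from the three lines quoted above.

```python
import re
from datetime import datetime

# Constructed sample: the three lines quoted above plus one unrelated, made-up line.
SAMPLE_LOG = """\
Jun 7 07:28:56 rpmpd-1-1/0/2/3 %PLATFORM-6-PPMD_OSPF_RESOLVE_FAIL: OSPF not resolved - no adjacencies
Jun 7 07:29:05 rpmpd-1-1/0/2/3 %PLATFORM-6-PPMD_OSPF_RESOLVE_FAIL: OSPF not resolved - no adjacencies
Jun 7 07:29:11 rpmpd-1-1/0/2/3 %PLATFORM-6-PPMD_OSPF_RESOLVE_FAIL: OSPF not resolved - no adjacencies
Jun 7 07:40:00 rpmpd-1-1/0/2/3 %PLATFORM-6-CONSTRUCTED_OTHER: unrelated line
"""

TAG = "PLATFORM-6-PPMD_OSPF_RESOLVE_FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<src>\S+)\s+"
    r"%(?P<tag>[A-Z0-9_-]+):"
)

def parse_events(text, year=2022):
    """Return sorted (timestamp, source) pairs for lines carrying TAG.
    Syslog lines have no year, so one is assumed via the year argument."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("tag") == TAG:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("src")))
    return sorted(events)

def find_bursts(events, threshold=3, window_seconds=60):
    """Return (source, window_start, count) for each source whose densest
    window of window_seconds holds at least threshold events."""
    by_src = {}
    for ts, src in events:
        by_src.setdefault(src, []).append(ts)
    bursts = []
    for src, stamps in sorted(by_src.items()):
        start, best_n, best_start = 0, 0, None
        for end, ts in enumerate(stamps):
            # Slide the left edge until the window spans <= window_seconds.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > best_n:
                best_n, best_start = end - start + 1, stamps[start]
        if best_n >= threshold:
            bursts.append((src, best_start, best_n))
    return bursts

if __name__ == "__main__":
    for src, first, n in find_bursts(parse_events(SAMPLE_LOG)):
        print(f"{src}: {n} events starting {first.isoformat()}")
```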

Limitations

The PPMD daemon is not affected by this issue.
This issue has been fixed in the following releases:
- 15.1R3
- 16.2M5

How do I enable SIGDump on my router?

To enable SIGDump on a Junos OS router, use the following commands:
Router# set security dump-options ?

Timeline

Published on: 10/18/2022 03:15:00 UTC
