CVE-2022-22227 The Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved has an Improper Check for Unusual or Exceptional Conditions vulnerability that allows a network-based attacker to cause a DoS.

and 21.5-EVO versions prior to 21.5R1-S1-EVO. This issue affects all operating system releases. The following applies to this issue. If you are running any of the above releases and receive a packet with a destination IPv6 address of 2001::1 or 2001:db8::1, the RE will respond with an ICMPv6 Redirect message to the original source address and forward the packet to the Routing Engine (RE). If the RE receives an ICMPv6 Redirect message, it will respond with an ICMPv6 Redirect message to the original source address. As a result, the RE will forward the packet to the RE. This issue has been observed with the following conditions:

- IPv6 transit traffic with a specific source and destination address. - IPv6 transit traffic with a specific ICMPv6 Type. - IPv6 transit traffic with a specific ICMPv6 Code.
An attacker can send a crafted IPv6 Transit packet to the target system with a specific ICMPv6 Type value of Code 5, Code 18, Code 1, Code 4, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code

Affected RE versions 21.5-EVO and earlier

21.5-EVO versions prior to 21.5R1-S1-EVO. This issue affects all operating system releases.
The following applies to this issue. If you are running any of the above releases and receive a packet with a destination IPv6 address of 2001::1 or 2001:db8::1, the RE will respond with an ICMPv6 Redirect message to the original source address and forward the packet to the Routing Engine (RE). If the RE receives an ICMPv6 Redirect message, it will respond with an ICMPv6 Redirect message to the original source address. As a result, the RE will forward the packet to the RE. This issue has been observed with the following conditions:
- IPv6 transit traffic with a specific source and destination address. - IPv6 transit traffic with a specific ICMPv6 Type. - IPv6 transit traffic with a specific ICMPv6 Code.
An attacker can send a crafted IPv6 Transit packet to the target system with a specific ICMPv6 Type value of Code 5, Code 18, Code 1, Code 4, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 2 or 3.

Conditions for the RE to Respond with an ICMPv6 Redirect message

The following conditions must be met for the RE to respond with an ICMPv6 Redirect message:
- IPv6 transit traffic with a specific ICMPv6 Type value of Code 5, Code 18, Code 1, Code 4, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, Code 1, and all other types of ICMPv6 Types. - IPv6 transit traffic with a specific destination IPv6 address. - The RE must receive an ICMPv6 Redirect message from the destination system.
- The RE must receive an ICMPv6 Redirect message from the destination system.

Affected RE Software Versions

All versions of the RE software release prior to 21.5R1-S1-EVO on 22227 and all 21.5-EVO versions prior to 21.5R1-S1-EVO on 202227 are affected.

Timeline

Published on: 10/18/2022 03:15:00 UTC

References

• https://kb.juniper.net/JSA69878
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22227