CVE-2022-22231 is a significant vulnerability in Juniper Networks' Junos OS, especially for anyone using the SRX Series Firewalls. The flaw involves an unchecked return value leading to a NULL pointer dereference in the Packet Forwarding Engine (PFE). In simple terms, if the firewall is processing certain types of valid traffic while both Enhanced Content Filtering (CF) and AntiVirus (AV) options are turned on, an attacker can remotely crash the networking engine. The result: a potential Denial of Service (DoS) and loss of network availability.
This long read breaks down the CVE, walks through the attack, and explores the code context and mitigation. Let’s get into the details.
Background: What’s Being Targeted?
- Product: Juniper Networks Junos OS, only 21.4 versions prior to 21.4R1-S2, and 21.4R2, on SRX Series.
- Impact: Remote DoS via network traffic causes PFE crash and restart.
- Not affected: Junos OS before 21.4R1, or systems with only one of CF or AV enabled (not both).
How the Attack Works
Attackers don’t need credentials or fancy malware—they just need to send specific "valid" network traffic that triggers the firewall's UTM (Unified Threat Management) components to work together. Due to a bug, the code sometimes tries to use a resource (such as a pointer) that was never properly checked or initialized. This causes the software to crash.
1. An attacker sends specific, valid network traffic through the SRX firewall.
2. Junos OS, with both Enhanced CF and AV enabled, inspects it.
3. Due to a missed check, the software tries to access memory that’s not there (NULL pointer dereference).
4. The PFE crashes abruptly and restarts, taking network connectivity with it—resulting in Denial of Service.
Vulnerable Code Logic (Simplified Example)
While Juniper does not disclose source code, we can illustrate the root cause with pseudocode, emphasizing the standard mistake:
```c
/* Example: The bad pattern (unchecked pointer) */
void process_packet(Packet *pkt) {
    FilterResult *cf_result = enhanced_content_filter(pkt);  /* may return NULL on failure */
    AntivirusResult *av_result = antivirus_scan(pkt);        /* may return NULL on failure */
    // Vulnerability: cf_result or av_result might be NULL!
    log_cf_info(cf_result->info);          /* dereferenced without a check */
    log_av_info(av_result->threat_level);  /* dereferenced without a check */
}
```
Problem: If enhanced_content_filter or antivirus_scan fails and returns NULL, the code tries to access members from a NULL pointer, causing an immediate crash.
A secure version should do this:

```c
/* Example: The safe pattern (check each result before using it) */
if (cf_result != NULL)
    log_cf_info(cf_result->info);
else
    handle_filter_error();      /* engine failed: handle it instead of dereferencing NULL */

if (av_result != NULL)
    log_av_info(av_result->threat_level);
else
    handle_antivirus_error();
```
- Step 2: Checks that both Enhanced CF and AV are enabled.
- Step 3: Sends crafted—but valid—network traffic (often, this means sending files or data types that trigger both CF and AV scanning).
- Repeat: The attack can be automated for persistent DoS.
- Result: Each time the bug is triggered, network traffic is disrupted until the PFE restarts and resumes forwarding.
Proof-of-Concept Traffic Example
Although full exploit code is not public for security reasons, a basic method to trigger the bug looks like this (in Python-style pseudocode):
```python
# Send normal-looking HTTP/SMTP/FTP traffic known to trigger content and antivirus scanning
import socket

def send_exploit_packet(target_ip, target_port, malicious_payload):
    """Open a TCP connection, send the payload, and close; the SRX in the path inspects it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_ip, target_port))
    s.sendall(malicious_payload)
    s.close()

payload = b"GET /infected.exe HTTP/1.1\r\nHost: target\r\n\r\n"
send_exploit_packet("192.0.2.1", 80, payload)  # 192.0.2.1 is a documentation-range placeholder address
```
You’d need to vary the payload content to what will trigger *both* AV and CF engines—think files matching AV signatures *and* content filters.
- Fixed in: 21.4R2 and later
- Official Advisory: Juniper Security Advisory JSA69811

1. Upgrade: If you run Junos OS on SRX, update beyond the affected versions.
2. Temporary Workaround: Disable either Enhanced Content Filtering or Antivirus (don’t use both together until patching).
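An added exposure check, written for this write-up rather than taken from Juniper's tooling, that encodes the affected versions listed under Background together with the both-engines condition. The `Junos: <version>` line format in `show version` output, the sample output, and the CF/AV flags are assumptions you would replace with values from your own device:

```python
import re

# Junos version strings look like 21.4R1, 21.4R1-S2 or 21.4R1-S2.3 (trailing build number).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

def parse_junos_version(text):
    """Return (major, minor, release, service_release); service_release is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {text!r}")
    major, minor, rel, svc = m.groups()
    return (int(major), int(minor), int(rel), int(svc or 0))

def is_affected_version(version):
    """Affected per the advisory summary above: 21.4 releases before 21.4R1-S2, and 21.4R2."""
    major, minor, rel, svc = parse_junos_version(version)
    if (major, minor) != (21, 4):
        return False                 # no other release train is listed
    if (rel, svc) < (1, 2):
        return True                  # 21.4R1 and 21.4R1-S1 precede 21.4R1-S2
    return (rel, svc) == (2, 0)      # 21.4R2 without a service release is listed too

def version_from_show_version(output):
    """Pull the version out of 'show version' output (assumes a 'Junos: <version>' line)."""
    for line in output.splitlines():
        m = re.match(r"^\s*Junos:\s+(\S+)", line)
        if m:
            return m.group(1)
    raise ValueError("no 'Junos:' line found in show version output")

def assess_exposure(version, enhanced_cf_enabled, av_enabled):
    """Combine the version check with the configuration condition (both engines on)."""
    if not is_affected_version(version):
        return "not affected: version outside the advisory range"
    if enhanced_cf_enabled and av_enabled:
        return "EXPOSED: affected version with Enhanced CF and AV both enabled; upgrade or disable one"
    return "affected version, not currently exposed: only one of CF/AV enabled; still upgrade"

# Constructed sample 'show version' output (not captured from a real device).
SAMPLE_SHOW_VERSION = """Hostname: srx-edge-1
Model: srx340
Junos: 21.4R1-S1.2
"""

if __name__ == "__main__":
    ver = version_from_show_version(SAMPLE_SHOW_VERSION)
    print(ver, "->", assess_exposure(ver, enhanced_cf_enabled=True, av_enabled=True))
```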
References
- CVE-2022-22231 on NIST NVD
- Juniper Advisory JSA69811
- Juniper Junos OS Security Advisories
Conclusion
CVE-2022-22231 is a classic example of how a small coding oversight—a missing NULL check—opens the door to big disruptions, even in enterprise-grade firewalls. Attackers can bring down your firewall with just valid network packets, no auth required. The fix is out, so if you’re running an SRX with UTM, patch now or disable either Enhanced CF or AV to stay safe.
Stay updated, stay secure.
*This analysis is written exclusively for you based on public and technical sources. For questions or deeper technical breakdown, visit the Juniper Knowledge Base.*
Timeline
Published on: 10/18/2022 03:15:00 UTC