In October 2023 (see the timeline at the end of this post), a reachable-assertion vulnerability was disclosed in Juniper Networks' Junos OS and Junos OS Evolved, tracked as CVE-2023-44175. It allows a remote attacker to send specifically crafted but valid Protocol Independent Multicast (PIM) packets to a target Juniper device and crash its routing protocol daemon (rpd). An attacker who keeps sending such packets can hold the router in a sustained Denial of Service (DoS) condition, because rpd restarts and then crashes again on the next packet.

This post breaks down how the vulnerability works, which systems are at risk, how an attack would operate, and what you can do to mitigate the risk. It includes code samples, references to the original advisory, and practical steps explained in simple terms.

What is CVE-2023-44175?

CVE-2023-44175 is a denial-of-service bug in the routing protocol daemon (rpd) of Juniper routers and switches. rpd is the process that runs the routing protocols (BGP, OSPF, IS-IS, PIM and others), so an rpd crash affects far more than multicast. When certain crafted but still RFC-compliant PIM packets are received, they trigger an assertion failure inside rpd, which aborts and restarts.

- Impact: a remote attacker can make a targeted Juniper device lose its routing process, causing traffic loss, network downtime and, on a core router, large-scale disruption.
- Caveat: the attacker must be able to deliver PIM packets to a PIM-enabled interface of the device, and the crash is reported mainly in multi-vendor networks (i.e., not in all-Juniper deployments).

Vulnerability Details

The root cause is that rpd does not handle certain incoming PIM packets safely. PIM is the multicast routing protocol used in most enterprise, ISP and data-center networks, and PIMv2 has no authentication of its own (RFC 7761 only points to IPsec as an option), so any host that can reach a PIM interface can speak to rpd.

When rpd processes such a packet (well-formed on the wire, so it passes the usual sanity checks, but hitting an internal assertion that cannot be satisfied), the daemon aborts and restarts. Each repeated packet causes another restart, so a steady stream keeps rpd, and with it every routing protocol on the box, from ever fully converging, which is what turns a single crash into a persistent outage.

Important Note:
If every PIM speaker in your network is a Juniper device, this issue does not appear to manifest. It has been seen in mixed-vendor environments, i.e., in interoperability cases with Cisco, Arista and other vendors' PIM implementations.

Pseudo-Exploit Code Snippet

The following Python/Scapy snippet builds and sends PIM Hello packets to the all-PIM-routers group. It shows where the packets go and how they are shaped, not the specific option content that triggers the bug:

from scapy.all import sendp, Ether, IP
from scapy.contrib.pim import PIMv2Hdr   # Scapy's PIM layer lives in contrib; there is no "PIM" class in scapy.all

# Edit these:
dst_mac = "01:00:5e:00:00:0d"  # multicast MAC that maps to 224.0.0.13
src_mac = "aa:bb:cc:dd:ee:ff"
src_ip = "192.0.2.10"          # attacker's address on the shared segment
dst_ip = "224.0.0.13"          # all-PIM-routers group
iface = "eth0"                 # interface to send packets from

# PIM rides directly on IP (protocol 103); Hellos are link-local, hence ttl=1
pim_pkt = Ether(src=src_mac, dst=dst_mac) / \
          IP(src=src_ip, dst=dst_ip, ttl=1, proto=103) / \
          PIMv2Hdr(type=0)     # type 0 = PIM Hello, no options (can be customized)

# Send a burst of valid Hellos; it is the extra Hello options, not the volume, that matter for the bug
for i in range(100):
    sendp(pim_pkt, iface=iface, verbose=False)

Note: to reliably trigger the bug, the attacker must craft specific PIM options (the exact details are omitted here).

An attacker who controls a device on a segment where the router runs PIM can inject these packets directly. PIM Hellos are link-local (TTL 1, destination 224.0.0.13), so they have to originate on such a segment; unicast PIM messages such as Register travel further and widen the exposure accordingly.
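To make "valid PIM packet" concrete for both the Vulnerability Details section and the Scapy snippet above, here is an added, dependency-free builder and strict parser for PIM Hello messages. It is example code written for this post, not code from the page, from Juniper, or from Scapy, and it does not reproduce the trigger condition; it shows the RFC 7761 header, the ones'-complement checksum that every receiver verifies first, and the TLV option walk where length checks belong. The option values (holdtime 105, DR priority 1, generation ID 0x12345678) are constructed sample values.

```python
import struct
from dataclasses import dataclass, field

# PIM wire format per RFC 7761 section 4.9. The constants are from the RFC;
# the sample values used below are constructed for this example.
PIM_VERSION = 2
PIM_TYPE_HELLO = 0
PIM_ALL_ROUTERS = "224.0.0.13"     # link-local group every PIM router listens on
PIM_IP_PROTOCOL = 103

HELLO_OPT_HOLDTIME = 1             # 2-byte value
HELLO_OPT_LAN_PRUNE_DELAY = 2      # 4-byte value
HELLO_OPT_DR_PRIORITY = 19         # 4-byte value
HELLO_OPT_GENERATION_ID = 20       # 4-byte value
_FIXED_OPTION_LENGTHS = {
    HELLO_OPT_HOLDTIME: 2,
    HELLO_OPT_LAN_PRUNE_DELAY: 4,
    HELLO_OPT_DR_PRIORITY: 4,
    HELLO_OPT_GENERATION_ID: 4,
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the whole PIM message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(holdtime: int = 105, dr_priority: int = 1,
                generation_id: int = 0x12345678) -> bytes:
    """Build a well-formed PIM Hello: 4-byte header followed by TLV options."""
    options = b"".join([
        struct.pack("!HHH", HELLO_OPT_HOLDTIME, 2, holdtime),
        struct.pack("!HHI", HELLO_OPT_DR_PRIORITY, 4, dr_priority),
        struct.pack("!HHI", HELLO_OPT_GENERATION_ID, 4, generation_id),
    ])
    first_byte = (PIM_VERSION << 4) | PIM_TYPE_HELLO
    header = struct.pack("!BBH", first_byte, 0, 0)     # checksum field zero while computing
    chksum = inet_checksum(header + options)
    return struct.pack("!BBH", first_byte, 0, chksum) + options


@dataclass
class PimMessage:
    version: int
    type: int
    checksum_ok: bool
    options: dict = field(default_factory=dict)


def parse_hello_options(body: bytes) -> dict:
    """Walk the Hello TLVs strictly: declared lengths must fit the buffer and the RFC."""
    opts, off = {}, 0
    while off < len(body):
        if len(body) - off < 4:
            raise ValueError("truncated Hello option header")
        otype, olen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + olen]
        if len(value) != olen:
            raise ValueError(f"option {otype} declares {olen} bytes, only {len(value)} present")
        expected = _FIXED_OPTION_LENGTHS.get(otype)
        if expected is not None and olen != expected:
            raise ValueError(f"option {otype} must be {expected} bytes, got {olen}")
        if otype == HELLO_OPT_HOLDTIME:
            opts["holdtime"] = struct.unpack("!H", value)[0]
        elif otype == HELLO_OPT_DR_PRIORITY:
            opts["dr_priority"] = struct.unpack("!I", value)[0]
        elif otype == HELLO_OPT_GENERATION_ID:
            opts["generation_id"] = struct.unpack("!I", value)[0]
        elif otype == HELLO_OPT_LAN_PRUNE_DELAY:
            t_delay, override = struct.unpack("!HH", value)
            opts["lan_prune_delay"] = (t_delay & 0x7FFF, override)   # top bit is the T flag
        else:
            opts.setdefault("unknown", {})[otype] = value   # unknown options are ignored, not rejected
        off += 4 + olen
    return opts


def parse_pim(data: bytes) -> PimMessage:
    """Parse the PIM header, verify the checksum, and decode Hello options."""
    if len(data) < 4:
        raise ValueError("PIM message shorter than the 4-byte header")
    first, _reserved, _chksum = struct.unpack("!BBH", data[:4])
    version, mtype = first >> 4, first & 0x0F
    if version != PIM_VERSION:
        raise ValueError(f"unsupported PIM version {version}")
    msg = PimMessage(version, mtype, checksum_ok=(inet_checksum(data) == 0))
    if mtype == PIM_TYPE_HELLO:
        msg.options = parse_hello_options(data[4:])
    return msg


if __name__ == "__main__":
    print(parse_pim(build_hello()))
```

The point for this CVE is the gap between the two layers: a Hello that passes `inet_checksum` and every length check in `parse_hello_options` is "valid" in the sense the advisory uses, yet rpd can still fail on what the options mean. Checks like these stop garbage; they do not stop a semantically unexpected but well-formed neighbor.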

On the affected router you may see log lines like these (illustrative; the exact text and line numbers vary by release):

rpd[XXXX]: Assertion failure at ... pim_input.c line 1234
rpd[XXXX]: Received signal 6 (Abort trap)
rpd[XXXX]: Routing protocol daemon (rpd) crash
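A single rpd crash can be an unrelated bug; the signature of this DoS is a cluster of crashes with a fresh PID each time. The following added example (written for this post, not taken from the page or from Juniper) runs a small sliding-window detector over a constructed syslog excerpt modelled on the lines above. The hostnames, PIDs, timestamps and the extra `mgd` line are made up, and the regexes match only the crash text shown on this page, not an exhaustive set of Junos messages.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog excerpt modelled on the illustrative lines above; it is not a
# capture from a real Junos device. Hosts, PIDs and timestamps are made up.
SAMPLE_LOG = """\
Oct 12 10:00:01 rtr1 rpd[1234]: Assertion failure at pim_input.c line 1234
Oct 12 10:00:01 rtr1 rpd[1234]: Received signal 6 (Abort trap)
Oct 12 10:00:05 rtr1 mgd[2001]: UI_COMMIT: User 'admin' requested 'commit' operation
Oct 12 10:00:45 rtr1 rpd[1300]: Assertion failure at pim_input.c line 1234
Oct 12 10:00:45 rtr1 rpd[1300]: Received signal 6 (Abort trap)
Oct 12 10:01:30 rtr1 rpd[1350]: Assertion failure at pim_input.c line 1234
Oct 12 10:01:30 rtr1 rpd[1350]: Received signal 6 (Abort trap)
Oct 12 10:20:00 rtr2 rpd[4101]: Assertion failure at pim_input.c line 1234
"""

SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

# Crash indicators taken from the sample lines on this page. Both usually appear for
# the same crash, so events are de-duplicated per (host, rpd PID).
CRASH_PATTERNS = [
    re.compile(r"rpd\[(?P<pid>\d+)\]: Assertion failure"),
    re.compile(r"rpd\[(?P<pid>\d+)\]: Received signal 6"),
]


def parse_crash_events(lines, year=2023):
    """Return a sorted list of (timestamp, host, pid), one entry per distinct rpd crash."""
    seen, events = set(), []
    for line in lines:
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        for pat in CRASH_PATTERNS:
            hit = pat.search(m["msg"])
            if not hit:
                continue
            key = (m["host"], hit["pid"])
            if key not in seen:
                seen.add(key)
                ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                events.append((ts, m["host"], hit["pid"]))
            break
    return sorted(events)


def find_sustained_crashes(events, threshold=3, window=timedelta(minutes=5)):
    """Per host, alert when `threshold` distinct rpd crashes fall inside `window`."""
    by_host = {}
    for ts, host, _pid in events:
        by_host.setdefault(host, []).append(ts)
    alerts = []
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "first": times[start],
                               "last": t, "count": end - start + 1})
                break                             # one alert per host is enough here
    return alerts


if __name__ == "__main__":
    for a in find_sustained_crashes(parse_crash_events(SAMPLE_LOG.splitlines())):
        print(f"{a['host']}: {a['count']} rpd crashes between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On the box itself, `show system core-dumps` and `show log messages | match rpd` give you the same raw material; shipping the messages log to a collector and applying a window like this is what makes the pattern visible across the fleet.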

Juniper Official Advisory

- JSA76339 - 2023-09 Out-of-Cycle Security Bulletin: Junos OS: rpd crash due to crafted PIM packets (CVE-2023-44175)

Mitigation

1. Apply patches: upgrade to a fixed release. The fixed versions for each Junos OS and Junos OS Evolved release train are listed in the advisory and are not reproduced here.

2. Filter Multicast/PIM packets:

Example firewall filter (Junos). The original three-term version accepted PIM from one peer and then discarded everything else, which would also drop all ordinary IPv4 traffic on the interface; the final accept term below fixes that.

firewall {
    family inet {
        filter restrict-pim {
            term allow-trusted-pim {
                from {
                    protocol pim;
                    source-address {
                        192.0.2.1/32;   # only your PIM neighbor on this link
                    }
                }
                then accept;
            }
            term drop-other-pim {
                from {
                    protocol pim;
                }
                then {
                    count pim-untrusted;   # makes injection attempts visible in "show firewall"
                    discard;
                }
            }
            term allow-rest {
                then accept;   # without this, the filter would discard ALL other IPv4 traffic
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input restrict-pim;
                }
            }
        }
    }
}

Caveats: the filter is for family inet only, so if you run PIM over IPv6 you need the equivalent family inet6 filter. PIM source addresses are trivially spoofable by a host on the same segment, so this narrows exposure but does not replace the patch. If you prefer a single control-plane filter, apply an equivalent one as an input filter on lo0, which protects the routing engine for every interface. Finally, disabling PIM on interfaces that do not need it (under protocols pim interface) removes the attack surface there entirely.

---

Conclusion

CVE-2023-44175 is a good example of how standards-compliant packets can still trigger catastrophic bugs in network equipment, especially where two vendors' implementations meet. As hybrid and multi-vendor networks become the norm, these kinds of vulnerabilities will keep appearing, and unauthenticated control-plane protocols like PIM deserve the same filtering discipline as management access.

References

- Juniper Security Advisory JSA76339
- NVD: CVE-2023-44175
- Scapy: PIM Packet Documentation
- What is Multicast Routing? (Cisco)

Timeline

Published on: 10/12/2023 23:15:11 UTC
Last modified on: 10/19/2023 17:47:15 UTC