CVE-2017-2302 in Junos

Summary

by MITRE

On Juniper Networks products or platforms running Junos OS 12.1X46 prior to 12.1X46-D55, 12.1X47 prior to 12.1X47-D45, 12.3R13 prior to 12.3R13, 12.3X48 prior to 12.3X48-D35, 13.3 prior to 13.3R10, 14.1 prior to 14.1R8, 14.1X53 prior to 14.1X53-D40, 14.1X55 prior to 14.1X55-D35, 14.2 prior to 14.2R6, 15.1 prior to 15.1F2 or 15.1R1, 15.1X49 prior to 15.1X49-D20 where the BGP add-path feature is enabled with 'send' option or with both 'send' and 'receive' options, a network based attacker can cause the Junos OS rpd daemon to crash and restart. Repeated crashes of the rpd daemon can result in an extended denial of service condition.


Analysis

by VulDB Data Team • 10/04/2020

The vulnerability identified as CVE-2017-2302 affects Juniper Networks devices running specific versions of Junos OS where the Border Gateway Protocol add-path feature is configured with send or both send and receive options. This represents a critical reliability issue that can be exploited by remote attackers to disrupt network operations through deliberate daemon crashes. The affected versions span multiple release branches including 12.1X46, 12.1X47, 12.3R13, 12.3X48, 13.3, 14.1, 14.1X53, 14.1X55, 14.2, 15.1, and 15.1X49, indicating a widespread impact across Juniper's product portfolio. The vulnerability specifically targets the routing process daemon rpd which is responsible for processing and maintaining routing information within the network infrastructure.

The technical flaw manifests when an attacker exploits the BGP add-path functionality to send malformed or specially crafted BGP messages that trigger a buffer overflow or memory corruption within the rpd daemon. This occurs during the processing of BGP update messages that contain add-path information, particularly when the send option is enabled or when both send and receive options are configured simultaneously. The vulnerability stems from insufficient input validation and memory management within the routing daemon's handling of BGP add-path attributes, creating a condition where malicious input can cause the daemon to crash and restart automatically. This behavior aligns with CWE-121, which describes heap-based buffer overflow conditions that can lead to arbitrary code execution or denial of service scenarios.

The operational impact of this vulnerability extends beyond simple daemon restarts to create sustained denial of service conditions that can severely impact network availability and stability. When the rpd daemon repeatedly crashes and restarts, it disrupts the routing process and can cause temporary network outages as the system re-establishes routing tables and connections. Network administrators may experience significant disruption as routing protocols attempt to recover from the repeated failures, potentially causing cascading effects throughout the network infrastructure. The vulnerability can be exploited remotely without authentication, making it particularly dangerous as any network attacker with access to the affected BGP peers can trigger the condition. This aligns with ATT&CK technique T1499.004 which covers network denial of service attacks targeting network infrastructure components.

Mitigation strategies for CVE-2017-2302 require immediate implementation of firmware updates to the affected Junos OS versions, with the specific patch versions varying by release branch. Organizations should also consider disabling the BGP add-path feature on affected devices until proper patches are applied, particularly in environments where the feature is not critical to operations. Network segmentation and monitoring should be implemented to detect unusual patterns of daemon restarts that might indicate exploitation attempts. Security teams should also implement intrusion detection systems capable of identifying malformed BGP messages that could trigger the vulnerability. The recommended approach involves thorough testing of patches in controlled environments before deployment to ensure compatibility with existing network configurations and prevent unintended service disruptions during the remediation process.
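One way to implement the restart-pattern monitoring recommended above, as an added Python example that is not part of the VulDB record or of any Juniper tooling: it parses constructed Junos-style syslog lines for rpd terminations and flags a host on which three or more crashes fall inside a five-minute window. The "init: routing (PID n) terminated by signal number ..." message form, the hostname, the peer address and the PIDs are assumptions.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not captured from a real device). The
# "init: routing (PID n) terminated by signal number N!" wording is assumed
# to be the form Junos logs when rpd exits on a fault and is respawned.
SAMPLE_LOG = """\
Jun  1 12:00:01 edge1 rpd[2204]: bgp_recv: peer 192.0.2.1 (External AS 64496): received unexpected EOF
Jun  1 12:00:02 edge1 init: routing (PID 2204) terminated by signal number 11!
Jun  1 12:00:03 edge1 init: routing (PID 2310) started
Jun  1 12:00:45 edge1 init: routing (PID 2310) terminated by signal number 11!
Jun  1 12:00:46 edge1 init: routing (PID 2398) started
Jun  1 12:01:30 edge1 init: routing (PID 2398) terminated by signal number 11!
Jun  1 12:01:31 edge1 init: routing (PID 2455) started
Jun  1 15:20:00 edge1 init: routing (PID 2455) terminated by signal number 11!
"""

RPD_CRASH = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"init: routing \(PID (?P<pid>\d+)\) terminated by signal number (?P<sig>\d+)"
)

def rpd_crash_events(lines):
    """Return (host, timestamp, pid, signal) for every rpd termination line."""
    events = []
    for line in lines:
        m = RPD_CRASH.match(line)
        if m:
            # Syslog stamps carry no year; deltas within one month are still valid.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((m["host"], ts, int(m["pid"]), int(m["sig"])))
    return events

def restart_bursts(events, window_s=300, threshold=3):
    """Sliding window per host: alert when threshold crashes land within window_s."""
    by_host = {}
    for host, ts, _pid, _sig in sorted(events, key=lambda e: e[1]):
        by_host.setdefault(host, []).append(ts)
    alerts = []
    for host, stamps in by_host.items():
        start = 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1  # drop crashes that fell out of the window
            if end - start + 1 == threshold:  # fire once as the window fills
                alerts.append((host, stamps[start], stamps[end], threshold))
    return alerts

if __name__ == "__main__":
    for host, first, last, n in restart_bursts(rpd_crash_events(SAMPLE_LOG.splitlines())):
        print(f"{host}: {n} rpd crashes between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

A single crash hours later (the 15:20 line) does not raise an alert on its own, which keeps ordinary one-off restarts out of the signal.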

Reservation

12/01/2016

Disclosure

05/30/2017

Moderation

accepted

CPE

ready

EPSS

0.00808

KEV

no

Activities

very low
