CVE-2019-0002 in Junos

Summary

by MITRE

On EX2300 and EX3400 series, stateless firewall filter configuration that uses the action 'policer' in combination with other actions might not take effect. When this issue occurs, the output of the command: show pfe filter hw summary will not show the entry for: RACL group. Affected releases are Junos OS on EX2300 and EX3400 series: 15.1X53 versions prior to 15.1X53-D590; 18.1 versions prior to 18.1R3; 18.2 versions prior to 18.2R2. This issue affects both IPv4 and IPv6 firewall filters.

Analysis

by VulDB Data Team • 07/01/2023

This vulnerability affects Juniper Networks EX2300 and EX3400 series switches where stateless firewall filter configurations utilizing the policer action in conjunction with other actions fail to function properly. The issue manifests when the policer action is combined with additional filter actions, resulting in incomplete or missing firewall rule enforcement. The affected hardware platforms are the EX2300 and EX3400 series switches, which are commonly deployed in enterprise and data center environments for their routing and switching capabilities. The problem impacts both IPv4 and IPv6 firewall filter implementations, creating a significant security gap in network traffic control mechanisms.

The technical flaw stems from a software implementation error within Junos OS 15.1X53 versions prior to 15.1X53-D590, 18.1 versions prior to 18.1R3, and 18.2 versions prior to 18.2R2. When administrators configure firewall filters that include the policer action alongside other actions such as accept, reject, or count, the system fails to properly program the hardware forwarding engine to enforce these combined actions. This results in the policer functionality being bypassed or improperly applied, leading to potential traffic control failures that could allow unauthorized network access or traffic manipulation. The issue is particularly concerning because it affects stateless firewall filters, which are fundamental components for implementing network security policies and traffic management.

The operational impact of this vulnerability is substantial as it undermines the security posture of affected networks by allowing potentially malicious traffic to bypass configured policer-based rate limiting controls. Network administrators who rely on policer actions to manage traffic bandwidth, prevent flooding attacks, or enforce service level agreements may find their security policies ineffective. The problem becomes evident when using the show pfe filter hw summary command, which should display all configured RACL groups but fails to show entries for filters that include the problematic policer action combination. This lack of visibility makes it difficult for network operators to verify that their firewall policies are properly implemented and enforced, creating a situation where security controls appear to be active but are not functioning as intended. The vulnerability affects both IPv4 and IPv6 implementations, meaning that security policies across both protocol families could be compromised simultaneously.

Organizations should immediately apply the relevant Junos OS patches to address this vulnerability, specifically upgrading to versions 15.1X53-D590, 18.1R3, or 18.2R2 for the affected platforms. Network administrators should also conduct thorough audits of their firewall filter configurations to identify any instances where the policer action is used in combination with other actions and verify that these policies are functioning correctly. The mitigation strategy should include implementing alternative traffic management approaches such as using separate policer actions or employing different filter action combinations that do not trigger this bug. Additionally, organizations should monitor their network traffic patterns closely to detect any anomalous behavior that might indicate the vulnerability is allowing unauthorized traffic to bypass normal controls. This issue aligns with CWE-691 - Insufficient Control Flow Management and relates to ATT&CK technique T1566 - Phishing to establish backdoor access, as compromised traffic controls could enable attackers to bypass network security measures and gain unauthorized access to network resources.
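The audit described above can be scripted. The following is an added example, not code from VulDB or Juniper: it flags filter terms that combine policer with other actions and checks a version string against the affected ranges. It assumes the configuration was exported with show configuration | display set and that the device is an EX2300 or EX3400; the filter, term and policer names in the sample are constructed.

```python
import re
from collections import defaultdict

# First fixed build per affected train, as listed in the advisory text.
FIXED = {"15.1X53": ("D", 590), "18.1": ("R", 3), "18.2": ("R", 2)}
VERSION_RE = re.compile(r"^(15\.1X53|18\.[12])-?([DR])(\d+)")
TERM_RE = re.compile(
    r"^set firewall family (inet6?) filter (\S+) term (\S+) then (\S+)")

# Constructed sample in "display set" form; all names are made up.
SAMPLE = """\
set firewall family inet filter EDGE-IN term ssh from protocol tcp
set firewall family inet filter EDGE-IN term ssh then policer LIMIT-1M
set firewall family inet filter EDGE-IN term ssh then count ssh-hits
set firewall family inet filter EDGE-IN term ssh then accept
set firewall family inet filter EDGE-IN term rest then accept
set firewall family inet6 filter EDGE6-IN term icmp then policer LIMIT-1M
"""


def affected_release(version):
    """True if the version string falls in a range the advisory lists."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return False  # train not listed as affected
    fixed_kind, fixed_num = FIXED[m.group(1)]
    # Assumption: build numbers within one train compare numerically.
    return m.group(2) == fixed_kind and int(m.group(3)) < fixed_num


def policer_combined_terms(set_config):
    """Terms whose 'then' clause mixes policer with any other action."""
    actions = defaultdict(list)
    for line in set_config.splitlines():
        m = TERM_RE.match(line.strip())
        if m:
            actions[m.groups()[:3]].append(m.group(4))
    return sorted(
        (fam, flt, term, sorted(acts))
        for (fam, flt, term), acts in actions.items()
        if "policer" in acts and any(a != "policer" for a in acts)
    )


if __name__ == "__main__":
    print(affected_release("18.1R2-S1"))
    for hit in policer_combined_terms(SAMPLE):
        print(hit)
```

Terms flagged on an affected release are the ones to cross-check against the RACL group entry in the output of show pfe filter hw summary.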

Reservation: 10/11/2018

Disclosure: 01/15/2019

Moderation: accepted

CPE: ready

EPSS: 0.00229

KEV: no

Activities: very low
