CVE-2020-1655 in Junos

Summary

by MITRE

When a device running Juniper Networks Junos OS with MPC7, MPC8, or MPC9 line cards installed and the system is configured for inline IP reassembly, used by L2TP, MAP-E, GRE, and IPIP, the packet forwarding engine (PFE) will become disabled upon receipt of large packets requiring fragmentation, generating the following error messages:

  [LOG: Err] MQSS(0): WO: Packet Error - Error Packets 1, Connection 29
  [LOG: Err] eachip_hmcif_rx_intr_handler(7259): EA[0:0]: HMCIF Rx: Injected checksum error detected on WO response - Chunk Address 0x0
  [LOG: Err] MQSS(0): DRD: RORD1: CMD reorder ID error - Command 11, Reorder ID 1838, QID 0
  [LOG: Err] MQSS(0): DRD: UNROLL0: HMC chunk length error in stage 5 - Chunk Address: 0x4321f3
  [LOG: Err] MQSS(0): DRD: UNROLL0: HMC chunk address error in stage 5 - Chunk Address: 0x0
  [LOG: Notice] Error: /fpc/8/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc), scope: pfe, category: functional, severity: major, module: MQSS(0), type: DRD_RORD_ENG_INT: CMD FSM State Error
  [LOG: Notice] Performing action cmalarm for error /fpc/8/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(0) with scope: pfe category: functional level: major
  [LOG: Notice] Performing action get-state for error /fpc/8/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(0) with scope: pfe category: functional level: major
  [LOG: Notice] Performing action disable-pfe for error /fpc/8/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(0) with scope: pfe category: functional level: major

By continuously sending fragmented packets that cannot be reassembled, an attacker can repeatedly disable the PFE causing a sustained Denial of Service (DoS).
This issue affects Juniper Networks Junos OS: 17.2 versions prior to 17.2R3-S4 on MX Series; 17.3 versions prior to 17.3R3-S8 on MX Series; 17.4 versions prior to 17.4R2-S10, 17.4R3-S2 on MX Series; 18.1 versions prior to 18.1R3-S10 on MX Series; 18.2 versions prior to 18.2R3-S3 on MX Series; 18.2X75 versions prior to 18.2X75-D41, 18.2X75-D430, 18.2X75-D65 on MX Series; 18.3 versions prior to 18.3R1-S7, 18.3R2-S4, 18.3R3-S1 on MX Series; 18.4 versions prior to 18.4R1-S7, 18.4R2-S4, 18.4R3 on MX Series; 19.1 versions prior to 19.1R1-S5, 19.1R2-S1, 19.1R3 on MX Series; 19.2 versions prior to 19.2R1-S4, 19.2R2 on MX Series; 19.3 versions prior to 19.3R2-S2, 19.3R3 on MX Series. This issue is specific to inline IP reassembly, introduced in Junos OS 17.2. Versions of Junos OS prior to 17.2 are unaffected by this vulnerability.
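To check a running release against the fix points listed above, here is an added example (not code from MITRE, Juniper or VulDB) that parses Junos R-style version strings and applies the advisory's "prior to" rule per release branch; the 18.2X75 D-numbered train is deliberately left out because its numbering differs.

```python
import re

# Fix points copied from the advisory text, keyed by release branch. The 18.2X75
# train uses D-numbered releases with their own numbering and is not modelled here.
FIXED = {
    "17.2": ["17.2R3-S4"],
    "17.3": ["17.3R3-S8"],
    "17.4": ["17.4R2-S10", "17.4R3-S2"],
    "18.1": ["18.1R3-S10"],
    "18.2": ["18.2R3-S3"],
    "18.3": ["18.3R1-S7", "18.3R2-S4", "18.3R3-S1"],
    "18.4": ["18.4R1-S7", "18.4R2-S4", "18.4R3"],
    "19.1": ["19.1R1-S5", "19.1R2-S1", "19.1R3"],
    "19.2": ["19.2R1-S4", "19.2R2"],
    "19.3": ["19.3R2-S2", "19.3R3"],
}

# branch, R release, optional -S service release; trailing build numbers are ignored
VERSION_RE = re.compile(
    r"^(?P<branch>\d+\.\d+)R(?P<r>\d+)(?:\.\d+)?(?:-S(?P<s>\d+)(?:\.\d+)?)?$")

def parse_version(text):
    """Split e.g. '17.4R2-S9' into ('17.4', 2, 9); a missing -S suffix counts as 0."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unsupported Junos version string: {text!r}")
    return m["branch"], int(m["r"]), int(m["s"] or 0)

def is_affected(version, fixed=FIXED):
    """True when `version` is 'prior to' a fix point on its branch.

    Rule: take the fix point with the smallest R >= the running R. A higher R
    means the whole running R-train is unfixed; the same R is fixed only from
    that service release on. No such fix point, or an unlisted branch (which
    covers everything before 17.2), means the release is not affected."""
    branch, r, s = parse_version(version)
    candidates = sorted(parse_version(f)[1:] for f in fixed.get(branch, ()))
    for fix_r, fix_s in candidates:
        if fix_r > r:
            return True
        if fix_r == r:
            return s < fix_s
    return False
```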


Analysis

by VulDB Data Team • 11/04/2020

The vulnerability described in CVE-2020-1655 represents a critical denial of service flaw within Juniper Networks Junos OS operating on specific MX Series routers. This weakness manifests when devices are configured with MPC7, MPC8, or MPC9 line cards and utilize inline IP reassembly for protocols including L2TP, MAP-E, GRE, and IPIP. The underlying technical issue resides in the packet forwarding engine's handling of large packets that require fragmentation, specifically when these packets cannot be successfully reassembled by the system. The vulnerability is categorized under CWE-121 as a buffer overflow condition, though it manifests more precisely as a command finite state machine error within the MQSS component of the PFE architecture. When malformed fragmented packets are received, the system generates a series of error messages indicating packet errors, checksum failures, and memory management issues that ultimately lead to the complete disablement of the PFE.

The operational impact of this vulnerability extends beyond simple service disruption to create a persistent denial of service condition that can be exploited by remote attackers. The attack vector requires only the transmission of specially crafted fragmented packets that cannot be reassembled, which triggers a cascade of errors within the MQSS module's command finite state machine. Each error condition causes the system to perform automatic actions including disabling the PFE, which effectively removes the router from network operations. This vulnerability is particularly concerning because it operates at the hardware level within the PFE, making it difficult to mitigate through software-based solutions alone. The attack can be sustained indefinitely as long as the attacker continues to send fragmented packets, causing repeated PFE disablement and requiring manual intervention or device reboot to restore normal operations.

Security implications of this vulnerability align with ATT&CK technique T1498 (Network Denial of Service); T1566, which covers credential harvesting through social engineering, is also listed but is not directly applicable here. The vulnerability affects a wide range of Junos OS versions across multiple release branches, specifically targeting the inline IP reassembly feature introduced in version 17.2. Mitigation strategies must address both immediate configuration changes and long-term system hardening. Organizations should disable inline IP reassembly on affected devices where possible, though this may impact functionality for the protocols that depend on it. The most effective remediation is upgrading to the patched Junos OS versions specified in the vulnerability advisory, which address the root cause in the packet forwarding engine's handling of fragmented packets. Additionally, network segmentation and traffic filtering should be implemented to limit the attack surface, and monitoring should be enhanced to detect unusual error patterns, such as repeated MQSS errors and PFE disable actions, that may indicate exploitation attempts. The vulnerability demonstrates the importance of thorough testing of new features in network operating systems and highlights how a seemingly minor configuration option can cause a catastrophic system failure when combined with specific hardware configurations.
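As an added example of the log monitoring suggested above (not code from VulDB or Juniper), the following Python groups the advisory's disable-pfe messages per forwarding engine over a constructed syslog excerpt and flags engines that are disabled repeatedly within a short window; the hostname, timestamps and the final unrelated line are invented.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog excerpt: the message bodies follow the advisory's
# quoted errors; the timestamps, hostname and the final unrelated line are invented.
SAMPLE_LOG = """\
Apr 11 10:00:01 mx-edge1 fpc8 MQSS(0): WO: Packet Error - Error Packets 1, Connection 29
Apr 11 10:00:01 mx-edge1 fpc8 MQSS(0): DRD: UNROLL0: HMC chunk length error in stage 5 - Chunk Address: 0x4321f3
Apr 11 10:00:02 mx-edge1 fpc8 Performing action disable-pfe for error /fpc/8/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(0) with scope: pfe category: functional level: major
Apr 11 10:05:30 mx-edge1 fpc8 Performing action disable-pfe for error /fpc/8/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(0) with scope: pfe category: functional level: major
Apr 11 10:09:12 mx-edge1 fpc8 Performing action disable-pfe for error /fpc/8/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(0) with scope: pfe category: functional level: major
Apr 11 11:30:00 mx-edge1 fpc2 Performing action disable-pfe for error /fpc/2/pfe/0/cm/0/PLACEHOLDER_UNRELATED_ERR (0x0) in module: X with scope: pfe category: functional level: major
"""

# The PFE-disable action quoted in the advisory; FPC and PFE slots are captured so repeats can be counted per engine.
DISABLE_PFE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) .*?"
    r"Performing action disable-pfe for error /fpc/(?P<fpc>\d+)/pfe/(?P<pfe>\d+)/"
    r"\S*MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR\b"
)

def parse_disable_events(log_text):
    """Return [(host, fpc, pfe, timestamp)] for each matching disable-pfe line."""
    events = []
    for line in log_text.splitlines():
        m = DISABLE_PFE_RE.search(line)
        if m:  # year-less syslog stamp; adequate for differences inside one window
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((m["host"], int(m["fpc"]), int(m["pfe"]), ts))
    return events

def find_repeated_disables(log_text, window_minutes=15, threshold=3):
    """Map (host, fpc, pfe) -> hit count for engines disabled by the MQSS FSM error at
    least `threshold` times within `window_minutes`; one hit may be a transient fault."""
    by_engine = defaultdict(list)
    for host, fpc, pfe, ts in parse_disable_events(log_text):
        by_engine[(host, fpc, pfe)].append(ts)
    alerts = {}
    for key, stamps in by_engine.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted stamps
            while (ts - stamps[start]).total_seconds() > window_minutes * 60:
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = end - start + 1
                break
    return alerts
```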
