CVE-2020-1679 in Junosinfo

Summary

by MITRE • 10/17/2020

On Juniper Networks PTX and QFX Series devices with packet sampling configured using tunnel-observation mpls-over-udp, sampling of a malformed packet can cause the Kernel Routing Table (KRT) queue to become stuck. KRT is the module within the Routing Process Daemon (RPD) that synchronizes the routing tables with the forwarding tables in the kernel. This table is then synchronized to the Packet Forwarding Engine (PFE) via the KRT queue. Thus, when the KRT queue becomes stuck, it can lead to unexpected packet forwarding issues. An administrator can monitor the following command to check whether the KRT queue is stuck:

user@device > show krt state
...
Number of async queue entries: 65007


Analysis

by VulDB Data Team • 11/20/2020

The vulnerability described in CVE-2020-1679 represents a critical issue within Juniper Networks PTX and QFX Series network devices that affects the kernel routing table synchronization mechanism. This flaw specifically manifests when packet sampling is configured using the tunnel-observation mpls-over-udp feature, creating a scenario where malformed packets can trigger a cascade of failures in the routing infrastructure. The vulnerability operates at the intersection of network packet processing and kernel-level routing table management, making it particularly dangerous for enterprise network infrastructure where consistent packet forwarding is paramount for business continuity.

The technical root cause of this vulnerability lies in the improper handling of malformed packets within the kernel routing table queue mechanism. When such packets are processed through the tunnel-observation mpls-over-udp sampling configuration, the Kernel Routing Table (KRT) queue becomes indefinitely stuck, preventing normal synchronization between the routing process daemon and the kernel forwarding tables. This queue stagnation occurs because the system fails to properly terminate or reset the queue state when encountering malformed packet structures, leading to a memory leak scenario that eventually exhausts available resources. The issue is classified under CWE-129 as insufficient input validation, specifically concerning malformed packet handling within network processing modules.

The operational impact of this vulnerability extends far beyond simple packet forwarding disruptions, potentially causing complete network service degradation across affected devices. When the KRT queue becomes stuck, the routing table synchronization process halts, meaning that new routing information cannot be properly propagated from the Routing Process Daemon to the Packet Forwarding Engine. This creates a state where the device continues to operate but with stale or incomplete routing information, leading to unpredictable packet forwarding behavior including black holes, routing loops, or complete forwarding failures. Network administrators monitoring the system through the 'show krt state' command will observe abnormal queue entry counts; the example output showing 65007 entries indicates a queue that has become saturated and non-functional.

Mitigation strategies for this vulnerability require immediate attention from network security teams, as the issue can be exploited to cause significant service disruption without requiring elevated privileges. The primary recommendation involves disabling the problematic tunnel-observation mpls-over-udp configuration until a firmware patch is applied, which aligns with ATT&CK technique T1070.004 for indicator removal and system modification. Network administrators should also implement monitoring procedures to detect abnormal KRT queue behavior through regular state checks and establish automated alerting systems when queue entry counts exceed normal operational thresholds. Additionally, organizations should consider implementing network segmentation and access controls to limit potential attack vectors, while maintaining detailed logging of routing table changes to facilitate rapid incident response. The vulnerability demonstrates the critical importance of proper input validation in network infrastructure components and highlights the need for robust error handling mechanisms in high-availability network equipment.
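The monitoring and alerting recommended above can be automated by polling 'show krt state' and parsing the "Number of async queue entries" line quoted in the summary. The following is an added example, not code from VulDB or Juniper; the sample outputs are constructed (only the async queue entries line comes from the advisory), and the 1000-entry threshold is an assumed site value that an operator would tune to their normal baseline.

```python
import re
from typing import List, Optional

# Matches the line quoted in the advisory; the integer after the colon is the alert metric.
ASYNC_QUEUE_RE = re.compile(r"Number of async queue entries:\s*(\d+)")

# Constructed sample outputs of `show krt state`. The header and "..." are placeholders;
# only the "Number of async queue entries" line mirrors what the advisory shows.
HEALTHY = "user@device> show krt state\n...\nNumber of async queue entries: 0\n"
STUCK = "user@device> show krt state\n...\nNumber of async queue entries: 65007\n"


def async_queue_entries(output: str) -> Optional[int]:
    """Parse the async queue entry count out of one `show krt state` output."""
    match = ASYNC_QUEUE_RE.search(output)
    return int(match.group(1)) if match else None


def krt_queue_stuck(counts: List[int], threshold: int = 1000) -> bool:
    """Flag a stuck KRT queue from consecutive polls.

    A stuck queue is above the (assumed) threshold on every sample and never drains
    between polls; a transient burst that decreases again is not an alert.
    """
    if len(counts) < 2:
        return False
    above_threshold = all(c > threshold for c in counts)
    draining = any(later < earlier for earlier, later in zip(counts, counts[1:]))
    return above_threshold and not draining


def assess(outputs: List[str], threshold: int = 1000) -> str:
    """Return 'stuck', 'ok' or 'unparsed' for a series of polled command outputs."""
    counts = [async_queue_entries(o) for o in outputs]
    if any(c is None for c in counts):
        return "unparsed"  # treat unparseable output as a monitoring failure, not as healthy
    return "stuck" if krt_queue_stuck(counts, threshold) else "ok"


if __name__ == "__main__":
    print("three stuck polls:", assess([STUCK, STUCK, STUCK]))
    print("two healthy polls:", assess([HEALTHY, HEALTHY]))
```

In production the outputs would come from periodic SSH or NETCONF polls of the device; an 'unparsed' result should page as well, since a blind monitor is the failure mode the advisory warns about.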

Reservation

11/04/2019

Disclosure

10/17/2020

Moderation

accepted

CPE

ready

EPSS

0.01225

KEV

no

Activities

very low

Sources
