CVE-2020-1685 in Junos
Summary
by MITRE • 10/17/2020
When configuring stateless firewall filters in Juniper Networks EX4600 and QFX 5000 Series devices using Virtual Extensible LAN protocol (VXLAN), the discard action will fail to discard traffic under certain conditions. Given a firewall filter configuration similar to:

family ethernet-switching {
    filter L2-VLAN {
        term ALLOW {
            from {
                user-vlan-id 100;
            }
            then {
                accept;
            }
        }
        term NON-MATCH {
            then {
                discard;
            }
        }

when there is only one term containing a 'user-vlan-id' match condition, and no other terms in the firewall filter except discard, the discard action for non-matching traffic will only discard traffic with the same VLAN ID specified under 'user-vlan-id'. Other traffic (e.g. VLAN ID 200) will not be discarded. This unexpected behavior can lead to unintended traffic passing through the interface where the firewall filter is applied. This issue only affects systems using VXLANs. This issue affects Juniper Networks Junos OS on QFX5K Series: 18.1 versions prior to 18.1R3-S7, except 18.1R3; 18.2 versions prior to 18.2R2-S7, 18.2R3-S1; 18.3 versions prior to 18.3R1-S5, 18.3R2-S4, 18.3R3; 18.4 versions prior to 18.4R1-S7, 18.4R2-S1, 18.4R3; 19.1 versions prior to 19.1R1-S5, 19.1R2; 19.2 versions prior to 19.2R1-S5, 19.2R2.
Analysis
by VulDB Data Team • 11/20/2020
This vulnerability is a flaw in the stateless firewall filtering of Juniper Networks EX4600 and QFX 5000 Series switches when they carry Virtual Extensible LAN (VXLAN) traffic. It surfaces in firewall filters of the ethernet-switching family: under the conditions given in the summary, a terminating discard action does not drop the traffic it was configured to drop. The root cause is an implementation error in the Junos OS filter-processing logic, which mishandles the discard when the filter's only match term carries a single user-vlan-id condition. The entry is classified under CWE-284 (Improper Access Control): the device fails to enforce a valid, committed filtering rule, so traffic the operator intended to block passes the interface. This is not a memory-safety or authentication bug, and it requires no malformed input; ordinary frames with a VLAN ID other than the one named in the filter are enough. The flaw sits at the data-link layer, in ethernet-switching family processing (Layer 2), not at the network layer, and it undermines the segmentation that devices carrying VXLAN traffic are expected to provide.
The trigger is a filter with exactly one term whose from clause matches user-vlan-id, followed by a terminating term whose only action is discard, and no other terms. The intended semantics are that the discard term drops every frame the first term did not accept, whatever its VLAN. On affected releases the discard term instead behaves as though it carried the same user-vlan-id match as the first term: it only drops frames with that VLAN ID, and frames tagged with any other VLAN (for example VLAN 200 when the filter names VLAN 100) are forwarded as if no filter were applied to the interface. Note the asymmetry: the accept path works, so a test that only sends VLAN 100 traffic looks correct; the fault is visible only when non-matching VLANs are sent through the interface. In a VXLAN deployment where such a filter separates tenants or segments, this lets traffic cross a boundary the operator believes is closed. The ATT&CK technique listed for this entry, T1046 (Network Service Scanning, now titled Network Service Discovery), covers an adversary enumerating reachable services; the connection here is that scans and other traffic the filter should have discarded reach the far side of the interface, not that the technique describes the bug itself.
The operational impact falls on organizations that rely on these switches for VLAN-based filtering inside VXLAN fabrics. Where a filter of the shape above is meant to enforce segmentation, the bug silently voids it: traffic that was supposed to stay within one segment can reach another, which is the precondition for lateral movement across a boundary that monitoring and threat models assume is closed. The affected ranges span six release trains (18.1 through 19.2), so the flaw is present across a large installed base rather than in a single release, and sites that track only a few product lines may not have noticed it. The consequence the summary supports is unintended traffic passing the interface; what an attacker gains from that depends on what lies behind the filter, from reconnaissance of hosts that should be unreachable to exfiltration over a path that should have been blocked. In control-framework terms this is a failure of a configured access control, not a misconfiguration by the operator: the configuration is valid and the device does not do what it says.
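The affected-release list in the summary is easy to misread by eye, since each train has its own set of fixed releases. The script below is added here as an example; it is not part of the VulDB entry or of any Juniper tool. It encodes the list from the summary and decides whether a given Junos version string falls in an affected range. It checks the version only: that the platform is an EX4600 or QFX5K and that VXLAN is in use still has to be confirmed separately. The version-string grammar, the reading of "except 18.1R3" as the bare R3 release, and the "Junos:" line format of show version output are assumptions made by this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases per Junos train, transcribed from the CVE summary on this page.
FIXED_RELEASES: Dict[str, List[str]] = {
    "18.1": ["18.1R3-S7"],
    "18.2": ["18.2R2-S7", "18.2R3-S1"],
    "18.3": ["18.3R1-S5", "18.3R2-S4", "18.3R3"],
    "18.4": ["18.4R1-S7", "18.4R2-S1", "18.4R3"],
    "19.1": ["19.1R1-S5", "19.1R2"],
    "19.2": ["19.2R1-S5", "19.2R2"],
}
# The summary says "18.1 versions prior to 18.1R3-S7, except 18.1R3". This code reads the
# exception as the bare 18.1R3 release (no service release number); that reading is an assumption.
NOT_AFFECTED_EXCEPTIONS = {"18.1R3"}

# MAJOR.MINOR R<release> [.build] [-S<service> [.build]]; "-D" special releases are not handled.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.\d+)?(?:-S(\d+)(?:\.\d+)?)?$")


def parse_version(version: str) -> Tuple[str, int, int]:
    """Split '18.2R2-S7.1' into (train '18.2', release 2, service 7); build numbers are ignored."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    return f"{m.group(1)}.{m.group(2)}", int(m.group(3)), int(m.group(4) or 0)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is inside an affected range from the summary, False if it is at or
    past a fixed release (or explicitly excepted), None if its train is not listed at all."""
    train, rel, svc = parse_version(version)
    if train not in FIXED_RELEASES:
        return None
    if svc == 0 and f"{train}R{rel}" in NOT_AFFECTED_EXCEPTIONS:
        return False
    fixed = [parse_version(f) for f in FIXED_RELEASES[train]]
    for _, frel, fsvc in fixed:
        if frel == rel:                 # same R-line: fixed from service release fsvc onwards
            return svc < fsvc
    # An R-line older than every fixed one is affected; a newer R-line carries the fix.
    return rel < min(frel for _, frel, _ in fixed)


def version_from_show_version(output: str) -> str:
    """Pull the version out of 'show version' text; assumes a line of the form 'Junos: <version>'."""
    m = re.search(r"^Junos:\s*(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Junos:' line found in output")
    return m.group(1)


# Constructed 'show version' excerpt; not captured from a real device.
SAMPLE_SHOW_VERSION = """Hostname: qfx-leaf1
Model: qfx5100-48s-6q
Junos: 18.4R2-S1.4
"""

if __name__ == "__main__":
    for v in ["18.1R3", "18.1R3-S6", "18.2R2-S5", "18.2R3", "18.3R3", "19.2R1-S4", "20.1R1"]:
        print(f"{v:12} affected={is_affected(v)}")
    device = version_from_show_version(SAMPLE_SHOW_VERSION)
    print(f"device {device}: affected={is_affected(device)}")
```

A None result means the train is not in the summary's list at all (for example 20.1), which is not the same as "fixed"; check the vendor advisory for trains the summary does not mention.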
Mitigation starts with upgrading to the fixed release listed in the summary for the affected train (for example 18.4R1-S7, 18.4R2-S1 or 18.4R3 on the 18.4 train). Until that is done, review every ethernet-switching filter on VXLAN-carrying QFX5K and EX4600 devices for the trigger shape: a single user-vlan-id term plus a bare discard term and nothing else. The summary ties the bug to that exact shape, so restructuring the filter (adding terms, or matching on something other than user-vlan-id) changes the trigger condition, but the page does not state that any particular restructuring is a supported workaround; treat it as a stop-gap to be verified on the device, not as a fix. Verification is direct: attach a counter to the discard term (then { count NAME; discard; }), send frames tagged with a VLAN other than the one named in user-vlan-id through the interface, and confirm with show firewall filter NAME that the counter increments and that the frames do not appear on the far side. A test that only sends the permitted VLAN proves nothing, because the accept path works on affected releases. Repeat the same test after the upgrade, and add a configuration-audit step to regular reviews so that single-term filters of the same shape elsewhere in the network are caught. While patches are rolled out, traffic-analysis or flow monitoring on the segments behind such filters can flag VLANs that should never appear there.
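A configuration review across many devices is easier with a script. The following Python is added here as an example; it is not part of the VulDB entry or of any Juniper tool. It parses the curly-brace Junos configuration format shown in the summary and reports every family ethernet-switching filter whose terms consist of exactly one user-vlan-id term plus bare discard terms, which is the trigger shape the summary describes. The sample configuration is constructed: the first filter is the summary's own example, the second is a hypothetical variant with an extra ether-type term. The auditor only decides whether a filter literally matches the described shape; the page does not say whether the variant avoids the bug, so a non-match is not a clean bill of health.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample, not taken from a real device. L2-VLAN is the trigger shape from the CVE
# summary; L2-VLAN-VARIANT is a hypothetical filter with one more term, so it does not match the
# described trigger shape (the page does not confirm that this avoids the bug).
SAMPLE_CONFIG = """
firewall {
    family ethernet-switching {
        filter L2-VLAN {
            term ALLOW {
                from {
                    user-vlan-id 100;
                }
                then {
                    accept;
                }
            }
            term NON-MATCH {
                then {
                    discard;
                }
            }
        }
        filter L2-VLAN-VARIANT {
            term ALLOW-100 {
                from { user-vlan-id 100; }
                then { accept; }
            }
            term ALLOW-ARP {
                from { ether-type arp; }
                then { accept; }
            }
            term NON-MATCH {
                then { count non-match; discard; }
            }
        }
    }
}
"""

Node = Tuple[str, list]  # (statement text, child nodes); leaf statements have an empty list


def parse_junos(text: str) -> List[Node]:
    """Parse curly-brace Junos configuration into nested (statement, children) nodes.
    Unbalanced input (such as the truncated snippet in the summary) is parsed as far as it goes."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)          # drop '#'-style comment/annotation lines
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    pos = 0

    def block() -> List[Node]:
        nonlocal pos
        nodes: List[Node] = []
        words: List[str] = []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                nodes.append((" ".join(words), block()))
                words = []
            elif tok == "}":
                break
            elif tok == ";":
                nodes.append((" ".join(words), []))
                words = []
            else:
                words.append(tok)
        return nodes

    return block()


def walk(nodes: List[Node], path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], List[Node]]]:
    """Yield (path-of-statements, children) for every node, depth first."""
    for stmt, children in nodes:
        yield path + (stmt,), children
        yield from walk(children, path + (stmt,))


def _leaves_under(nodes: List[Node], keyword: str) -> List[str]:
    """Leaf statements inside each child block named exactly `keyword` (e.g. 'from' or 'then')."""
    return [leaf for stmt, kids in nodes if stmt == keyword for leaf, _ in kids]


def audit_filter(name: str, body: List[Node]) -> dict:
    """Classify a filter's terms and flag the single-user-vlan-id-plus-discard trigger shape."""
    vlan_terms, discard_terms, other_terms = [], [], []
    for stmt, tbody in body:
        if not stmt.startswith("term "):
            continue                                   # e.g. 'interface-specific' leaf
        term = stmt.split(" ", 1)[1]
        conds = _leaves_under(tbody, "from")
        actions = _leaves_under(tbody, "then")
        if any(c.startswith("user-vlan-id") for c in conds):
            vlan_terms.append(term)
        elif not conds and "discard" in actions:
            discard_terms.append(term)                 # catch-all discard, no match conditions
        else:
            other_terms.append(term)
    matches = len(vlan_terms) == 1 and bool(discard_terms) and not other_terms
    return {"filter": name, "vlan_terms": vlan_terms, "discard_terms": discard_terms,
            "other_terms": other_terms, "matches_trigger": matches}


def audit_config(text: str) -> List[dict]:
    """Audit every filter found under 'family ethernet-switching', wherever it sits in the tree."""
    results = []
    for path, children in walk(parse_junos(text)):
        if path[-1].startswith("filter ") and "family ethernet-switching" in path:
            results.append(audit_filter(path[-1].split(" ", 1)[1], children))
    return results


def triggering_filters(text: str) -> List[str]:
    return [r["filter"] for r in audit_config(text) if r["matches_trigger"]]


if __name__ == "__main__":
    for r in audit_config(SAMPLE_CONFIG):
        flag = "TRIGGER" if r["matches_trigger"] else "ok"
        print(f"{flag:8} {r['filter']}: vlan={r['vlan_terms']} "
              f"discard={r['discard_terms']} other={r['other_terms']}")
```

Feed it the output of show configuration firewall (or a whole saved configuration; the walker finds ethernet-switching filters at any depth) for each QFX5K and EX4600 in the VXLAN fabric. Flagged filters need either the upgrade or a verified restructuring; unflagged ones still deserve the counter test described above on affected releases.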