CVE-2021-0208 in Junos

Summary

by MITRE • 01/16/2021

An improper input validation vulnerability in the Routing Protocol Daemon (RPD) service of Juniper Networks Junos OS allows an attacker to send a malformed RSVP packet when bidirectional LSPs are in use, which when received by an egress router crashes the RPD causing a Denial of Service (DoS) condition. Continued receipt of the packet will sustain the Denial of Service. This issue affects: Juniper Networks Junos OS: All versions prior to 17.3R3-S10 except 15.1X49-D240 for SRX series; 17.4 versions prior to 17.4R3-S2; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R2-S7, 18.2R3-S4; 18.3 versions prior to 18.3R3-S2; 18.4 versions prior to 18.4R1-S8, 18.4R2-S6, 18.4R3-S2; 19.1 versions prior to 19.1R1-S5, 19.1R3-S3; 19.2 versions prior to 19.2R3; 19.3 versions prior to 19.3R2-S5, 19.3R3; 19.4 versions prior to 19.4R2-S2, 19.4R3-S1; 20.1 versions prior to 20.1R1-S4, 20.1R2; 15.1X49 versions prior to 15.1X49-D240 on SRX Series. Juniper Networks Junos OS Evolved: 19.3 versions prior to 19.3R2-S5-EVO; 19.4 versions prior to 19.4R2-S2-EVO; 20.1 versions prior to 20.1R1-S4-EVO.


Analysis

by VulDB Data Team • 02/14/2021

The vulnerability identified as CVE-2021-0208 represents a critical improper input validation flaw within the Routing Protocol Daemon (RPD) service of Juniper Networks Junos OS operating systems. This weakness specifically manifests when bidirectional Label Switched Paths (LSPs) are active within the network infrastructure, creating a pathway for malicious actors to exploit the system through carefully crafted RSVP (Resource Reservation Protocol) packets. The RPD service, which is responsible for managing routing protocols and maintaining network connectivity, becomes vulnerable to exploitation when processing malformed RSVP messages that are designed to trigger memory corruption or resource exhaustion conditions. This flaw exists at the intersection of network protocol implementation and input sanitization, where the daemon fails to properly validate the structure and content of incoming RSVP packets before processing them.

The technical exploitation of this vulnerability occurs through the manipulation of RSVP packet formats that are typically used to establish and maintain bidirectional LSPs in MPLS networks. When an egress router receives a malformed RSVP packet designed to trigger the input validation flaw, the RPD process crashes and terminates unexpectedly, leading to a complete denial of service condition for routing services on that device. The crash occurs because the RPD service does not adequately validate packet headers, TLV (Type-Length-Value) structures, or parameter values within the RSVP protocol message, allowing attackers to send packets that contain unexpected or malformed data sequences. This type of vulnerability falls under the CWE-20 category of "Improper Input Validation" and represents a classic example of how protocol implementation flaws can be leveraged to achieve system compromise. The attack vector is particularly concerning as it requires minimal privileges and can be executed remotely, making it reachable by attackers who have no direct access to the target device itself.

The operational impact of this vulnerability extends beyond simple service disruption, as it can severely compromise network reliability and availability in production environments. When the RPD daemon crashes, the router loses its ability to process routing updates, maintain LSP connections, and forward traffic through the MPLS network, potentially causing cascading failures across interconnected network segments. Network administrators may experience extended downtime as the system attempts to recover from the crash, and in some cases, the daemon may fail to restart automatically, requiring manual intervention. The sustained denial of service condition means that continued receipt of the malicious packets will keep the router in a crashed state, preventing normal network operations and potentially causing routing loops or black holes in the network topology. This vulnerability specifically targets the core routing functionality of Juniper devices, making it a high-impact issue for organizations that rely on MPLS-based network infrastructure for their critical communications.

Organizations affected by this vulnerability should immediately implement mitigation strategies focusing on network segmentation and packet filtering to prevent unauthorized access to routing protocols. The most effective immediate solution involves applying the vendor-provided security patches and firmware updates that address the input validation flaw in the RPD service. Juniper has released specific versions of their Junos OS that contain fixes for this vulnerability, and organizations should upgrade to these patched versions as soon as possible. Network administrators should also consider implementing ingress filtering rules that block RSVP traffic from untrusted sources, particularly when bidirectional LSPs are not actively in use within their network segments. Additional mitigations include monitoring for unusual routing protocol traffic patterns and implementing automated alerting systems that can detect potential exploitation attempts. The vulnerability's classification under ATT&CK technique T1498.001 "Network Denial of Service" indicates that organizations should also consider their incident response procedures and ensure that network availability is maintained through redundant routing paths and proper failover mechanisms. Organizations should also conduct thorough vulnerability assessments to identify any other devices running affected versions of Junos OS and ensure comprehensive patch management across their entire network infrastructure.
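As an added example (this is not VulDB's or Juniper's code), the checker below transcribes the fixed-release list from the summary above into a table and classifies Junos OS, Junos OS Evolved and 15.1X49 version strings as affected, fixed, or not covered by the advisory, so an inventory can be screened before scheduling upgrades. It assumes a conservative reading of Juniper's "X versions prior to A, B, C" phrasing: within a train, a version counts as fixed only if it is at or above the named fix for its R release or sits in a later R release than any named fix, and an R release for which no fix is named (for example 19.1R2) is treated as affected. Hostnames and versions in the sample inventory are constructed.

```python
"""Screen Junos version strings against the fixed releases for CVE-2021-0208.

Added example, not VulDB's or Juniper's code.  FIXED is transcribed from the
advisory text; the comparison rules are this example's conservative reading of
Juniper's "<train> versions prior to A, B, C" phrasing (see is_affected).
"""
import re
from typing import NamedTuple, Optional, Union

# Fixed releases per train as (release, service) pairs: "18.4R1-S8" -> (1, 8),
# "19.2R3" -> (3, 0).  Keyed by (family, (major, minor)).
FIXED = {
    ("junos", (17, 3)): [(3, 10)],
    ("junos", (17, 4)): [(3, 2)],
    ("junos", (18, 1)): [(3, 10)],
    ("junos", (18, 2)): [(2, 7), (3, 4)],
    ("junos", (18, 3)): [(3, 2)],
    ("junos", (18, 4)): [(1, 8), (2, 6), (3, 2)],
    ("junos", (19, 1)): [(1, 5), (3, 3)],
    ("junos", (19, 2)): [(3, 0)],
    ("junos", (19, 3)): [(2, 5), (3, 0)],
    ("junos", (19, 4)): [(2, 2), (3, 1)],
    ("junos", (20, 1)): [(1, 4), (2, 0)],
    ("evo", (19, 3)): [(2, 5)],
    ("evo", (19, 4)): [(2, 2)],
    ("evo", (20, 1)): [(1, 4)],
}
# "All versions prior to 17.3R3-S10": every mainline train below 17.3 is affected.
OLDEST_FIXED_TRAIN = (17, 3)
# SRX branch: "15.1X49 versions prior to 15.1X49-D240".
X_BRANCH_FIXED = {"15.1X49": 240}

_MAINLINE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.\d+)?(?:-S(\d+)(?:\.\d+)?)?(-EVO)?$")
_XBRANCH = re.compile(r"^(\d+\.\d+X\d+)-D(\d+)(?:\.\d+)?$")


class JunosVersion(NamedTuple):
    family: str                    # "junos", "evo" or "xbranch"
    train: Union[tuple, str]       # (major, minor), or the branch string for X releases
    release: int                   # R number, or D number for X branches
    service: int                   # S number, 0 when absent


def parse_version(text: str) -> JunosVersion:
    """Parse strings such as '18.4R1-S8', '19.3R3-EVO' or '15.1X49-D240'."""
    text = text.strip()
    m = _MAINLINE.match(text)
    if m:
        family = "evo" if m.group(5) else "junos"
        return JunosVersion(family, (int(m.group(1)), int(m.group(2))),
                            int(m.group(3)), int(m.group(4) or 0))
    m = _XBRANCH.match(text)
    if m:
        return JunosVersion("xbranch", m.group(1), int(m.group(2)), 0)
    raise ValueError(f"unrecognised Junos version string: {text!r}")


def is_affected(text: str) -> Optional[bool]:
    """True = affected, False = fixed, None = train not covered by the advisory."""
    v = parse_version(text)
    if v.family == "xbranch":
        if v.train in X_BRANCH_FIXED:
            return v.release < X_BRANCH_FIXED[v.train]
        return True  # other 15.1X branches fall under "all versions prior to 17.3R3-S10"
    fixes = FIXED.get((v.family, v.train))
    if fixes is None:
        if v.family == "junos" and v.train < OLDEST_FIXED_TRAIN:
            return True
        newest = max(t for f, t in FIXED if f == v.family)
        return False if v.train > newest else None
    # A release later than every listed fixed release in the train ships fixed.
    if v.release > max(r for r, _ in fixes):
        return False
    for rel, svc in fixes:
        if v.release == rel:
            return v.service < svc  # e.g. 18.4R1-S7 is below the 18.4R1-S8 fix
    # Assumption (conservative): an R release with no named fix, e.g. 19.1R2 when
    # only 19.1R1-S5 and 19.1R3-S3 are listed, is treated as affected.
    return True


def scan_inventory(inventory: dict) -> dict:
    """Map hostname -> 'affected' / 'fixed' / 'not listed' for a {host: version} dict."""
    labels = {True: "affected", False: "fixed", None: "not listed"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "pe1": "18.4R1-S7", "pe2": "18.4R1-S8", "p1": "19.1R2-S3",
        "srx1": "15.1X49-D230", "srx2": "15.1X49-D240", "ptx1": "19.3R2-S4-EVO",
    }
    for host, verdict in scan_inventory(sample).items():
        print(f"{host:6} {sample[host]:16} {verdict}")
```

Feed it the output of a `show version` sweep and treat every "affected" host as an upgrade candidate; "not listed" hosts (an Evolved train the advisory does not name, for instance) need a manual check against the vendor advisory rather than an assumption either way.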

Reservation: 10/27/2020

Disclosure: 01/16/2021

Moderation: accepted

CPE: ready

EPSS: 0.00650

KEV: no

Activities: very low
