CVE-2021-0221 in Junos
Summary
by MITRE • 01/16/2021
In an EVPN/VXLAN scenario, if an IRB interface with a virtual gateway address (VGA) is configured on a PE, a traffic loop may occur upon receipt of specific IP multicast traffic. The traffic loop will cause interface traffic to increase abnormally, ultimately leading to a Denial of Service (DoS) in packet processing. The following command could be used to monitor the interface traffic:

user@junos> monitor interface traffic
Interface    Link  Input packets        (pps)     Output packets        (pps)
 et-0/0/1     Up   6492089274364   (70994959)   6492089235319   (70994956)
 et-0/0/25    Up       343458103          (1)          156844          (0)
 ae0          Up   9132519197257   (70994959)   9132519139454   (70994956)

This issue affects Juniper Networks Junos OS on QFX Series:
all versions prior to 17.3R3-S10;
17.4 versions prior to 17.4R2-S12, 17.4R3-S3;
18.1 versions prior to 18.1R3-S11;
18.2 versions prior to 18.2R3-S6;
18.3 versions prior to 18.3R3-S4;
18.4 versions prior to 18.4R2-S5, 18.4R3-S5;
19.1 versions prior to 19.1R1-S6, 19.1R2-S2, 19.1R3-S3;
19.2 versions prior to 19.2R1-S5, 19.2R3-S1;
19.3 versions prior to 19.3R2-S5, 19.3R3;
19.4 versions prior to 19.4R2-S2, 19.4R3;
20.1 versions prior to 20.1R2;
20.2 versions prior to 20.2R1-S2, 20.2R2.
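The affected-version list above is awkward to check by hand because Junos fixes land on several R releases of the same branch (for example 17.4R2-S12 and 17.4R3-S3). The following Python is an added example, not code from MITRE, Juniper or VulDB, that transcribes the list into a table and answers "is this QFX version affected?" for an inventory export. It assumes the Junos "MAJOR.MINOR R<n>[-S<n>]" version format, treats branches the advisory does not name (such as 20.3) as not affected, and treats an unlisted R release that sits between two listed fixes as affected; those three assumptions are the author's, not the advisory's.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases per Junos branch (major, minor) for QFX Series, transcribed from
# the affected-version list in the advisory text above. Each entry is
# (R release, S service release); a fixed release with no -S suffix is stored as S=0.
FIXED_RELEASES: Dict[Tuple[int, int], List[Tuple[int, int]]] = {
    (17, 3): [(3, 10)],
    (17, 4): [(2, 12), (3, 3)],
    (18, 1): [(3, 11)],
    (18, 2): [(3, 6)],
    (18, 3): [(3, 4)],
    (18, 4): [(2, 5), (3, 5)],
    (19, 1): [(1, 6), (2, 2), (3, 3)],
    (19, 2): [(1, 5), (3, 1)],
    (19, 3): [(2, 5), (3, 0)],
    (19, 4): [(2, 2), (3, 0)],
    (20, 1): [(2, 0)],
    (20, 2): [(1, 2), (2, 0)],
}
# "all versions prior to 17.3R3-S10": every branch older than 17.3 is affected outright.
EARLIEST_FIXED_BRANCH = (17, 3)

# Matches the leading "MAJOR.MINOR R<n>[-S<n>]" of a Junos version string; any trailing
# build suffix (e.g. the ".4" in 18.4R2-S5.4) is ignored.
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?")


def parse_junos_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, R, S) for a Junos version string such as '19.1R2-S2'."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    major, minor, r, s = m.groups()
    return int(major), int(minor), int(r), int(s or 0)


def is_affected(version: str) -> bool:
    """True if the given QFX Junos version falls inside the advisory's affected ranges.

    Assumptions (not stated by the advisory): a branch it does not name (e.g. 20.3)
    is treated as unaffected, and an R release in a named branch that sits between
    two listed fixes without being listed itself is treated as affected (conservative).
    """
    major, minor, r, s = parse_junos_version(version)
    branch = (major, minor)
    if branch < EARLIEST_FIXED_BRANCH:
        return True
    fixes = FIXED_RELEASES.get(branch)
    if fixes is None:
        return False
    for fixed_r, fixed_s in fixes:
        if fixed_r == r:
            # Same R release: fixed from the listed service release onwards.
            return s < fixed_s
    # A later R release than any listed fix carries the fix; an earlier one does not.
    return r < max(fixed_r for fixed_r, _ in fixes)


def triage(versions: List[str]) -> Dict[str, bool]:
    """Map each version string to its affected status, e.g. for an inventory export."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed inventory sample for demonstration.
    for version, affected in triage(
        ["16.1R7-S8", "17.4R2-S11", "17.4R2-S12", "19.3R3", "20.1R1-S4", "20.3R1"]
    ).items():
        print(f"{version:12s} {'AFFECTED' if affected else 'fixed / not listed'}")
```

Feed it the output of show version from each QFX (the "Junos:" line) and act on every True. The conservative handling of unlisted R releases errs toward patching; confirm against the vendor advisory before treating any such release as safe.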
Analysis
by VulDB Data Team • 02/15/2021
This vulnerability affects Juniper Networks Junos OS on QFX Series devices operating in EVPN/VXLAN environments when an IRB interface on a PE is configured with a virtual gateway address (VGA). On receipt of specific IP multicast traffic, the forwarding plane re-forwards the packets in a loop instead of terminating or discarding them, so each looped packet is processed again and again and interface packet rates climb far above normal. Sustained at that rate, the loop exhausts the device's packet-processing capacity and results in a denial of service (DoS). The defect is in how multicast traffic is handled when a VGA-configured IRB interface is present; it is a forwarding-logic flaw, not a memory-safety bug.
Technically, the flaw lies in multicast packet forwarding on the PE when a VGA is configured on an IRB interface: for the triggering multicast traffic, the forwarding logic does not recognise that the packet should be dropped or has already been forwarded, and sends it around the same path again. The monitor interface traffic output reproduced in the summary shows the resulting signature. et-0/0/1 and the aggregate ae0 are carrying roughly 71 million packets per second in each direction, with input and output rates almost identical (70994959 pps in against 70994956 pps out), while et-0/0/25 on the same device is idle at 0 to 1 pps. The excerpt is a single snapshot rather than a time series, so it does not show growth over time; what it does show is the indicator to look for: an abnormally high, sustained packet rate on the looping interfaces with input and output nearly equal, because what enters is forwarded straight back out instead of being terminated or filtered.
Operationally, the impact goes beyond degraded performance to loss of service. Administrators may observe sustained high load in packet processing, abnormal interface traffic patterns of the kind shown above, and eventually a forwarding plane so saturated that legitimate traffic is no longer delivered. Because the issue exists across many release branches (17.3 through 20.2), QFX deployments of widely differing vintage are exposed. Any organisation running EVPN/VXLAN with VGA-configured IRB interfaces on affected QFX code should treat the arrival of the triggering multicast traffic, whether accidental or deliberate, as a likely outage.
Mitigation is to upgrade affected QFX devices to a fixed release: 17.3R3-S10; 17.4R2-S12 or 17.4R3-S3; 18.1R3-S11; 18.2R3-S6; 18.3R3-S4; 18.4R2-S5 or 18.4R3-S5; 19.1R1-S6, 19.1R2-S2 or 19.1R3-S3; 19.2R1-S5 or 19.2R3-S1; 19.3R2-S5 or 19.3R3; 19.4R2-S2 or 19.4R3; 20.1R2; 20.2R1-S2 or 20.2R2; or any later release on the same branch. The advisory text reproduced above names no workaround. Interim measures such as rate-limiting or filtering the specific multicast traffic that triggers the loop at the network edge may reduce exposure, but they are not vendor-stated workarounds and should be validated before anyone relies on them. Monitoring interface packet rates (for example with monitor interface traffic, or the equivalent SNMP or streaming-telemetry interface counters) gives an early indicator: a sudden jump to an abnormally high packet rate with matching input and output rates on the looping interfaces is characteristic of the condition. A classification under CWE-121 and CWE-122 (stack- and heap-based buffer overflow) does not fit this issue: the defect is a forwarding-logic loop with no memory corruption, and it is better described by CWE-835 (Loop with Unreachable Exit Condition) or CWE-400 (Uncontrolled Resource Consumption). In ATT&CK terms it maps to T1498.001 (Network Denial of Service: Direct Network Flood) and T1499.004 (Endpoint Denial of Service: Application or System Exploitation): an attacker who can deliver the triggering multicast traffic consumes the device's packet-processing capacity and disrupts availability.
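The following Python is an added detection example (not code from the advisory, Juniper or VulDB). It parses the plain-text rows of monitor interface traffic, as captured from a CLI session or returned by a PyEZ or netmiko command run, and flags interfaces that show the loop signature: a very high packet rate with input and output nearly equal. The sample output is constructed from the excerpt in the summary; the 1 Mpps threshold and 95% symmetry ratio are assumptions to tune per platform and link speed, and the row regex assumes the column layout shown above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the "monitor interface traffic" excerpt in the
# advisory text: two interfaces carrying ~71 Mpps in both directions, one idle.
SAMPLE_MONITOR_OUTPUT = """\
Interface    Link  Input packets        (pps)     Output packets        (pps)
 et-0/0/1     Up   6492089274364   (70994959)   6492089235319   (70994956)
 et-0/0/25    Up       343458103          (1)          156844          (0)
 ae0          Up   9132519197257   (70994959)   9132519139454   (70994956)
"""

# One per-interface row: name, link state, input packets (pps), output packets (pps).
# Assumes the column layout shown in the advisory excerpt.
_ROW = re.compile(
    r"^\s*(?P<ifname>\S+)\s+(?P<link>Up|Down)\s+"
    r"(?P<in_pkts>\d+)\s+\((?P<in_pps>\d+)\)\s+"
    r"(?P<out_pkts>\d+)\s+\((?P<out_pps>\d+)\)\s*$"
)


@dataclass
class IfStats:
    name: str
    link: str
    in_pps: int
    out_pps: int


def parse_monitor_output(text: str) -> List[IfStats]:
    """Parse the per-interface rows of 'monitor interface traffic' output.

    The header line and anything that does not match the row layout is skipped,
    so the function can be fed a raw terminal capture.
    """
    rows: List[IfStats] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(IfStats(m["ifname"], m["link"], int(m["in_pps"]), int(m["out_pps"])))
    return rows


def find_loop_candidates(stats: List[IfStats],
                         pps_threshold: int = 1_000_000,
                         symmetry: float = 0.95) -> List[str]:
    """Return the names of Up interfaces showing the loop signature from the advisory:
    an abnormally high packet rate with input and output rates nearly equal
    (what comes in is forwarded straight back out).

    pps_threshold and symmetry are assumed defaults; tune them to the platform.
    """
    flagged: List[str] = []
    for s in stats:
        if s.link != "Up":
            continue
        hi, lo = max(s.in_pps, s.out_pps), min(s.in_pps, s.out_pps)
        if hi >= pps_threshold and lo / hi >= symmetry:
            flagged.append(s.name)
    return flagged


if __name__ == "__main__":
    stats = parse_monitor_output(SAMPLE_MONITOR_OUTPUT)
    for s in stats:
        print(f"{s.name:12s} {s.link:5s} in={s.in_pps:>10d} pps  out={s.out_pps:>10d} pps")
    print("loop candidates:", find_loop_candidates(stats))
```

On the sample the physical member et-0/0/1 and its aggregate ae0 are flagged while et-0/0/25 is not. In a poller, run this against each QFX in the EVPN/VXLAN fabric on a short interval and alert on the first non-empty result; a looped multicast stream shows up on the VGA-configured segment's interfaces long before the forwarding plane is fully exhausted.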