CVE-2021-0222 in Junosinfo

Summary

by MITRE • 01/16/2021

A vulnerability in Juniper Networks Junos OS allows an attacker to cause a Denial of Service (DoS) to the device by sending certain crafted protocol packets from an adjacent device with invalid payloads to the device. These crafted packets, which should be discarded, are instead replicated and sent to the RE. Over time, a Denial of Service (DoS) occurs. Continued receipt of these crafted protocol packets will cause an extended Denial of Service (DoS) condition, which may cause wider traffic impact due to protocol flapping. An indication of compromise is to check "monitor interface traffic" on the ingress and egress port packet counts. For each ingress packet, two duplicate packets are seen on egress. This issue can be triggered by IPv4 and IPv6 packets. This issue affects all traffic through the device. This issue affects: Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D53 on EX4300, QFX3500, QFX5100, EX4600; 15.1 versions prior to 15.1R7-S6 on EX4300, QFX3500, QFX5100, EX4600; 16.1 versions prior to 16.1R7-S7 on EX4300, QFX5100, EX4600; 17.1 versions prior to 17.1R2-S11 on EX4300, QFX5100, EX4600; 17.1 versions prior to 117.1R3-S2 on EX4300; 17.2 versions prior to 17.2R1-S9 on EX4300; 17.2 versions prior to 17.2R3-S3 on EX4300, QFX5100, EX4600, QFX5110, QFX5200; 17.3 versions prior to 17.3R2-S5, 17.3R3-S7 on EX4300, QFX5100, EX4600, QFX5110, QFX5200; 17.4 versions prior to 17.4R2-S9, 17.4R3 on EX4300, QFX5100, EX4600, QFX5110, QFX5200; 18.1 versions prior to 18.1R3-S9 on EX4300, QFX5100, EX4600, QFX5110, QFX5200, QFX5210, EX2300, EX3400; 18.2 versions prior to 18.2R2-S7 on EX4300; 18.2 versions prior to 18.2R3-S3 on EX4300, QFX5100, EX4600, QFX5110, QFX5200, QFX5210, EX2300, EX3400; 18.3 versions prior to 18.3R2-S3, on EX4300; 18.3 versions prior to 18.3R1-S7, 18.3R3-S1 on EX4300, QFX5100, EX4600, QFX5110, QFX5200, QFX5210, QFX5120, EX4650, EX2300, EX3400; 18.4 versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3 on EX4300, QFX5100, EX4600, QFX5110, QFX5200, QFX5210, QFX5120, EX4650, EX2300, EX3400; 19.1 versions prior to 19.1R1-S4, 19.1R2-S1, 19.1R3 on EX4300, QFX5100, EX4600, QFX5110, QFX5200, QFX5210, QFX5120, EX4650, EX2300, EX3400; 19.2 versions prior to 19.2R1-S4, 19.2R2 on EX4300; 19.2 versions prior to 19.2R1-S3, 19.2R2 on QFX5100, EX4600, QFX5110, QFX5200, QFX5210, QFX5120, EX4650, EX2300, EX3400; 19.3 versions prior to 19.3R2-S1, 19.3R3 on EX4300; 19.3 versions prior to 19.3R1-S1, 19.3R2, 19.3R3 on QFX5100, EX4600, QFX5110, QFX5200, QFX5210, QFX5120, EX4650, EX2300, EX3400;

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 02/15/2021

This vulnerability represents a significant denial of service weakness in Juniper Networks Junos OS affecting multiple device families including EX4300, QFX3500, QFX5100, and EX4600 series switches. The flaw manifests when the device receives crafted protocol packets from adjacent network devices containing invalid payloads that should normally be discarded by the system. Instead of proper packet filtering and discard behavior, the device replicates these malformed packets and forwards them to the Routing Engine, creating a cascading effect that consumes system resources and ultimately leads to complete service disruption. The vulnerability specifically impacts both ipv4 and ipv6 packet protocols, making it particularly dangerous as it can be exploited across different network addressing schemes. This issue demonstrates a fundamental flaw in the packet processing logic where invalid packets bypass normal validation mechanisms and trigger unintended replication behavior within the forwarding plane.

The technical implementation of this vulnerability stems from improper handling of malformed packets within the Junos OS network stack, particularly in how the system manages packet replication and forwarding operations. When an attacker sends specially crafted packets with invalid payload structures, the device's packet processing logic fails to properly validate these inputs and instead treats them as legitimate traffic that requires replication. This replication occurs at the hardware level where packets are duplicated and sent to the Routing Engine, causing resource exhaustion and system instability. The issue affects all traffic passing through the device because it operates at the fundamental packet processing level rather than specific protocol handling. The replication behavior creates a condition where each ingress packet generates multiple duplicate packets on egress, making the problem easily detectable through monitoring tools that track interface traffic statistics. According to CWE standards, this vulnerability maps to CWE-129, representing improper validation of input boundaries, and CWE-400, indicating unchecked resource consumption.

The operational impact of this vulnerability extends beyond simple service disruption to potentially causing widespread network instability and protocol flapping across affected networks. When sustained, the vulnerability can maintain extended denial of service conditions that significantly impact network availability and performance. The replication of packets creates a resource exhaustion scenario where the Routing Engine becomes overwhelmed with duplicate traffic, leading to system instability and potential complete device failure. Network administrators can identify this compromise by monitoring interface traffic through the "monitor interface traffic" command, where they will observe that ingress packets are generating duplicate egress packets, indicating the replication behavior. The vulnerability affects multiple Junos OS versions across different release branches, making it particularly challenging to remediate as organizations must identify and patch numerous device configurations. The widespread impact across various device families including EX4300, QFX5100, EX4600, QFX5110, QFX5200, and QFX5210 series devices means that network operators must carefully coordinate patching efforts across their entire infrastructure. The issue affects both IPv4 and IPv6 traffic, requiring organizations to implement security measures that address both protocol versions.

Mitigation strategies for this vulnerability require immediate patching of affected Junos OS versions across all impacted device families. Organizations should prioritize updating their network infrastructure to the latest stable releases that contain the necessary fixes for this packet replication flaw. Network administrators should implement traffic filtering rules at network boundaries to prevent adjacent devices from sending malformed packets to affected systems, though this approach provides only partial protection as the vulnerability can be triggered by legitimate network traffic. The recommended approach involves applying official Juniper security patches and firmware updates to all affected devices, which address the underlying packet validation logic that causes the unintended replication behavior. Monitoring systems should be configured to detect unusual packet duplication patterns and alert administrators to potential exploitation attempts. Network segmentation and access control measures can help limit the attack surface by preventing unauthorized adjacent devices from communicating with affected switches. Additionally, implementing rate limiting and packet filtering rules at the network edge can help mitigate the impact of sustained attacks. According to ATT&CK framework, this vulnerability aligns with T1498, representing network denial of service attacks, and T1595, indicating network infiltration through adjacent systems. Organizations should also consider implementing network-wide monitoring solutions that can detect the specific packet duplication patterns associated with this vulnerability, enabling proactive threat detection and response. The patching process should be carefully coordinated across the network infrastructure to avoid service disruption during the remediation phase.

Reservation

10/27/2020

Disclosure

01/16/2021

Moderation

accepted

CPE

ready

EPSS

0.00639

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!