CVE-2021-0263 in Junos OS
Summary
by MITRE • 04/23/2021
A Data Processing vulnerability in the Multi-Service process (multi-svcs) on the FPC of Juniper Networks Junos OS on the PTX Series routers may lead to the process becoming unresponsive, ultimately affecting traffic forwarding, allowing an attacker to cause a Denial of Service (DoS) condition . The Multi-Service Process running on the FPC is responsible for handling sampling-related operations when a J-Flow configuration is activated. This can occur during periods of heavy route churn, causing the Multi-Service Process to stop processing updates, without consuming any further updates from kernel. This back pressure towards the kernel affects further dynamic updates from other processes in the system, including RPD, causing a KRT-STUCK condition and traffic forwarding issues. An administrator can monitor the following command to check if there is the KRT queue is stuck: user@device > show krt state ... Number of async queue entries: 65007 show chassis alarms 2 alarms currently active Alarm time Class Description 2020-10-11 04:33:45 PDT Minor Potential slow peers are: MSP(FPC1-PIC0) MSP(FPC3-PIC0) MSP(FPC4-PIC0) Logs: Oct 11 04:33:44.672 2020 test /kernel: rts_peer_cp_recv_timeout : Bit set for msp8 as it is stuck Oct 11 04:35:56.000 2020 test-lab fpc4 user.err gldfpc-multi-svcs.elf: Error in parsing composite nexthop Oct 11 04:35:56.000 2020 test-lab fpc4 user.err gldfpc-multi-svcs.elf: composite nexthop parsing error Oct 11 04:43:05 2020 test /kernel: rt_pfe_veto: Possible slowest client is msp38. States processed - 65865741. States to be processed - 0 Oct 11 04:55:55 2020 test /kernel: rt_pfe_veto: Memory usage of M_RTNEXTHOP type = (0) Max size possible for M_RTNEXTHOP type = (8311787520) Current delayed unref = (60000), Current unique delayed unref = (10896), Max delayed unref on this platform = (40000) Current delayed weight unref = (71426) Max delayed weight unref on this platform= (400000) curproc = rpd Oct 11 04:56:00 2020 test /kernel: rt_pfe_veto: Too many delayed route/nexthop unrefs. Op 2 err 55, rtsm_id 5:-1, msg type 2 This issue only affects PTX Series devices. No other products or platforms are affected by this vulnerability. This issue affects Juniper Networks Junos OS on PTX Series: 18.2 versions prior to 18.2R3-S7; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R2-S8, 18.4R3-S7; 19.1 versions prior to 19.1R3-S4; 19.2 versions prior to 19.2R3-S1; 19.3 versions prior to 19.3R3-S1; 19.4 versions prior to 19.4R2-S4, 19.4R3-S1; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R2; 20.3 versions prior to 20.3R1-S2, 20.3R2. This issue does not affect Juniper Networks Junos OS versions prior to 18.2R1.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/27/2021
The vulnerability described in CVE-2021-0263 represents a critical data processing flaw within the Multi-Service process (multi-svcs) operating on the Flexible PIC Concentrator (FPC) of Juniper Networks PTX Series routers. This issue stems from improper handling of sampling-related operations when J-Flow configurations are active, creating a cascading failure condition that ultimately results in denial of service. The vulnerability specifically targets the multi-svcs process responsible for processing routing updates and sampling data, which when compromised, creates a back pressure mechanism that affects the entire routing subsystem.
The technical root cause manifests during periods of heavy route churn when the Multi-Service Process becomes unresponsive to kernel updates without consuming further data from the kernel. This creates a condition where the process stops processing updates entirely, leading to a back pressure effect that propagates throughout the system. The vulnerability operates through a specific failure pattern where the process encounters errors during composite nexthop parsing, as evidenced by log entries showing "Error in parsing composite nexthop" and "composite nexthop parsing error." This parsing failure causes the process to become stuck, leading to a KRT-STUCK condition that affects the Routing Process Daemon (RPD) and other system components. The issue follows a well-defined pattern of increasing queue entries in the KRT system, with the number of async queue entries reaching 65007, indicating significant back pressure.
The operational impact of this vulnerability extends far beyond simple process unresponsiveness, creating a comprehensive denial of service condition that affects traffic forwarding capabilities. When the Multi-Service Process becomes unresponsive, it creates a cascading failure that impacts the entire routing infrastructure of the PTX Series device. The KRT-STUCK condition, as monitored through the "show krt state" command, demonstrates the severity of the issue where routing updates cannot be properly processed and forwarded. The system exhibits symptoms including slow peer notifications, memory usage warnings related to M_RTNEXTHOP types, and excessive delayed route/nexthop unreferences that exceed platform limits. This behavior aligns with ATT&CK technique T1499.004 for network denial of service and CWE-400 for unchecked resource consumption, where the system's inability to handle routing updates properly creates a resource exhaustion scenario. The vulnerability is particularly dangerous because it affects the fundamental routing capabilities of the device, potentially disrupting network connectivity for all traffic passing through the affected PTX Series routers.
Mitigation strategies for CVE-2021-0263 primarily focus on applying the appropriate software patches released by Juniper Networks. Administrators should upgrade their PTX Series devices to the patched versions specified in the advisory, which includes various releases from 18.2R3-S7 through 20.3R2. The vulnerability affects specific Junos OS versions, with no impact on versions prior to 18.2R1, making version verification crucial for proper remediation. Network administrators should also implement monitoring procedures to detect early signs of the vulnerability through the "show krt state" command and checking for KRT queue stuck conditions. Additionally, implementing temporary workarounds such as disabling J-Flow configurations when route churn is expected to be high can provide temporary relief while patches are deployed. The vulnerability's impact on routing processes makes it particularly important to maintain comprehensive network monitoring and alerting systems to detect the KRT-STUCK conditions before they escalate into complete service outages. Organizations should also consider implementing network segmentation strategies to limit the impact of such failures to specific network segments rather than allowing complete routing disruption across the entire network infrastructure.