CVE-2021-0293 in Junos OS
Summary
by MITRE • 07/16/2021
A vulnerability in Juniper Networks Junos OS caused by Missing Release of Memory after Effective Lifetime leads to a memory leak each time the CLI command 'show system connections extensive' is executed. The amount of memory leaked on each execution depends on the number of TCP connections from and to the system. Repeated execution will cause more memory to leak and eventually daemons that need to allocate additionally memory and ultimately the kernel to crash, which will result in traffic loss. Continued execution of this command will cause a sustained Denial of Service (DoS) condition. An administrator can use the following CLI command to monitor for increase in memory consumption of the netstat process, if it exists: user@junos> show system processes extensive | match "username|netstat" PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND 21181 root 100 0 5458M 4913M CPU3 2 0:59 97.27% netstat The following log message might be observed if this issue happens: kernel: %KERN-3: pid 21181 (netstat), uid 0, was killed: out of swap space This issue affects Juniper Networks Junos OS 18.2 versions prior to 18.2R2-S8, 18.2R3-S7. 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R1-S8, 18.4R2-S6, 18.4R3-S7; 19.1 versions prior to 19.1R1-S6, 19.1R2-S2, 19.1R3-S4; 19.2 versions prior to 19.2R1-S6, 19.2R3-S2; 19.3 versions prior to 19.3R2-S6, 19.3R3-S1; 19.4 versions prior to 19.4R1-S4, 19.4R2-S3, 19.4R3-S1; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R2-S1, 20.2R3; 20.3 versions prior to 20.3R1-S1, 20.3R2; This issue does not affect Juniper Networks Junos OS versions prior to 18.2R1.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/19/2021
This vulnerability represents a classic memory management flaw in Juniper Networks Junos OS that manifests through improper resource handling during command execution. The issue stems from a failure to properly release allocated memory after its effective lifetime has concluded, specifically when processing the CLI command 'show system connections extensive'. This memory leak occurs incrementally with each command invocation and scales based on the number of active TCP connections within the system. The vulnerability falls under the CWE-401 weakness category, which specifically addresses the failure to release memory resources after they are no longer needed. The problem is particularly insidious because it operates at the daemon level, where repeated execution causes progressive memory consumption that eventually impacts critical system processes.
The operational impact of this vulnerability extends beyond simple resource exhaustion to create a sustained denial of service condition that can severely disrupt network operations. When the netstat process consumes excessive memory, it can trigger kernel-level memory allocation failures that result in process termination and ultimately system instability. The observed behavior demonstrates how the memory leak accumulates over time, with the process consuming increasingly larger portions of system resources until the kernel is forced to terminate the process due to insufficient swap space. This creates a cascading effect where network connectivity becomes compromised as the system struggles to maintain operational memory resources. The vulnerability affects multiple Junos OS version lines, spanning from 18.2 through 20.3 releases, indicating this was a persistent issue across several major version branches.
The technical exploitation of this vulnerability requires only standard administrative access to execute the targeted CLI command, making it particularly dangerous as it can be triggered by both authorized administrators and malicious actors with legitimate access. The monitoring indicators provided by the vendor show clear signs of memory consumption patterns that can be detected through standard system administration tools, with the netstat process exhibiting CPU and memory usage patterns that spike dramatically over time. This vulnerability directly maps to ATT&CK technique T1499.004, which describes resource exhaustion attacks that target system memory and storage resources. The memory leak behavior also aligns with the broader category of software faults that can be exploited to create persistent service disruptions, particularly in network infrastructure devices where availability is critical.
Mitigation strategies for this vulnerability involve immediate patching of affected Junos OS versions to the recommended security releases that address the memory management flaw. Organizations should implement monitoring procedures to track memory consumption patterns of the netstat process and other system daemons that may exhibit similar behaviors. The recommended approach includes establishing baseline memory usage measurements and implementing alerting mechanisms when memory consumption exceeds normal operational thresholds. Network administrators should also consider temporarily restricting access to the specific CLI command that triggers the vulnerability until patches are deployed. Additionally, organizations should conduct comprehensive vulnerability assessments to identify other potential memory management issues within their Junos OS deployments, as this vulnerability demonstrates how seemingly minor memory handling flaws can compound into significant operational disruptions. The patching process should be prioritized based on the criticality of the affected network infrastructure components and the potential impact of service disruption.