CVE-2021-31364 in Junos OS

Summary

by MITRE • 10/19/2021

An Improper Check for Unusual or Exceptional Conditions vulnerability combined with a Race Condition in the flow daemon (flowd) of Juniper Networks Junos OS on SRX300 Series, SRX500 Series, SRX1500, and SRX5000 Series with SPC2 allows an unauthenticated network based attacker sending specific traffic to cause a crash of the flowd/srxpfe process, responsible for traffic forwarding in SRX, which will cause a Denial of Service (DoS). Continued receipt and processing of this specific traffic will create a sustained Denial of Service (DoS) condition. This issue can only occur when specific packets are trying to create the same session and logging for session-close is configured as a policy action. Affected platforms are: SRX300 Series, SRX500 Series, SRX1500, and SRX5000 Series with SPC2. Not affected platforms are: SRX4000 Series, SRX5000 Series with SPC3, and vSRX Series. This issue affects Juniper Networks Junos OS SRX300 Series, SRX500 Series, SRX1500, and SRX5000 Series with SPC2: All versions prior to 17.4R3-S5; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R3-S9; 19.1 versions prior to 19.1R3-S6; 19.2 versions prior to 19.2R1-S7, 19.2R3-S2; 19.3 versions prior to 19.3R2-S6, 19.3R3-S2; 19.4 versions prior to 19.4R1-S4, 19.4R3-S3; 20.1 versions prior to 20.1R2-S2, 20.1R3; 20.2 versions prior to 20.2R3; 20.3 versions prior to 20.3R2-S1, 20.3R3; 20.4 versions prior to 20.4R2.


Analysis

by VulDB Data Team • 10/27/2021

The vulnerability identified as CVE-2021-31364 represents a critical security flaw in Juniper Networks Junos OS affecting specific SRX Series devices. It combines an improper check for unusual or exceptional conditions with a race condition in the flow daemon (flowd), giving an unauthenticated network-based attacker a way to crash the device. The affected platforms are the SRX300 Series, SRX500 Series, SRX1500, and SRX5000 Series with SPC2 cards; the SRX4000 Series, SRX5000 Series with SPC3, and vSRX are not affected. The flaw manifests when specific packets attempt to create the same session while logging for session-close is configured as a policy action. Under that combination the flowd/srxpfe process, which is responsible for traffic forwarding on SRX, becomes unstable and crashes, producing an immediate denial of service.

Technically, the vulnerability stems from inadequate validation of exceptional conditions in the session-handling logic of the flow daemon. Under the CWE classification it is a variant of CWE-703 - Improper Check for Unusual Conditions: the system fails to handle an edge case, two packets racing to create the same session, that should be rejected or managed gracefully. The race condition compounds the problem by introducing a timing dependency in which concurrent access to shared session state is not properly synchronized. This aligns with ATT&CK technique T1499.004 - Endpoint Denial of Service, where adversaries exploit a software flaw to cause system instability and service disruption.

The operational impact goes beyond a single service interruption, because continued exploitation sustains the denial of service. As long as the triggering packets keep arriving, the device stays in a crash-and-restart cycle of flowd/srxpfe and cannot forward legitimate traffic. The affected versions span several release branches, from everything before 17.4R3-S5 through the 20.4 branch, showing that the flaw persisted across several major releases. Exploitation requires only network-based access without authentication, which makes it particularly dangerous: any attacker with network connectivity to the affected device can trigger it remotely.

Mitigation for CVE-2021-31364 requires prompt deployment of the official Juniper fixes on all affected devices. Organizations should prioritize upgrading to the patched release for the branch they run, from 17.4R3-S5 through 20.4R2 as listed in the advisory. Network administrators can also consider temporary traffic filtering for packet patterns that could trigger the vulnerability. Disabling session-close logging on the relevant policies may serve as a temporary workaround until the patch is applied, since the crash only occurs with that logging action configured. Monitoring should additionally be tuned to detect repeated flow daemon crashes or unusually high session creation rates, which could indicate exploitation attempts. This vulnerability highlights the importance of proper input validation and race condition handling in network infrastructure software, particularly in systems that process high volumes of concurrent connections and must remain available under varied traffic conditions.
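To make the version list in the summary above actionable for an inventory check, here is an added Python helper (not part of this page or of Juniper's tooling) that classifies a running Junos OS version string as affected, fixed or not listed according to the fixed releases quoted in the advisory. It assumes the common `major.minorRn[-Sk]` version form, treats branches the advisory does not name (for example 18.1) as "not listed" rather than guessing, and only answers the version question; the platform and session-close-logging conditions still have to be checked separately.

```python
import re

# Fixed releases per Junos branch, copied from the MITRE summary on this page
FIXED = {
    (17, 4): ["17.4R3-S5"],
    (18, 3): ["18.3R3-S5"],
    (18, 4): ["18.4R3-S9"],
    (19, 1): ["19.1R3-S6"],
    (19, 2): ["19.2R1-S7", "19.2R3-S2"],
    (19, 3): ["19.3R2-S6", "19.3R3-S2"],
    (19, 4): ["19.4R1-S4", "19.4R3-S3"],
    (20, 1): ["20.1R2-S2", "20.1R3"],
    (20, 2): ["20.2R3"],
    (20, 3): ["20.3R2-S1", "20.3R3"],
    (20, 4): ["20.4R2"],
}
OLDEST_BRANCH = (17, 4)  # "All versions prior to 17.4R3-S5"

# Assumed version form: <major>.<minor>R<release>[-S<service>][.build]
# X/D-style releases (e.g. 15.1X49-D...) are deliberately not handled.
_VER = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?", re.I)


def parse(version):
    """Split '19.2R3-S1' into ((19, 2), 3, 1); a missing -S counts as 0."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    major, minor, r, s = m.groups()
    return (int(major), int(minor)), int(r), int(s or 0)


def status(version):
    """Return 'affected', 'fixed' or 'not listed' for a running Junos OS version."""
    branch, r, s = parse(version)
    if branch < OLDEST_BRANCH:
        return "affected"          # covered by "all versions prior to 17.4R3-S5"
    fixes = FIXED.get(branch)
    if fixes is None:
        return "not listed"        # branch not named in the advisory
    fixed_rs = [parse(f)[1:] for f in fixes]
    # Same release train (R number) as a listed fix: need that service release or later
    for fr, fs in fixed_rs:
        if r == fr and s >= fs:
            return "fixed"
    # A newer release train than the newest listed fix carries the fix forward
    if r > max(fr for fr, _ in fixed_rs):
        return "fixed"
    return "affected"              # e.g. 19.2R2 sits between 19.2R1-S7 and 19.2R3-S2
```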
