CVE-2021-31367 in Junos OS
Summary
by MITRE • 10/19/2021
A Missing Release of Memory after Effective Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on PTX Series allows an adjacent attacker to cause a Denial of Service (DoS) by sending genuine BGP flowspec packets which cause an FPC heap memory leak. Once it has run out of memory, the FPC will crash and restart along with a core dump. Continued receipt of these packets will create a sustained Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS All versions prior to 18.4R3-S9; 19.1 versions prior to 19.1R3-S7; 19.2 versions prior to 19.2R1-S7, 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S3; 19.4 versions prior to 19.4R1-S4, 19.4R3-S6; 20.1 versions prior to 20.1R2-S2, 20.1R3; 20.2 versions prior to 20.2R3-S1; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2. Juniper Networks Junos Evolved is not affected.
Analysis
by VulDB Data Team • 10/27/2021
CVE-2021-31367 is a critical memory management flaw in the Packet Forwarding Engine of Juniper Networks Junos OS on PTX Series devices. It is a missing release of memory after effective lifetime, located in the FPC (Flexible PIC Concentrator) component that performs packet forwarding. When the system processes legitimate BGP flowspec packets, heap memory allocated for them is never freed, so the leak grows with every packet received and progressively consumes the resources available to the FPC. The end state is system instability and complete service disruption through forced crashes and restarts.
The root cause is inadequate memory management in the PFE's handling of BGP flowspec traffic: heap memory allocated while processing these genuine BGP packets is not released once its effective lifetime has ended. The leaked memory accumulates for as long as such packets keep arriving and eventually exhausts the available heap. The vulnerability is particularly dangerous because only adjacent network access is needed to trigger it, which puts it within reach of an attacker on the same broadcast domain or network segment. It also affects a broad range of Junos OS release branches (every version before 18.4R3-S9 and the 19.1 through 21.1 branches up to their fixed releases), which shows how widespread this memory management deficiency is.
The operational impact of CVE-2021-31367 goes beyond a single service disruption and creates a sustained denial of service that can severely affect network infrastructure reliability. Once memory is exhausted, the affected FPC crashes and restarts automatically, and each crash writes a core dump that consumes further system resources. As long as the triggering traffic keeps flowing, the FPC remains in a crash-and-restart loop with continuous service interruption. Network administrators then have to keep services available while the component restarts repeatedly, with potential knock-on effects on routing stability and overall network performance across the affected PTX Series devices. In effect, a legitimate network function is turned into a means of systematically depleting system resources.
Mitigation requires upgrading affected Junos OS installations promptly; the most effective remedy is applying the latest security releases from Juniper Networks. Organizations should prioritize moving their PTX Series devices to a release that is confirmed free of this memory leak, paying particular attention to the release branches and fixed versions listed in the vulnerability description. Until patches are fully deployed, network segmentation and access control can provide temporary protection by limiting which adjacent systems can reach devices running vulnerable software, and traffic monitoring and anomaly detection can help identify the characteristic BGP flowspec packet patterns associated with this exploit and the resulting FPC core dumps and restarts, enabling proactive response. Security teams should also consider rate limiting or packet filtering rules specifically targeting BGP flowspec traffic until patching is complete, in line with established cybersecurity frameworks such as those referenced in CWE-401 for memory leak vulnerabilities and ATT&CK techniques related to privilege escalation through resource exhaustion attacks.
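The first step of the mitigation above is working out which devices in an inventory still run a vulnerable release, which means comparing each device's Junos OS version string against the fixed-release list from the summary. The following is an added example written for this page, not code from VulDB, MITRE or Juniper: it parses Junos version strings of the form MAJOR.MINOR R<n>[-S<n>][-EVO], encodes the fixed releases from the summary, and classifies a constructed inventory. Two rules are interpretations assumed here rather than statements from the advisory: an R number higher than every listed fix in its branch is treated as fixed (later mainline releases are assumed to carry the fix), and branches newer than 21.1 are assumed to ship fixed. An R train with no listed fix in an affected branch (for example 19.2R2) is treated as vulnerable.

```python
import re
from typing import List, NamedTuple, Tuple


class JunosVersion(NamedTuple):
    """A parsed Junos OS release string such as 19.2R1-S7."""
    branch: Tuple[int, int]   # (major, minor), e.g. (19, 2)
    release: int              # the R number
    service: int              # the S number, 0 when there is no -S suffix
    evolved: bool             # True for Junos OS Evolved builds (suffix -EVO)


# Fixed releases copied from the MITRE summary on this page. Every branch from
# 18.4 up to 21.1 is listed; the summary says all versions before 18.4R3-S9 are
# affected and that Junos OS Evolved is not affected.
FIXED_RELEASES: List[str] = [
    "18.4R3-S9",
    "19.1R3-S7",
    "19.2R1-S7", "19.2R3-S3",
    "19.3R2-S6", "19.3R3-S3",
    "19.4R1-S4", "19.4R3-S6",
    "20.1R2-S2", "20.1R3",
    "20.2R3-S1",
    "20.3R3",
    "20.4R3",
    "21.1R2",
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(-EVO)?$", re.IGNORECASE)


def parse_version(text: str) -> JunosVersion:
    """Parse MAJOR.MINOR R<n>[-S<n>][-EVO]; raise ValueError on anything else."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Junos version string: {text!r}")
    major, minor, release, service, evo = match.groups()
    return JunosVersion(
        branch=(int(major), int(minor)),
        release=int(release),
        service=int(service) if service else 0,
        evolved=evo is not None,
    )


_FIXES = [parse_version(v) for v in FIXED_RELEASES]
_OLDEST_FIXED_BRANCH = min(f.branch for f in _FIXES)   # (18, 4)
_NEWEST_FIXED_BRANCH = max(f.branch for f in _FIXES)   # (21, 1)


def is_affected(version: str) -> bool:
    """Return True if the given Junos OS release is vulnerable to CVE-2021-31367.

    Rules applied (the "assumed" ones are interpretations made in this example,
    not statements from the advisory):
      1. Junos OS Evolved builds are not affected (stated in the summary).
      2. Branches older than 18.4 are affected ("All versions prior to
         18.4R3-S9"); branches newer than 21.1 are assumed to ship fixed.
      3. Within a listed branch, a release is fixed when a listed fix has the
         same R number and an equal or lower S number, or when its R number is
         higher than every listed fix (assumed to carry the fix). An R train
         with no listed fix (e.g. 19.2R2) is treated as vulnerable.
    """
    v = parse_version(version)
    if v.evolved:
        return False
    if v.branch < _OLDEST_FIXED_BRANCH:
        return True
    if v.branch > _NEWEST_FIXED_BRANCH:
        return False
    branch_fixes = [f for f in _FIXES if f.branch == v.branch]
    if not branch_fixes:
        return True  # in-range branch with no listed fix: treat as vulnerable
    for fix in branch_fixes:
        if v.release == fix.release and v.service >= fix.service:
            return False
    return v.release <= max(fix.release for fix in branch_fixes)


def triage(versions: List[str]) -> List[Tuple[str, str]]:
    """Classify an inventory of version strings as affected, fixed or unparseable."""
    result = []
    for text in versions:
        try:
            status = "affected" if is_affected(text) else "fixed"
        except ValueError:
            status = "unparseable"
        result.append((text, status))
    return result


if __name__ == "__main__":
    # Constructed inventory for demonstration, not data from real devices.
    inventory = ["17.4R2", "19.2R2-S5", "19.2R3-S3", "20.1R3",
                 "21.1R1", "21.2R1", "20.4R2-S2-EVO", "unknown"]
    for name, status in triage(inventory):
        print(f"{name:>16}  {status}")
```

Feed `triage()` the output of your own inventory source (the version column of a device database or a `show version` export) and treat every "unparseable" entry as a device that needs manual review rather than one that is safe.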