CVE-2022-22167 in Junos OS
Summary
by MITRE • 01/19/2022
A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources, when 'no-syn-check' is enabled on the device. While JDPI correctly classifies out-of-state asymmetric TCP flows as the dynamic-application UNKNOWN, this classification is not provided to the policy module properly and hence traffic continues to use the pre-id-default-policy, which is more permissive, causing the firewall to allow traffic to be forwarded that should have been denied. This issue only occurs when 'set security flow tcp-session no-syn-check' is configured on the device. This issue affects Juniper Networks Junos OS on SRX Series: 18.4 versions prior to 18.4R2-S10, 18.4R3-S10; 19.1 versions prior to 19.1R3-S8; 19.2 versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S3; 19.4 versions prior to 19.4R3-S5; 20.1 versions prior to 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R2-S2, 20.4R3; 21.1 versions prior to 21.1R2-S2, 21.1R3; 21.2 versions prior to 21.2R2. This issue does not affect Juniper Networks Junos OS versions prior to 18.4R1.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 01/20/2022
This vulnerability represents a critical traffic classification flaw in Juniper Networks Junos OS running on SRX Series Services Gateways that undermines the integrity of Deep Packet Inspection mechanisms. The issue stems from a misconfiguration in how the system handles asymmetric TCP flows when the 'no-syn-check' feature is enabled, creating a pathway for attackers to bypass security policies that should otherwise block unauthorized network access. The vulnerability specifically affects devices where the command 'set security flow tcp-session no-syn-check' is implemented, which disables the traditional TCP SYN checking mechanism that normally validates connection states. When this configuration is active, the Deep Packet Inspection system correctly identifies out-of-state asymmetric TCP flows as dynamic-application UNKNOWN, but fails to properly communicate this classification to the policy enforcement module.
The technical flaw manifests in the communication breakdown between the JDPI classification engine and the policy decision module within the Junos OS architecture. While the system accurately detects that certain TCP flows are asymmetric and outside normal connection patterns, the classification information does not propagate correctly to the policy engine. This results in the firewall continuing to apply the pre-id-default-policy rather than the more restrictive security rules that should govern such traffic. The policy module defaults to a permissive state because it never receives the proper classification signal that would trigger the appropriate security controls. This represents a fundamental failure in the information flow architecture where classification data intended to inform policy decisions is not properly transmitted through the system's security layers.
The operational impact of this vulnerability is severe as it allows attackers to exploit asymmetric TCP flow patterns to bypass firewall rules that should prevent unauthorized access to network resources. When 'no-syn-check' is enabled, attackers can craft traffic that appears legitimate to the Deep Packet Inspection system but is not properly classified for policy enforcement, enabling unauthorized network access. This creates a persistent backdoor that remains active as long as the vulnerable configuration exists, potentially allowing attackers to traverse network boundaries, access sensitive data, or establish further footholds within the network infrastructure. The vulnerability affects multiple Junos OS versions across several release branches, making it widespread and particularly concerning for organizations with legacy systems.
Organizations should immediately implement mitigations by either disabling the 'no-syn-check' configuration on affected devices or upgrading to the patched versions specified in the CVE advisory. The recommended remediation approach involves either removing the vulnerable configuration or applying the appropriate software patches that address the classification communication failure between JDPI and the policy engine. Security teams should conduct comprehensive audits of their SRX Series deployments to identify all devices with the 'no-syn-check' setting enabled and prioritize remediation efforts accordingly. This vulnerability aligns with CWE-295 (Improper Certificate Validation) and ATT&CK technique T1071.004 (Application Layer Protocol: DNS) in its exploitation patterns, as attackers can leverage asymmetric TCP flows to bypass network controls that should prevent unauthorized access to resources. The issue also demonstrates characteristics consistent with ATT&CK technique T1566 (Phishing) where attackers might use this vulnerability to establish persistent access after initial compromise, as the misconfiguration creates a long-term security weakness that can be exploited repeatedly.