CVE-2022-22185 in Junos OS
Summary
by MITRE • 04/14/2022
A vulnerability in Juniper Networks Junos OS on SRX Series allows a network-based unauthenticated attacker to cause a Denial of Service (DoS) by sending a specific fragmented packet to the device, resulting in a flowd process crash, which is responsible for packet forwarding. Continued receipt and processing of this specific packet will create a sustained DoS condition. This issue only affects SRX Series when the 'preserve-incoming-fragment-size' feature is enabled. This issue affects Juniper Networks Junos OS on SRX Series: 18.3 versions prior to 18.3R3-S6; 18.4 versions prior to 18.4R3-S10; 19.1 versions prior to 19.1R3-S7; 19.2 versions prior to 19.2R3-S4; 19.3 versions prior to 19.3R3-S4; 19.4 versions prior to 19.4R3-S6; 20.1 versions prior to 20.1R3-S2; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2-S1, 21.1R3; 21.2 versions prior to 21.2R2. This issue does not affect Juniper Networks Junos OS prior to 17.3R1.
Analysis
by VulDB Data Team • 04/20/2022
This vulnerability is a critical denial of service flaw in Juniper Networks SRX Series firewalls running the affected Junos OS versions. It is triggered when an unauthenticated, network-based attacker sends a specific fragmented packet to the device, crashing the flowd process that performs packet forwarding. The flaw is significant because the crash can be sustained simply by continuing to deliver the packet, leaving the device unable to forward traffic and disrupting network connectivity. This is a pre-authentication, remote denial-of-service vector (not code execution), which makes it particularly dangerous in environments where SRX devices form critical security infrastructure.
Exploitation depends on the 'preserve-incoming-fragment-size' feature, which must be explicitly enabled for the attack to succeed. With the feature active, the flowd process is exposed to malformed fragmented packets that cause memory corruption or improper handling of the fragments, ultimately terminating the process. The vulnerability affects the 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2, 20.3, 20.4, 21.1, and 21.2 release streams, each with a specific fixed build listed in the summary above. That breadth across release lines points to a long-standing flaw in how flowd processes fragmented packets when this configuration option, which preserves incoming fragment sizes, is enabled.
From an operational perspective, this vulnerability presents a severe threat to network availability and security posture. Network administrators face the challenge of maintaining device uptime while implementing patches, as the sustained denial of service condition can persist as long as the attacker continues sending malicious packets. The attack vector requires no authentication credentials, making it accessible to any network entity capable of reaching the affected device, which could include external attackers or compromised internal systems. This vulnerability directly impacts the availability component of the CIA triad and can have cascading effects throughout network infrastructure, particularly in environments where SRX Series devices serve as primary network gateways or security boundaries.
Mitigation is to apply the vendor-provided fixed releases for each affected Junos OS stream, checking the running version against the fixed builds listed in the summary above. Organizations that do not need 'preserve-incoming-fragment-size' should also consider disabling it, which removes the triggering condition and serves as an interim defensive measure. Network segmentation and access controls should be reviewed to limit which sources can reach the device, and monitoring should watch for unusual fragmented-packet patterns and repeated flowd crashes that could indicate exploitation attempts. This vulnerability aligns with CWE-122 (Heap-based Buffer Overflow) and CWE-125 (Out-of-bounds Read), and maps to ATT&CK technique T1499.004 (Endpoint Denial of Service: Application or System Exploitation). The sustained nature of the outage also relates to ATT&CK technique T1486 (Data Encrypted for Impact) only when considering potential escalation paths; the primary impact remains availability disruption rather than data compromise.
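The exposure check a defender would run against this advisory, as an added example (not VulDB's, Juniper's, or MITRE's code): it parses Junos version strings, applies the advisory's "prior to" list using Juniper's per-R-train convention (generalized beyond the simple lists here, so that a fix list like "A, B" on two trains is handled), and looks for the triggering knob in `display set` output. The knob's location at `[edit security flow]` and the sample config lines are assumptions.

```python
import re

# Fixed releases per version stream, transcribed from the advisory text above.
FIXED_IN = {
    "18.3": ["18.3R3-S6"], "18.4": ["18.4R3-S10"], "19.1": ["19.1R3-S7"],
    "19.2": ["19.2R3-S4"], "19.3": ["19.3R3-S4"], "19.4": ["19.4R3-S6"],
    "20.1": ["20.1R3-S2"], "20.2": ["20.2R3-S3"], "20.3": ["20.3R3-S1"],
    "20.4": ["20.4R3"], "21.1": ["21.1R2-S1", "21.1R3"], "21.2": ["21.2R2"],
}
FIRST_AFFECTED = "17.3R1"  # advisory: releases before this are not affected
_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?$")

def parse_version(text):
    """'18.4R3-S5' -> (18, 4, 3, 5); a build without -S gets S=0."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported Junos version string: {text!r}")
    major, minor, r, s = m.groups()
    return (int(major), int(minor), int(r), int(s or 0))

def is_affected(version):
    """True/False for streams the advisory lists, None for streams it omits."""
    v = parse_version(version)
    if v < parse_version(FIRST_AFFECTED):
        return False
    fixes = FIXED_IN.get(f"{v[0]}.{v[1]}")
    if fixes is None:
        return None  # e.g. 17.3-18.2 or later than 21.2: advisory is silent
    fixed = [parse_version(f) for f in fixes]
    # "prior to A, B" names one fixed build per R-train: a release is fixed
    # once its own train reaches that build, or if it is on a later train.
    same_train = [f for f in fixed if f[2] == v[2]]
    if same_train:
        return v < same_train[0]
    return v[2] < max(f[2] for f in fixed)

def fragment_size_preserved(config_set_lines):
    """Look for the trigger knob in 'show configuration | display set' output.
    Assumption: it sits at [edit security flow]; the page gives only its name."""
    knob = "set security flow preserve-incoming-fragment-size"
    return any(line.strip() == knob for line in config_set_lines)

def exposed(version, config_set_lines):
    """Exposure needs a vulnerable (or unlisted) build AND the knob enabled."""
    return is_affected(version) is not False and fragment_size_preserved(config_set_lines)

# Constructed sample config lines, not taken from a real device.
SAMPLE_CONFIG = ["set system host-name srx-edge-1",
                 "set security flow preserve-incoming-fragment-size"]
```

Unlisted streams are treated as exposed on purpose; confirm those against the vendor advisory rather than assuming they are safe.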