CVE-2023-22392 in Junos OSinfo

Summary

by MITRE • 10/25/2023

A Missing Release of Memory after Effective Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS).

PTX3000, PTX5000, QFX10000, PTX1000, PTX10002, and PTX10004, PTX10008 and PTX10016 with LC110x FPCs do not support certain flow-routes. Once a flow-route is received over an established BGP session and an attempt is made to install the resulting filter into the PFE, FPC heap memory is leaked. The FPC heap memory can be monitored using the CLI command "show chassis fpc".

The following syslog messages can be observed if the respective filter derived from a flow-route cannot be installed.

expr_dfw_sfm_range_add:661 SFM packet-length Unable to get a sfm entry for updating the hw expr_dfw_hw_sfm_add:750 Unable to add the filter secondarymatch to the hardware expr_dfw_base_hw_add:52 Failed to add h/w sfm data. expr_dfw_base_hw_create:114 Failed to add h/w data. expr_dfw_base_pfe_inst_create:241 Failed to create base inst for sfilter 0 on PFE 0 for __flowspec_default_inet__ expr_dfw_flt_inst_change:1368 Failed to create __flowspec_default_inet__ on PFE 0 expr_dfw_hw_pgm_fnum:465 dfw_pfe_inst_old not found for pfe_index 0! expr_dfw_bp_pgm_flt_num:548 Failed to pgm bind-point in hw: generic failure expr_dfw_bp_topo_handler:1102 Failed to program fnum. expr_dfw_entry_process_change:679 Failed to change instance for filter __flowspec_default_inet__. This issue affects Juniper Networks Junos OS:

on PTX1000, PTX10002, and PTX10004, PTX10008 and PTX10016 with LC110x FPCs:



* All versions prior to 20.4R3-S5; * 21.1 versions prior to 21.1R3-S4; * 21.2 versions prior to 21.2R3-S2; * 21.3 versions prior to 21.3R3; * 21.4 versions prior to 21.4R2-S2, 21.4R3; * 22.1 versions prior to 22.1R1-S2, 22.1R2.




on PTX3000, PTX5000, QFX10000:



* All versions prior to 20.4R3-S8; * 21.1 version 21.1R1 and later versions; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S4; * 22.1 versions prior to 22.1R3-S3 * 22.2 versions prior to 22.2R3-S1 * 22.3 versions prior to 22.3R2-S2, 22.3R3 * 22.4 versions prior to 22.4R2.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 10/25/2023

The vulnerability identified as CVE-2023-22392 represents a critical memory management flaw within the Packet Forwarding Engine of Juniper Networks Junos OS operating systems. This issue manifests as a missing release of memory after effective lifetime, which falls under the CWE-401 category of "Improper Release of Memory before Removal from Heap." The vulnerability specifically impacts certain chassis models including PTX3000, PTX5000, QFX10000, and various PTX series devices equipped with LC110x FPCs.

The technical exploitation of this vulnerability occurs through BGP flow-routes that are processed by the Packet Forwarding Engine. When an adjacent, unauthenticated attacker sends flow-route information over an established BGP session, the system attempts to install the resulting filter into the PFE hardware. During this process, heap memory is allocated but not properly released, leading to a gradual memory leak within the FPC heap. This memory consumption pattern is particularly concerning because it can occur repeatedly with each flow-route processing attempt, potentially leading to system instability and service disruption.

The operational impact of this vulnerability extends beyond simple memory consumption as it directly enables a denial of service condition. The memory leak accumulates over time, eventually depleting available heap resources and causing the affected FPC components to become unresponsive. Network administrators can monitor this degradation using the CLI command "show chassis fpc" which provides visibility into the heap memory status of the FPC modules. The syslog messages generated during the failed filter installation process provide clear diagnostic information including specific error codes like "expr_dfw_sfm_range_add" and "expr_dfw_base_hw_add" that indicate hardware filter programming failures.

From an adversarial perspective, this vulnerability aligns with ATT&CK technique T1499.004 for "Endpoint Denial of Service" and represents a significant threat vector for network disruption attacks. The fact that no authentication is required for exploitation makes this particularly dangerous in network environments where adjacent attackers may have access to BGP sessions. The vulnerability affects multiple Junos OS versions across different release branches, with specific patch levels identified for remediation across PTX and QFX product lines. Organizations must implement immediate mitigation strategies including applying the appropriate software patches, monitoring for memory consumption anomalies, and potentially implementing BGP route filtering to prevent the acceptance of problematic flow-routes until full remediation is achieved.

The root cause of this vulnerability stems from inadequate memory management practices within the flow-route processing pipeline of the PFE. When the system attempts to install filters derived from BGP flow-routes, the memory allocation for hardware filter programming does not properly account for all potential failure scenarios. This results in memory blocks that remain allocated even when the processing attempt fails, creating a persistent leak that can accumulate over time and eventually exhaust available resources. The vulnerability is particularly insidious because it does not immediately cause system failure but rather degrades performance gradually until service disruption occurs, making detection and response more challenging for network operators.

Reservation

12/27/2022

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00282

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!