CVE-2023-44192 in Junos OSinfo

Summary

by MITRE • 10/25/2023

An Improper Input Validation vulnerability in the Packet Forwarding Engine of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause memory leak, leading to Denial of Service (DoS).

On all Junos OS QFX5000 Series platforms, when pseudo-VTEP (Virtual Tunnel End Point) is configured under EVPN-VXLAN scenario, and specific DHCP packets are transmitted, DMA memory leak is observed. Continuous receipt of these specific DHCP packets will cause memory leak to reach 99% and then cause the protocols to stop working and traffic is impacted, leading to Denial of Service (DoS) condition. A manual reboot of the system recovers from the memory leak.

To confirm the memory leak, monitor for "sheaf:possible leak" and "vtep not found" messages in the logs.

This issue affects:

Juniper Networks Junos OS QFX5000 Series:



* All versions prior to 20.4R3-S6; * 21.1 versions prior to 21.1R3-S5; * 21.2 versions prior to 21.2R3-S5; * 21.3 versions prior to 21.3R3-S4; * 21.4 versions prior to 21.4R3-S3; * 22.1 versions prior to 22.1R3-S2; * 22.2 versions prior to 22.2R2-S2, 22.2R3; * 22.3 versions prior to 22.3R2-S1, 22.3R3; * 22.4 versions prior to 22.4R1-S2, 22.4R2.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 10/25/2023

The vulnerability described in CVE-2023-44192 represents a critical improper input validation flaw within the Packet Forwarding Engine of Juniper Networks Junos OS operating on QFX5000 Series platforms. This weakness specifically manifests when pseudo-VTEP (Virtual Tunnel End Point) configurations are active within EVPN-VXLAN environments and certain DHCP packets are processed. The flaw falls under the category of CWE-20 Improper Input Validation, which is a fundamental security weakness that occurs when applications fail to properly validate or sanitize input data before processing it. The vulnerability enables unauthenticated network-based attackers to exploit a memory management issue that results in gradual memory consumption until system resources are exhausted.

The technical implementation of this vulnerability involves a DMA (Direct Memory Access) memory leak that occurs during the processing of specific DHCP packets within the EVPN-VXLAN context. When these packets are continuously transmitted to affected systems, the memory leak progressively consumes available system memory, reaching critical levels of 99% before causing system protocols to cease functioning. This memory exhaustion directly impacts the Packet Forwarding Engine's ability to maintain normal operations, resulting in service disruption and Denial of Service conditions. The system's logging mechanism provides clear indicators of this issue through "sheaf:possible leak" and "vtep not found" messages that appear in system logs, making detection straightforward for security monitoring teams.

From an operational impact perspective, this vulnerability poses significant risk to network infrastructure reliability and availability. The Denial of Service condition affects the core forwarding capabilities of the QFX5000 Series switches, potentially disrupting large-scale data center operations that rely on EVPN-VXLAN for network virtualization. The attack vector requires no authentication credentials, making it particularly dangerous as any network-connected attacker can exploit this vulnerability without prior access. The memory leak process is gradual but persistent, meaning that even small volumes of malicious packets can accumulate over time to cause system-wide disruption. Recovery from this condition requires manual system reboot, which introduces unplanned downtime and operational disruption to network services.

The vulnerability affects multiple software versions across different release branches of Juniper Junos OS, indicating a widespread exposure that spans several major releases. Specifically, all versions prior to the listed patch releases are affected, including 20.4R3-S6, 21.1R3-S5, 21.2R3-S5, 21.3R3-S4, 21.4R3-S3, 22.1R3-S2, 22.2R2-S2, 22.2R3, 22.3R2-S1, 22.3R3, and 22.4R1-S2, 22.4R2. This extensive affected range demonstrates the persistence of the underlying memory management flaw across multiple development cycles. The vulnerability aligns with ATT&CK technique T1499.004 Network Denial of Service, where adversaries leverage system weaknesses to consume resources and render services unavailable. Organizations running these affected versions should prioritize immediate patching to remediate this vulnerability, as the memory leak can occur gradually without requiring immediate network disruption, potentially allowing attackers to maintain persistent resource exhaustion over time. The issue specifically impacts QFX5000 Series platforms, which are commonly deployed in high-performance data center environments where network availability is critical for business operations.

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!