CVE-2023-44197 in Junos OSinfo

Summary

by MITRE • 10/25/2023

An Out-of-Bounds Write vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).

On all Junos OS and Junos OS Evolved devices an rpd crash and restart can occur while processing BGP route updates received over an established BGP session. This specific issue is observed for BGP routes learned via a peer which is configured with a BGP import policy that has hundreds of terms matching IPv4 and/or IPv6 prefixes.

This issue affects Juniper Networks Junos OS:



* All versions prior to 20.4R3-S8; * 21.1 version 21.1R1 and later versions; * 21.2 versions prior to 21.2R3-S2; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R2-S1, 21.4R3-S5.




This issue affects Juniper Networks Junos OS Evolved:



* All versions prior to 20.4R3-S8-EVO; * 21.1-EVO version 21.1R1-EVO and later versions; * 21.2-EVO versions prior to 21.2R3-S2-EVO; * 21.3-EVO version 21.3R1-EVO and later versions; * 21.4-EVO versions prior to 21.4R2-S1-EVO, 21.4R3-S5-EVO.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 10/25/2023

The vulnerability identified as CVE-2023-44197 represents a critical out-of-bounds write flaw within the Routing Protocol Daemon (rpd) component of Juniper Networks Junos OS and Junos OS Evolved platforms. This issue manifests as a denial of service condition that can be triggered by unauthenticated network-based attackers who exploit the daemon's processing of BGP route updates. The flaw specifically occurs when the rpd component handles BGP routes learned from peers configured with import policies containing hundreds of terms that match IPv4 and/or IPv6 prefixes. The vulnerability operates at the boundary between legitimate network protocol handling and memory corruption, creating a scenario where normal routing operations can lead to system instability.

The technical exploitation of this vulnerability relies on the rpd daemon's insufficient bounds checking when processing complex BGP import policies. When a BGP peer presents route updates containing numerous policy terms, the daemon's memory allocation and data handling mechanisms fail to properly validate the boundaries of array operations, leading to unauthorized memory writes beyond allocated buffers. This type of flaw falls under the CWE-787 category of out-of-bounds write vulnerabilities, which are particularly dangerous as they can result in system crashes, restarts, and potentially more severe consequences depending on the execution context. The vulnerability is particularly concerning because it requires no authentication to exploit, making it accessible to any network entity capable of establishing a BGP session with the affected device.

The operational impact of this vulnerability extends beyond simple service disruption to potentially compromising network stability and availability. When the rpd daemon crashes and restarts, it causes temporary loss of routing functionality for the affected device, which can lead to routing black holes, path instability, and broader network disruption. This is especially problematic in production environments where routing stability is critical for maintaining network connectivity and service availability. The vulnerability affects multiple version branches of both Junos OS and Junos OS Evolved, indicating a widespread exposure across the Juniper product line. Network administrators must consider that this vulnerability can be exploited as part of broader attack campaigns targeting network infrastructure, potentially leading to cascading failures in interconnected routing domains.

Mitigation strategies for CVE-2023-44197 primarily involve implementing software updates and applying the vendor-provided security patches. Juniper has released fixed versions for all affected software releases, and organizations should prioritize upgrading to the patched versions as outlined in the vulnerability timeline. Network segmentation and access control measures can provide temporary protection by limiting BGP peer relationships to trusted entities and implementing rate limiting on BGP updates. The ATT&CK framework categorizes this vulnerability under the T1499.004 technique for network denial of service, highlighting the importance of monitoring for unusual BGP session behavior and implementing anomaly detection systems. Additionally, organizations should consider implementing BGP import policy optimization to reduce the number of terms in complex policies, thereby minimizing the attack surface for this specific vulnerability while maintaining network functionality.

Reservation

09/26/2023

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00515

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!