CVE-2024-21602 in Junos OS Evolved

Summary

by MITRE • 01/12/2024

A NULL Pointer Dereference vulnerability in Juniper Networks Junos OS Evolved on ACX7024, ACX7100-32C and ACX7100-48L allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).

If a specific IPv4 UDP packet is received and sent to the Routing Engine (RE), packetio crashes and restarts, which causes a momentary traffic interruption. Continued receipt of such packets will lead to a sustained DoS.

This issue does not happen with IPv6 packets.

This issue affects Juniper Networks Junos OS Evolved on ACX7024, ACX7100-32C and ACX7100-48L:



* 21.4-EVO versions earlier than 21.4R3-S6-EVO;
* 22.1-EVO versions earlier than 22.1R3-S5-EVO;
* 22.2-EVO versions earlier than 22.2R2-S1-EVO, 22.2R3-EVO;
* 22.3-EVO versions earlier than 22.3R2-EVO.

This issue does not affect Juniper Networks Junos OS Evolved versions earlier than 21.4R1-EVO.
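As an added example (not part of the advisory and not Juniper's own tooling), the following Python encodes the affected-version list above so that an inventory of Junos OS Evolved devices can be checked for exposure. It assumes version strings in the form the advisory uses (for example 22.2R2-S1-EVO, with an optional -Sn service release); the inventory at the bottom is constructed sample data with illustrative hostnames.

```python
import re
from typing import Dict, List, Tuple

# Platforms named in the advisory.
AFFECTED_PLATFORMS = {"ACX7024", "ACX7100-32C", "ACX7100-48L"}

# First fixed release per affected train, as (release, service release).
# A version in one of these trains is affected when its (R, S) pair sorts
# below the entry here. For 22.2 the advisory lists 22.2R2-S1-EVO and
# 22.2R3-EVO; R2-S1 is the lower bound and R3 sorts above it anyway.
FIRST_FIXED: Dict[Tuple[int, int], Tuple[int, int]] = {
    (21, 4): (3, 6),  # 21.4R3-S6-EVO
    (22, 1): (3, 5),  # 22.1R3-S5-EVO
    (22, 2): (2, 1),  # 22.2R2-S1-EVO (and 22.2R3-EVO)
    (22, 3): (2, 0),  # 22.3R2-EVO
}

# Matches e.g. "22.2R2-S1-EVO" or "21.4R1-EVO"; the service release is optional.
_EVO_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?-EVO$")


def parse_evo_version(version: str) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((major, minor), (release, service)) for a Junos OS Evolved version."""
    m = _EVO_VERSION.match(version.strip())
    if m is None:
        # Junos OS (non-Evolved) strings lack the -EVO suffix and are out of scope.
        raise ValueError(f"not a Junos OS Evolved version string: {version!r}")
    major, minor, release, service = m.groups()
    return (int(major), int(minor)), (int(release), int(service or 0))


def is_affected(platform: str, version: str) -> bool:
    """True if this platform/version pair falls inside the advisory's affected set."""
    if platform.upper() not in AFFECTED_PLATFORMS:
        return False
    train, key = parse_evo_version(version)
    if train < (21, 4):
        return False  # advisory: releases earlier than 21.4R1-EVO are not affected
    first_fixed = FIRST_FIXED.get(train)
    if first_fixed is None:
        return False  # train not listed in the advisory (e.g. 22.4-EVO and later)
    return key < first_fixed


def find_exposed(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames from (hostname, platform, version) tuples that need patching."""
    return [host for host, platform, version in inventory if is_affected(platform, version)]


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("acx-edge-1", "ACX7024", "22.2R2-EVO"),          # earlier than 22.2R2-S1-EVO: affected
    ("acx-edge-2", "ACX7024", "22.2R2-S1-EVO"),       # first fixed release: not affected
    ("acx-agg-1", "ACX7100-32C", "21.4R3-S5-EVO"),    # earlier than 21.4R3-S6-EVO: affected
    ("acx-agg-2", "ACX7100-48L", "22.3R2-EVO"),       # first fixed release: not affected
    ("acx-core-1", "ACX7100-48L", "20.4R3-EVO"),      # earlier than 21.4R1-EVO: not affected
    ("ptx-core-1", "PTX10001-36MR", "22.2R1-EVO"),    # platform not listed: not affected
]

if __name__ == "__main__":
    for host in find_exposed(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2024-21602, upgrade required")
```

The comparison is done on the (release, service release) pair rather than on the raw string, so 21.4R3-S10-EVO correctly sorts above 21.4R3-S6-EVO; a string without the -EVO suffix is rejected outright because this CVE does not apply to Junos OS.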


Analysis

by VulDB Data Team • 01/12/2024

This vulnerability is a NULL pointer dereference (CWE-476) in Juniper Networks Junos OS Evolved on the ACX7024, ACX7100-32C and ACX7100-48L platforms. It is triggered when a specific IPv4 UDP packet is received and sent to the Routing Engine (RE), where the packetio process, the Junos OS Evolved component that handles packet input/output between the forwarding plane and the RE, dereferences a NULL pointer, crashes and is restarted. The trigger requires no authentication and is reachable over the network. Because the failing component is a process that restarts rather than the kernel itself, a single packet produces a momentary traffic interruption rather than a device reboot; it is the continued receipt of such packets that turns the interruption into a sustained denial of service.

The advisory describes the trigger only as "a specific IPv4 UDP packet" and does not publish which field or value leads to the NULL pointer, so the exact malformed input is not public. What is known is the effect: while processing the packet in the RE's packet input path, packetio dereferences a NULL pointer and the process is terminated and automatically restarted, and traffic that depends on the RE host path is interrupted until it is back. IPv6 packets do not trigger the crash, which indicates that the defect lies in the IPv4 UDP handling specifically rather than in a code path shared by both address families.

Operationally, one packet causes only a brief interruption, but an attacker who can reach the RE with such packets can send them continuously and keep packetio in a crash-and-restart loop, producing an outage that lasts as long as the attack does. Since no authentication, no session state and no prior access are required, the attack is cheap to automate, and the interruptions persist until the device is upgraded or the attack traffic is prevented from reaching the RE. Devices whose RE is reachable on UDP from untrusted networks are the most exposed, and in high-availability environments the repeated short outages can add up to significant service degradation.

The fix is to upgrade to the first fixed release for the affected train or later: 21.4R3-S6-EVO, 22.1R3-S5-EVO, 22.2R2-S1-EVO or 22.2R3-EVO, and 22.3R2-EVO. Until that is done, exposure can be reduced by limiting which sources can send UDP traffic to the RE at all: a loopback (lo0) firewall filter that accepts UDP only from trusted management and routing-protocol peers and discards or rate-limits the rest is standard Junos RE protection and applies here, although it is a general hardening measure rather than a vendor-stated workaround for this CVE, and network segmentation that keeps untrusted networks away from the RE addresses serves the same purpose. In ATT&CK terms the attack is Network Denial of Service (T1498), achieved with a single crafted packet per crash. Unexpected packetio restarts in the system log are a direct detection signal, since every successful trigger produces one, and incident response procedures should treat a pattern of such restarts as possible exploitation.
