Vulnerabilities

An Incorrect Calculation of Buffer Size vulnerability in Juniper Networks Junos OS SRX 5000 Series devices using SPC2 line cards while ALGs are enabled allows an attacker sending specific crafted packets to cause a transit traffic Denial of Service (DoS).<br /> <br /> Continued receipt and processing of these specific packets will sustain the Denial of Service condition.<br /> <br /> This issue affects:<br /> Juniper Networks Junos OS SRX 5000 Series with SPC2 with ALGs enabled.<br /> * All versions earlier than 21.2R3-S7;<br /> * 21.4 versions earlier than 21.4R3-S6;<br /> * 22.1 versions earlier than 22.1R3-S5;<br /> * 22.2 versions earlier than 22.2R3-S3;<br /> * 22.3 versions earlier than 22.3R3-S2;<br /> * 22.4 versions earlier than 22.4R3;<br /> * 23.2 versions earlier than 23.2R2.

An Improper Check for Unusual or Exceptional Conditions vulnerability in telemetry processing of Juniper Networks Junos OS and Junos OS Evolved allows a network-based authenticated attacker to cause the forwarding information base telemetry daemon (fibtd) to crash, leading to a limited Denial of Service. <br /> <br /> This issue affects Juniper Networks<br /> <br /> Junos OS:<br /> * from 22.1 before 22.1R1-S2, 22.1R2.<br /> <br /> <br /> Junos OS Evolved: <br /> * from 22.1 before 22.1R1-S2-EVO, 22.1R2-EVO.

An Incorrect Behavior Order in the routing engine (RE) of Juniper Networks Junos OS on EX4300 Series allows traffic intended to the device to reach the RE instead of being discarded when the discard term is set in loopback (lo0) interface. The intended function is that the lo0 firewall filter takes precedence over the revenue interface firewall filter. <br /> <br /> This issue affects only IPv6 firewall filter.<br /> <br /> This issue only affects the EX4300 switch. No other products or platforms are affected by this vulnerability. <br /> <br /> This issue affects Juniper Networks Junos OS:<br /> <br /> * All versions before 20.4R3-S10,<br /> * from 21.2 before 21.2R3-S7,<br /> * from 21.4 before 21.4R3-S6.

A Cleartext Storage in a File on Disk vulnerability in Juniper Networks Junos OS Evolved ACX Series devices using the Paragon Active Assurance Test Agent software installed on network devices allows a local, authenticated attacker with high privileges to read all other users login credentials.<br /> <br /> This issue affects only Juniper Networks Junos OS Evolved ACX Series devices using the Paragon Active Assurance Test Agent software installed on these devices from 23.1R1-EVO through 23.2R2-EVO. <br /> <br /> This issue does not affect releases before 23.1R1-EVO.

The Use of a Hard-coded Cryptographic Key vulnerability in Juniper Networks Juniper Cloud Native Router (JCNR) and containerized routing Protocol Deamon (cRPD) products allows an attacker to perform Person-in-the-Middle (PitM) attacks which results in complete compromise of the container. <br /> <br /> Due to hardcoded SSH host keys being present on the container, a PitM attacker can intercept SSH traffic without being detected. <br /> <br /> This issue affects Juniper Networks JCNR:<br /> * All versions before 23.4.<br /> <br /> <br /> This issue affects Juniper Networks cRPD:<br /> * All versions before 23.4R1.

An Incorrect Default Permissions vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to access confidential information on the system.<br /> <br /> On all Junos OS and Junos OS Evolved platforms, when NETCONF traceoptions are configured, and a super-user performs specific actions via NETCONF, then a low-privileged user can access sensitive information compromising the confidentiality of the system.<br /> This issue affects:<br /> <br /> Junos OS:<br /> <br /> <br /> <br /> * all versions before 21.2R3-S7, <br /> <br /> * from 21.4 before 21.4R3-S5, <br /> <br /> * from 22.1 before 22.1R3-S5, <br /> <br /> * from 22.2 before 22.2R3-S3, <br /> <br /> * from 22.3 before 22.3R3-S2, <br /> <br /> * from 22.4 before 22.4R3, <br /> <br /> * from 23.2 before 23.2R1-S2.<br /> <br /> <br /> <br /> <br /> <br /> Junos OS Evolved: <br /> <br /> <br /> <br /> * all versions before 21.2R3-S7-EVO, <br /> <br /> * from 21.3 before 21.3R3-S5-EVO, <br /> <br /> * from 21.4 before 21.4R3-S5-EVO, <br /> <br /> * from 22.1 before 22.1R3-S5-EVO, <br /> <br /> * from 22.2 before 22.2R3-S3-EVO, <br /> <br /> * from 22.3 before 22.3R3-S2-EVO,<br /> <br /> * from 22.4 before 22.4R3-EVO, <br /> <br /> * from 23.2 before 23.2R1-S2.

An Access of Memory Location After End of Buffer vulnerability in the Layer-2 Control Protocols Daemon (l2cpd) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause Denial of Service (DoS).<br /> <br /> On all Junos OS and Junos OS Evolved platforms, when LLDP is enabled on a specific interface, and a malformed LLDP packet is received, l2cpd crashes and restarts. The impact of the l2cpd crash is reinitialization of STP protocols (RSTP, MSTP or VSTP), and MVRP and ERP. Also, if any services depend on LLDP state (like PoE or VoIP device recognition), then these will also be affected.<br /> <br /> This issue affects:<br /> <br /> Junos OS:<br /> * from 21.4 before 21.4R3-S4, <br /> <br /> * from 22.1 before 22.1R3-S4, <br /> <br /> * from 22.2 before 22.2R3-S2, <br /> <br /> * from 22.3 before 22.3R2-S2, 22.3R3-S1, <br /> <br /> * from 22.4 before 22.4R3, <br /> <br /> * from 23.2 before 23.2R2.<br /> <br /> <br /> <br /> <br /> Junos OS Evolved:<br /> * from 21.4-EVO before 21.4R3-S5-EVO, <br /> <br /> * from 22.1-EVO before 22.1R3-S4-EVO, <br /> <br /> * from 22.2-EVO before 22.2R3-S2-EVO, <br /> <br /> * from 22.3-EVO before 22.3R2-S2-EVO, 22.3R3-S1-EVO, <br /> <br /> * from 22.4-EVO before 22.4R3-EVO, <br /> <br /> * from 23.2-EVO before 23.2R2-EVO.<br /> <br /> <br /> <br /> <br /> This issue does not affect:<br /> * Junos OS versions prior to 21.4R1;<br /> <br /> * Junos OS Evolved versions prior to 21.4R1-EVO.

A Stack-based Buffer Overflow vulnerability in the Routing Protocol Daemon (RPD) component of Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause an rpd crash, leading to Denial of Service (DoS).<br /> <br /> On all Junos OS and Junos OS Evolved platforms, when EVPN is configured, and a specific EVPN type-5 route is received via BGP, rpd crashes and restarts. Continuous receipt of this specific route will lead to a sustained Denial of Service (DoS) condition.<br /> <br /> This issue affects:<br /> Junos OS:<br /> <br /> <br /> <br /> * all versions before 21.2R3-S7,<br /> <br /> * from 21.4 before 21.4R3-S5,<br /> <br /> * from 22.1 before 22.1R3-S4,<br /> <br /> * from 22.2 before 22.2R3-S2,<br /> <br /> * from 22.3 before 22.3R3-S1,<br /> <br /> * from 22.4 before 22.4R3,<br /> <br /> * from 23.2 before 23.2R2.<br /> <br /> <br /> <br /> <br /> <br /> Junos OS Evolved:<br /> <br /> <br /> <br /> * all versions before 21.4R3-S5-EVO,<br /> <br /> * from 22.1-EVO before 22.1R3-S4-EVO,<br /> <br /> * from 22.2-EVO before 22.2R3-S2-EVO,<br /> <br /> * from 22.3-EVO before 22.3R3-S1-EVO,<br /> <br /> * from 22.4-EVO before 22.4R3-EVO,<br /> <br /> * from 23.2-EVO before 23.2R2-EVO.

An Improper Validation of Specified Type of Input vulnerability in Routing Protocol Daemon (RPD) of Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause Denial of Service (DoS).<br /> <br /> If a BGP update is received over an established BGP session which contains a tunnel encapsulation attribute with a specifically malformed TLV, rpd will crash and restart.<br /> This issue affects:<br /> <br /> Junos OS:<br /> <br /> <br /> <br /> * all versions before 21.2R3-S7, <br /> <br /> * from 21.3 before 21.3R3-S5, <br /> <br /> * from 21.4 before 21.4R3-S5, <br /> <br /> * from 22.1 before 22.1R3-S5, <br /> <br /> * from 22.2 before 22.2R3-S3, <br /> <br /> * from 22.3 before 22.3R3-S2, <br /> <br /> * from 22.4 before 22.4R3, <br /> <br /> * from 23.2 before 23.2R1-S2, 23.2R2.<br /> <br /> <br /> <br /> <br /> <br /> Junos OS Evolved:<br /> <br /> <br /> <br /> * all versions before 21.2R3-S7-EVO, <br /> <br /> * from 21.3-EVO before 21.3R3-S5-EVO, <br /> <br /> * from 21.4-EVO before 21.4R3-S5-EVO, <br /> * from 22.2-EVO before 22.2R3-S3-EVO, <br /> <br /> * from 22.3-EVO before 22.3R3-S2-EVO, <br /> <br /> * from 22.4-EVO before 22.4R3-EVO, <br /> <br /> * from 23.2-EVO before 23.2R1-S2-EVO, 23.2R2-EVO.<br /> <br /> <br /> <br /> This is a related but separate issue than the one described in JSA75739

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Juniper Networks Paragon Active Assurance Control Center allows a network-adjacent attacker with root access to a Test Agent Appliance the ability to access sensitive information about downstream devices.<br /> <br /> The "netrounds-probe-login" daemon (also called probe_serviced) exposes functions where the Test Agent (TA) Appliance pushes interface state/config, unregister itself, etc. The remote service accidentally exposes an internal database object that can be used for direct database access on the Paragon Active Assurance Control Center.<br /> <br /> <br /> <br /> <br /> This issue affects Paragon Active Assurance: 4.1.0, 4.2.0.

An Improper Validation of Syntactic Correctness of Input vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based, unauthenticated attacker to cause a Denial of Service (DoS).<br /> <br /> If a BGP update is received over an established BGP session which contains a tunnel encapsulation attribute with a specifically malformed TLV, rpd will crash and restart.<br /> <br /> This issue affects Juniper Networks<br /> Junos OS:<br /> * 20.4 versions 20.4R1 and later versions earlier than 20.4R3-S9;<br /> * 21.2 versions earlier than 21.2R3-S7;<br /> * 21.3 versions earlier than 21.3R3-S5;<br /> * 21.4 versions earlier than 21.4R3-S5;<br /> * 22.1 versions earlier than 22.1R3-S4;<br /> * 22.2 versions earlier than 22.2R3-S3;<br /> * 22.3 versions earlier than 22.3R3-S1;<br /> * 22.4 versions earlier than 22.4R3;<br /> * 23.2 versions earlier than 23.2R1-S2, 23.2R2;<br /> <br /> <br /> <br /> Junos OS Evolved:<br /> * 20.4-EVO versions 20.4R1-EVO and later versions earlier than 20.4R3-S9-EVO;<br /> * 21.2-EVO versions earlier than 21.2R3-S7-EVO;<br /> * 21.3-EVO versions earlier than 21.3R3-S5-EVO;<br /> * 21.4-EVO versions earlier than 21.4R3-S5-EVO;<br /> * 22.1-EVO versions earlier than 22.1R3-S4-EVO;<br /> * 22.2-EVO versions earlier than 22.2R3-S3-EVO;<br /> * 22.3-EVO versions earlier than 22.3R3-S1-EVO;<br /> * 22.4-EVO versions earlier than 22.4R3-EVO;<br /> * 23.2-EVO versions earlier than 23.2R1-S2-EVO, 23.2R2-EVO;<br /> <br /> <br /> <br /> This issue does not affect Juniper Networks<br /> * Junos OS versions earlier than 20.4R1;<br /> * Junos OS Evolved versions earlier than 20.4R1-EVO.<br /> <br /> <br /> <br /> This is a related but separate issue than the one described in JSA79095.

An Exposure of Resource to Wrong Sphere vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX 300 Series allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS).<br /> <br /> <br /> <br /> Specific valid link-local traffic is not blocked on ports in STP blocked state but is instead sent to the control plane of the device. This leads to excessive resource consumption and in turn severe impact on all control and management protocols of the device.<br /> <br /> <br /> <br /> This issue affects Juniper Networks Junos OS:<br /> * 21.2 version 21.2R3-S3 and later versions earlier than 21.2R3-S6;<br /> * 22.1 version 22.1R3 and later versions earlier than 22.1R3-S4;<br /> * 22.2 version <br /> <br /> 22.2R2<br /> <br /> and later versions earlier than 22.2R3-S2;<br /> * 22.3 version <br /> <br /> 22.3R2 <br /> <br /> and later versions earlier than 22.3R3-S1;<br /> <br /> * 22.4 versions earlier than 22.4R2-S2, 22.4R3;<br /> * 23.2 versions earlier than 23.2R1-S1, 23.2R2.<br /> <br /> <br /> <br /> <br /> This issue does not affect Juniper Networks Junos OS 21.4R1 and later versions of 21.4.