Vulnerabilities

An Improper Validation of Syntactic Correctness of Input vulnerability in the IPsec library used by kmd and iked of Juniper Networks Junos OS on SRX Series and MX Series allows an unauthenticated, network-based attacker to cause a complete Denial-of-Service (DoS).<br /> <br /> If an affected device receives a specifically malformed first ISAKMP packet from the initiator, the kmd/iked process will crash and restart, which momentarily prevents new security associations (SAs) for from being established. Repeated exploitation of this vulnerability causes a complete inability to establish new VPN connections.<br /> <br /> This issue affects Junos OS on <br /> <br /> SRX Series and MX Series:<br /> <br /> <br /> <br /> * all versions before 22.4R3-S9,<br /> * 23.2 version before 23.2R2-S6,<br /> * 23.4 version before 23.4R2-S7,<br /> * 24.2 versions before 24.2R2-S4,<br /> * 24.4 versions before 24.4R2-S3,<br /> * 25.2 versions before 25.2R1-S2, 25.2R2.

An Improper Following of a Certificate&amp;#39;s Chain of Trust vulnerability in J-Web of Juniper Networks Junos OS on SRX Series allows a PITM to intercept the communication of the device and get access to confidential information and potentially modify it.<br /> <br /> When an SRX device is provisioned to connect to Security Director (SD) cloud, it doesn&amp;#39;t perform sufficient verification of the received server certificate. This allows a PITM to intercept the communication between the SRX and SD cloud and access credentials and other sensitive information.<br /> <br /> This issue affects Junos OS:<br /> * all versions before 22.4R3-S9,<br /> * 23.2 versions before 23.2R2-S6,<br /> * 23.4 versions before 23.4R2-S7,<br /> * 24.2 versions before 24.2R2-S3,<br /> * 24.4 versions before 24.4R2-S2,<br /> * 25.2 versions before 25.2R1-S2, 25.2R2.

A Missing Release of Memory after Effective Lifetime vulnerability in the Layer 2 Address Learning Daemon (l2ald) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause a memory leak ultimately leading to a Denial of Service (DoS).<br /> <br /> <br /> <br /> In an EVPN-MPLS scenario, routes learned from remote multi-homed Provider Edge (PE) devices are programmed as ESI routes. Due to a logic issue in the l2ald memory management, memory allocated for these routes is not released when there is churn for these routes. As a result, memory leaks in the l2ald process which will ultimately lead to a crash and restart of l2ald.<br /> <br /> Use the following command to monitor the memory consumption by l2ald:<br /> <br /> user@device&gt; show system process extensive | match "PID|l2ald" <br /> <br /> <br /> <br /> This issue affects:<br /> <br /> Junos OS:<br /> <br /> <br /> <br /> * all versions before 22.4R3-S5,<br /> * 23.2 versions before 23.2R2-S3,<br /> * 23.4 versions before 23.4R2-S4,<br /> * 24.2 versions before 24.2R2;<br /> <br /> <br /> <br /> <br /> Junos OS Evolved:<br /> <br /> <br /> <br /> * all versions before 22.4R3-S5-EVO,<br /> * 23.2 versions before 23.2R2-S3-EVO,<br /> * 23.4 versions before 23.4R2-S4-EVO,<br /> * 24.2 versions before 24.2R2-EVO.

An Incorrect Synchronization vulnerability in the management daemon (mgd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker with low privileges to cause a complete Denial-of-Service (DoS) of the management plane.<br /> <br /> When NETCONF sessions are quickly established and disconnected, a locking issue causes mgd processes to hang in an unusable state. When the maximum number of mgd processes has been reached, no new logins are possible. This leads to the inability to manage the device and requires a power-cycle to recover.<br /> <br /> This issue can be monitored by checking for mgd processes in lockf state in the output of &amp;#39;show system processes extensive&amp;#39;:<br /> <br /> user@host&gt; show system processes extensive | match mgd<br /> root       20   0 501M 4640K lockf   1 0:01 0.00% mgd<br /> <br /> <br /> If the system still can be accessed (either via the CLI or as root, which might still be possible as last resort as this won&amp;#39;t invoke mgd), mgd processes in this state can be killed with &amp;#39;request system process terminate &amp;#39; from the CLI or with &amp;#39;kill -9 &amp;#39; from the shell. <br /> <br /> <br /> <br /> <br /> This issue affects:<br /> <br /> Junos OS:<br /> <br /> * 23.4 versions before 23.4R2-S4,<br /> * 24.2 versions before 24.2R2-S1,<br /> * 24.4 versions before 24.4R1-S3, 24.4R2;<br /> <br /> <br /> <br /> <br /> This issue does not affect Junos OS versions before 23.4R1;<br /> <br /> <br /> <br /> Junos OS Evolved:<br /> <br /> * 23.4 versions before 23.4R2-S5-EVO,<br /> * 24.2 versions before 24.2R2-S1-EVO,<br /> * 24.4 versions before 24.4R1-S3-EVO, 24.4R2-EVO.<br /> <br /> <br /> <br /> <br /> <br /> <br /> This issue does not affect Junos OS Evolved versions before 23.4R1-EVO;

A Weak Password Requirements vulnerability in the password management function of Juniper Networks CTP OS might allow an unauthenticated, network-based attacker to exploit weak passwords of local accounts and potentially take full control of the device.<br /> <br /> The password management menu enables the administrator to set password complexity requirements, but these settings are not saved. The issue can be verified with the menu option "Show password requirements". Failure to enforce the intended requirements can lead to weak passwords being used, which significantly increases the likelihood that an attacker can guess these and subsequently attain unauthorized access.<br /> <br /> <br /> <br /> This issue affects CTP OS versions 9.2R1 and 9.2R2.

An Incorrect Initialization of Resource vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX Series and QFX Series device allows an unauthenticated, network-based attacker to cause an integrity impact to downstream networks.<br /> <br /> When the same family inet or inet6 filter is applied on an IRB interface and on a physical interface as egress filter on EX4100, EX4400, EX4650 and QFX5120 devices, only one of the two filters will be applied, which can lead to traffic being sent out one of these interfaces which should have been blocked.<br /> <br /> This issue affects Junos OS on EX Series and QFX Series:<br /> * 23.4 version 23.4R2-S6,<br /> * 24.2 version 24.2R2-S3.<br /> <br /> <br /> No other Junos OS versions are affected.

An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the configured firewall filter and access the control-plane of the device.<br /> <br /> On MX platforms with <br /> <br /> MPC10, MPC11, LC4800 or LC9600<br /> <br /> line cards, and MX304, firewall filters applied on a loopback interface lo0.n (where n is a non-0 number) don&amp;#39;t get executed when lo0.n is in the global VRF / default routing-instance.<br /> <br /> An affected configuration would be:<br /> <br /> user@host# show configuration interfaces lo0 | display set<br /> set interfaces lo0 unit 1 family inet filter input <br /> <br /> where a firewall filter is applied to a non-0 loopback interface, but that loopback interface is not referred to in any routing-instance (RI) configuration, which implies that it&amp;#39;s used in the default RI.<br /> <br /> The issue can be observed with the CLI command:<br /> <br /> user@device&gt; show firewall counter filter <br /> <br /> not showing any matches.<br /> <br /> This issue affects Junos OS on MX Series:<br /> <br /> * all versions before 23.2R2-S6,<br /> * 23.4 versions before 23.4R2-S7,<br /> * 24.2 versions before 24.2R2,<br /> * 24.4 versions before 24.4R2.

A Buffer Copy without Checking Size of Input (&amp;#39;Classic Buffer Overflow&amp;#39;) vulnerability in the advanced forwarding toolkit (evo-aftmand/evo-pfemand) of Juniper Networks Junos OS Evolved on PTX Series or QFX5000 Series allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS).An attacker sending crafted multicast packets will cause line cards running evo-aftmand/evo-pfemand to crash and restart or non-line card devices to crash and restart. Continued receipt and processing of these packets will sustain the Denial of Service (DoS) condition.<br /> <br /> This issue affects Junos OS Evolved PTX Series:<br /> <br /> <br /> <br /> * All versions before 22.4R3-S8-EVO,<br /> * from 23.2 before 23.2R2-S5-EVO,<br /> * from 23.4 before 23.4R2-EVO,<br /> * from 24.2 before 24.2R2-EVO,<br /> * from 24.4 before 24.4R2-EVO.<br /> <br /> <br /> <br /> <br /> This issue affects Junos OS Evolved on QFX5000 Series:<br /> <br /> <br /> <br /> * 22.2-EVO version before 22.2R3-S7-EVO,<br /> * 22.4-EVO version before 22.4R3-S7-EVO,<br /> * 23.2-EVO versions before 23.2R2-S4-EVO,<br /> * 23.4-EVO versions before 23.4R2-S5-EVO, <br /> * 24.2-EVO versions before 24.2R2-S1-EVO,<br /> * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO.<br /> <br /> <br /> This issue does not affect Junos OS Evolved on QFX5000 Series versions before: 21.2R2-S1-EVO, 21.2R3-EVO, 21.3R2-EVO, 21.4R1-EVO, and 22.1R1-EVO.

An Improper Neutralization of Input During Web Page Generation (&amp;#39;Cross-site Scripting&amp;#39;) vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the <br /> <br /> list filter field that, when visited by another user, enables the attacker to execute commands with the target&amp;#39;s permissions, including an administrator.<br /> <br /> This issue affects all versions of Junos Space before 24.1R5 Patch V3.

A Permissive List of Allowed Input vulnerability in the CLI of Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows a local, high privileged attacker to escalate their privileges to root.<br /> <br /> The CLI menu accepts input without carefully validating it, which allows for shell command injection. These shell commands are executed with root permissions and can be used to gain complete control of the system.<br /> <br /> This issue affects all JSI vLWC versions before 3.0.94.

A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root which will lead to a complete compromise of the system.<br /> <br /> When after a user has performed a specific &amp;#39;file link ...&amp;#39; CLI operation, another user commits (unrelated configuration changes), the first user can login as root.<br /> <br /> This issue affects Junos OS:<br /> * all versions before 23.2R2-S7,<br /> * 23.4 versions before 23.4R2-S6,<br /> * 24.2 versions before 24.2R2-S3,<br /> * 24.4 versions before 24.4R2-S2,<br /> * 25.2 versions before 25.2R2.<br /> <br /> <br /> This issue does not affect versions 25.4R1 or later.

A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows a unauthenticated, MITM <br /> <br /> attacker to impersonate managed devices.<br /> <br /> Due to insufficient SSH host key validation an attacker can perform a machine-in-the-middle attack on the SSH connections from Apstra to managed devices, enabling an attacker to impersonate a managed device and capture user credentials.<br /> <br /> This issue affects all versions of Apstra before 6.1.1.