Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database), by virtue of a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-39565

Publication date:
10/07/2024
An Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in J-Web shipped with Juniper Networks Junos OS allows an unauthenticated, network-based attacker to execute remote commands on the target device.

While an administrator is logged into a J-Web session or has previously logged in and subsequently logged out of their J-Web session, the attacker can arbitrarily execute commands on the target device with the other user's credentials. In the worst case, the attacker will have full control over the device.

This issue affects Junos OS:
* All versions before 21.2R3-S8,
* from 21.4 before 21.4R3-S7,
* from 22.2 before 22.2R3-S4,
* from 22.3 before 22.3R3-S3,
* from 22.4 before 22.4R3-S2,
* from 23.2 before 23.2R2,
* from 23.4 before 23.4R1-S1, 23.4R2.
Severity CVSS v4.0: HIGH
Last modification:
22/01/2026

CVE-2024-39560

Publication date:
10/07/2024
An Improper Handling of Exceptional Conditions vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a logically adjacent downstream RSVP neighbor to cause kernel memory exhaustion, leading to a kernel crash, resulting in a Denial of Service (DoS).

The kernel memory leak and eventual crash will be seen when the downstream RSVP neighbor has a persistent error which will not be corrected.

System kernel memory can be monitored through the use of the 'show system kernel memory' command as shown below:

  user@router> show system kernel memory
  Real memory total/reserved: 4130268/ 133344 Kbytes
  kmem map free: 18014398509110220 Kbytes

This issue affects:

Junos OS:
* All versions before 20.4R3-S9,
* All versions of 21.2,
* from 21.4 before 21.4R3-S5,
* from 22.1 before 22.1R3-S5,
* from 22.2 before 22.2R3-S3,
* from 22.3 before 22.3R3-S2,
* from 22.4 before 22.4R3,
* from 23.2 before 23.2R2;

Junos OS Evolved:
* All versions before 21.4R3-S5-EVO,
* from 22.1-EVO before 22.1R3-S5-EVO,
* from 22.2-EVO before 22.2R3-S3-EVO,
* from 22.3-EVO before 22.3R3-S2-EVO,
* from 22.4-EVO before 22.4R3-EVO,
* from 23.2-EVO before 23.2R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
22/01/2026

CVE-2024-39556

Publication date:
10/07/2024
A Stack-Based Buffer Overflow vulnerability in Juniper Networks Junos OS and Juniper Networks Junos OS Evolved may allow a local, low-privileged attacker with access to the CLI the ability to load a malicious certificate file, leading to a limited Denial of Service (DoS) or privileged code execution.

By exploiting the 'set security certificates' command with a crafted certificate file, a malicious attacker with access to the CLI could cause a crash of the command management daemon (mgd), limited to the local user's command interpreter, or potentially trigger a stack-based buffer overflow.

This issue affects:

Junos OS:
* All versions before 21.4R3-S7,
* from 22.1 before 22.1R3-S6,
* from 22.2 before 22.2R3-S4,
* from 22.3 before 22.3R3-S3,
* from 22.4 before 22.4R3-S2,
* from 23.2 before 23.2R2,
* from 23.4 before 23.4R1-S1, 23.4R2;

Junos OS Evolved:
* All versions before 21.4R3-S7-EVO,
* from 22.1-EVO before 22.1R3-S6-EVO,
* from 22.2-EVO before 22.2R3-S4-EVO,
* from 22.3-EVO before 22.3R3-S3-EVO,
* from 22.4-EVO before 22.4R3-S2-EVO,
* from 23.2-EVO before 23.2R2-EVO,
* from 23.4-EVO before 23.4R1-S1-EVO, 23.4R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
07/02/2025

CVE-2024-39557

Publication date:
10/07/2024
An Uncontrolled Resource Consumption vulnerability in the Layer 2 Address Learning Daemon (l2ald) of Juniper Networks Junos OS Evolved allows an unauthenticated, adjacent attacker to cause a memory leak, eventually exhausting all system memory, leading to a system crash and Denial of Service (DoS).

Certain MAC table updates cause a small amount of memory to leak. Once memory utilization reaches its limit, the issue will result in a system crash and restart.

To identify the issue, execute the CLI command:

  user@device> show platform application-info allocations app l2ald-agent
  EVL Object Allocation Statistics:

  Node  Application   Context Name                      Live     Allocs   Fails  Guids
  re0   l2ald-agent   net::juniper::rtnh::L2Rtinfo      1069096  1069302  0      1069302
  re0   l2ald-agent   net::juniper::rtnh::NHOpaqueTlv   114      195      0      195

This issue affects Junos OS Evolved:
* All versions before 21.4R3-S8-EVO,
* from 22.2-EVO before 22.2R3-S4-EVO,
* from 22.3-EVO before 22.3R3-S3-EVO,
* from 22.4-EVO before 22.4R3-EVO,
* from 23.2-EVO before 23.2R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
07/02/2025

CVE-2024-39558

Publication date:
10/07/2024
An Unchecked Return Value vulnerability in the Routing Protocol Daemon (rpd) on Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows a logically adjacent, unauthenticated attacker sending a specific PIM packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS), when PIM is configured with Multicast-only Fast Reroute (MoFRR). Continued receipt and processing of this packet may create a sustained Denial of Service (DoS) condition.

This issue is observed on Junos and Junos Evolved platforms where PIM is configured along with MoFRR. MoFRR tries to select the active path, but due to an internal timing issue, rpd is unable to select the forwarding next-hop towards the source, resulting in an rpd crash.

This issue affects:

Junos OS:
* All versions before 20.4R3-S10,
* from 21.2 before 21.2R3-S7,
* from 21.4 before 21.4R3-S6,
* from 22.1 before 22.1R3-S5,
* from 22.2 before 22.2R3-S3,
* from 22.3 before 22.3R3,
* from 22.4 before 22.4R2;

Junos OS Evolved:
* All versions before 20.4R3-S10-EVO,
* All versions of 21.2-EVO,
* from 21.4-EVO before 21.4R3-S9-EVO,
* from 22.1-EVO before 22.1R3-S5-EVO,
* from 22.2-EVO before 22.2R3-S3-EVO,
* from 22.3-EVO before 22.3R3-EVO,
* from 22.4-EVO before 22.4R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
07/02/2025

CVE-2024-39559

Publication date:
10/07/2024
An Improper Check for Unusual or Exceptional Conditions vulnerability in packet processing of Juniper Networks Junos OS Evolved may allow a network-based unauthenticated attacker to crash the device (vmcore) by sending a specific TCP packet over an established TCP session with MD5 authentication enabled, destined to an accessible port on the device, resulting in a Denial of Service (DoS). The receipt of this packet must occur within a specific timing window outside the attacker's control (i.e., race condition).

Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.

This issue only affects dual RE systems with Nonstop Active Routing (NSR) enabled.
Exploitation can only occur over TCP sessions with MD5 authentication enabled (e.g., BGP with MD5 authentication).

This issue affects Junos OS Evolved:
* All versions before 21.2R3-S8-EVO,
* from 21.4-EVO before 21.4R3-S6-EVO,
* from 22.1-EVO before 22.1R3-S4-EVO,
* from 22.2-EVO before 22.2R3-S4-EVO,
* from 22.3-EVO before 22.3R3-S3-EVO,
* from 22.4-EVO before 22.4R2-S2-EVO, 22.4R3-EVO.
Severity CVSS v4.0: HIGH
Last modification:
07/02/2025

CVE-2024-39517

Publication date:
10/07/2024
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Layer 2 Address Learning Daemon (l2ald) on Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause Denial of Service (DoS).

In an EVPN/VXLAN scenario, when a high number of specific Layer 2 packets are processed by the device, it can cause the Routing Protocol Daemon (rpd) to utilize all CPU resources, which causes the device to hang. A manual restart of the rpd is required to restore services.

This issue affects both IPv4 and IPv6 implementations.

This issue affects:

Junos OS:
* All versions earlier than 21.4R3-S7;
* 22.1 versions earlier than 22.1R3-S5;
* 22.2 versions earlier than 22.2R3-S3;
* 22.3 versions earlier than 22.3R3-S3;
* 22.4 versions earlier than 22.4R3-S2;
* 23.2 versions earlier than 23.2R2;
* 23.4 versions earlier than 23.4R1-S1.

Junos OS Evolved:
* All versions earlier than 21.4R3-S7-EVO;
* 22.1-EVO versions earlier than 22.1R3-S5-EVO;
* 22.2-EVO versions earlier than 22.2R3-S3-EVO;
* 22.3-EVO versions earlier than 22.3R3-S3-EVO;
* 22.4-EVO versions earlier than 22.4R3-S2-EVO;
* 23.2-EVO versions earlier than 23.2R2-EVO;
* 23.4-EVO versions earlier than 23.4R1-S1-EVO, 23.4R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
07/02/2025

CVE-2024-39518

Publication date:
10/07/2024
A Heap-based Buffer Overflow vulnerability in the telemetry sensor process (sensord) of Juniper Networks Junos OS on MX240, MX480, MX960 platforms using MPC10E causes a steady increase in memory utilization, ultimately leading to a Denial of Service (DoS).

When the device is subscribed to a specific subscription on Junos Telemetry Interface, a slow memory leak occurs and eventually all resources are consumed and the device becomes unresponsive. A manual reboot of the Line Card will be required to restore the device to its normal functioning.

This issue is only seen when telemetry subscription is active.

The Heap memory utilization can be monitored using the following command:

  > show system processes extensive

The following command can be used to monitor the memory utilization of the specific sensor:

  > show system info | match sensord
  PID   NAME     MEMORY    PEAK MEMORY  %CPU  THREAD-COUNT  CORE-AFFINITY  UPTIME
  1986  sensord  877.57MB  877.57MB     2     4             0,2-15         7-21:41:32

This issue affects Junos OS:
* from 21.2R3-S5 before 21.2R3-S7,
* from 21.4R3-S4 before 21.4R3-S6,
* from 22.2R3 before 22.2R3-S4,
* from 22.3R2 before 22.3R3-S2,
* from 22.4R1 before 22.4R3,
* from 23.2R1 before 23.2R2.
Severity CVSS v4.0: HIGH
Last modification:
01/03/2025

CVE-2024-39555

Publication date:
10/07/2024
An Improper Handling of Exceptional Conditions vulnerability in the Routing Protocol Daemon (RPD) of Juniper Networks Junos OS and Junos OS Evolved allows an attacker sending a specific malformed BGP update message to cause the session to reset, resulting in a Denial of Service (DoS). Continued receipt and processing of these malformed BGP update messages will create a sustained Denial of Service (DoS) condition.

Upon receipt of a BGP update message over an established BGP session containing a specifically malformed tunnel encapsulation attribute, when segment routing is enabled, internal processing of the malformed attributes within the update results in improper parsing of remaining attributes, leading to session reset:

  BGP SEND Notification code 3 (Update Message Error) subcode 1 (invalid attribute list)

Only systems with segment routing enabled are vulnerable to this issue.

This issue affects eBGP and iBGP, in both IPv4 and IPv6 implementations, and requires a remote attacker to have at least one established BGP session.

This issue affects:

Junos OS:
* All versions before 21.4R3-S8,
* from 22.2 before 22.2R3-S4,
* from 22.3 before 22.3R3-S3,
* from 22.4 before 22.4R3-S3,
* from 23.2 before 23.2R2-S1,
* from 23.4 before 23.4R1-S2, 23.4R2.

Junos OS Evolved:
* All versions before 21.4R3-S8-EVO,
* from 22.2-EVO before 22.2R3-S4-EVO,
* from 22.3-EVO before 22.3R3-S3-EVO,
* from 22.4-EVO before 22.4R3-S3-EVO,
* from 23.2-EVO before 23.2R2-S1-EVO,
* from 23.4-EVO before 23.4R1-S2-EVO, 23.4R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
07/02/2025

CVE-2024-39554

Publication date:
10/07/2024
A Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to inject incremental routing updates when BGP multipath is enabled, causing rpd to crash and restart, resulting in a Denial of Service (DoS). Since this is a timing issue (race condition), the successful exploitation of this vulnerability is outside the attacker's control. However, continued receipt and processing of this packet may create a sustained Denial of Service (DoS) condition.

On all Junos OS and Junos OS Evolved platforms with BGP multipath enabled, a specific multipath calculation removes the original next hop from the multipath lead route's nexthop-set. When this change happens, multipath relies on certain internal timing to record the update. Under certain circumstances and with specific timing, this could result in an rpd crash.

This issue only affects systems with BGP multipath enabled.

This issue affects:

Junos OS:
* All versions of 21.1,
* from 21.2 before 21.2R3-S7,
* from 21.4 before 21.4R3-S6,
* from 22.1 before 22.1R3-S5,
* from 22.2 before 22.2R3-S3,
* from 22.3 before 22.3R3-S2,
* from 22.4 before 22.4R3,
* from 23.2 before 23.2R2.

Junos OS Evolved:
* All versions of 21.1-EVO,
* All versions of 21.2-EVO,
* from 21.4-EVO before 21.4R3-S6-EVO,
* from 22.1-EVO before 22.1R3-S5-EVO,
* from 22.2-EVO before 22.2R3-S3-EVO,
* from 22.3-EVO before 22.3R3-S2-EVO,
* from 22.4-EVO before 22.4R3-EVO,
* from 23.2-EVO before 23.2R2-EVO.

Versions of Junos OS before 21.1R1 are unaffected by this vulnerability.
Versions of Junos OS Evolved before 21.1R1-EVO are unaffected by this vulnerability.
Severity CVSS v4.0: HIGH
Last modification:
07/02/2025

CVE-2024-39511

Publication date:
10/07/2024
An Improper Input Validation vulnerability in the 802.1X Authentication (dot1x) Daemon of Juniper Networks Junos OS allows a local, low-privileged attacker with access to the CLI to cause a Denial of Service (DoS).

On running a specific operational dot1x command, the dot1x daemon crashes. An attacker can cause a sustained DoS condition by running this command repeatedly.

When the crash occurs, the authentication status of any 802.1x clients is cleared, and any authorized dot1x port becomes unauthorized. The client cannot re-authenticate until the dot1x daemon restarts.

This issue affects Junos OS:
* All versions before 20.4R3-S10;
* 21.2 versions before 21.2R3-S7;
* 21.4 versions before 21.4R3-S6;
* 22.1 versions before 22.1R3-S5;
* 22.2 versions before 22.2R3-S3;
* 22.3 versions before 22.3R3-S2;
* 22.4 versions before 22.4R3-S1;
* 23.2 versions before 23.2R2.
Severity CVSS v4.0: MEDIUM
Last modification:
07/02/2025

CVE-2024-39512

Publication date:
10/07/2024
An Improper Physical Access Control vulnerability in the console port control of Juniper Networks Junos OS Evolved allows an attacker with physical access to the device to get access to a user account.

When the console cable is disconnected, the logged in user is not logged out. This allows a malicious attacker with physical access to the console to resume a previous session and possibly gain administrative privileges.

This issue affects Junos OS Evolved:
* from 23.2R2-EVO before 23.2R2-S1-EVO,
* from 23.4R1-EVO before 23.4R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
07/02/2025