Vulnerabilities

<br /> An Exposure of Resource to Wrong Sphere vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the intended access restrictions.<br /> <br /> In an Abstracted Fabric (AF) scenario if routing-instances (RI) are configured, specific valid traffic destined to the device can bypass the configured lo0 firewall filters as it&amp;#39;s received in the wrong RI context.<br /> <br /> This issue affects Juniper Networks Junos OS on MX Series:<br /> <br /> <br /> <br /> * All versions earlier than 20.4R3-S9;<br /> * 21.2 versions earlier than 21.2R3-S3;<br /> * 21.4 versions earlier than 21.4R3-S5;<br /> * 22.1 versions earlier than 22.1R3;<br /> * 22.2 versions earlier than 22.2R3;<br /> * 22.3 versions earlier than 22.3R2.<br /> <br /> <br /> <br /> <br /> <br /> <br />

<br /> A Missing Release of Memory after Effective Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS).<br /> <br /> If an MX Series device receives PTP packets on an MPC3E that doesn&amp;#39;t support PTP this causes a memory leak which will result in unpredictable behavior and ultimately in an MPC crash and restart.<br /> <br /> To monitor for this issue, please use the following FPC vty level commands:<br /> <br /> show heap<br /> shows an increase in "LAN buffer" utilization and<br /> <br /> show clksync ptp nbr-upd-info<br /> shows non-zero "Pending PFEs" counter.<br /> <br /> This issue affects Juniper Networks Junos OS on MX Series with MPC3E:<br /> <br /> <br /> <br /> * All versions earlier than 20.4R3-S3;<br /> * 21.1 versions earlier than 21.1R3-S4;<br /> * 21.2 versions earlier than 21.2R3;<br /> * 21.3 versions earlier than 21.3R2-S1, 21.3R3;<br /> * 21.4 versions earlier than 21.4R2;<br /> * 22.1 versions earlier than 22.1R2.<br /> <br /> <br /> <br /> <br /> <br /> <br />

<br /> An Improper Neutralization of Equivalent Special Elements vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on PTX Series allows a unauthenticated, adjacent attacker to cause a Denial of Service (DoS).<br /> <br /> When MPLS packets are meant to be sent to a flexible tunnel interface (FTI) and if the FTI tunnel is down, these will hit the reject NH, due to which the packets get sent to the CPU and cause a host path wedge condition. This will cause the FPC to hang and requires a manual restart to recover.<br /> <br /> Please note that this issue specifically affects PTX1000, PTX3000, PTX5000 with FPC3, PTX10002-60C, and PTX10008/16 with LC110x. Other PTX Series devices and Line Cards (LC) are not affected.<br /> <br /> The following log message can be seen when the issue occurs:<br /> <br /> Cmerror Op Set: Host Loopback: HOST LOOPBACK WEDGE DETECTED IN PATH ID (URI: /fpc//pfe//cm//Host_Loopback//HOST_LOOPBACK_MAKE_CMERROR_ID[])<br /> This issue affects Juniper Networks Junos OS:<br /> <br /> <br /> <br /> * All versions earlier than 20.4R3-S8;<br /> * 21.1 versions earlier than 21.1R3-S4;<br /> * 21.2 versions earlier than 21.2R3-S6;<br /> * 21.3 versions earlier than 21.3R3-S3;<br /> * 21.4 versions earlier than 21.4R3-S5;<br /> * 22.1 versions earlier than 22.1R2-S2, 22.1R3;<br /> * 22.2 versions earlier than 22.2R2-S1, 22.2R3.<br /> <br /> <br /> <br /> <br /> <br /> <br />

<br /> An Improper Handling of Exceptional Conditions vulnerability in BGP session processing of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated network-based attacker, using specific timing outside the attacker&amp;#39;s control, to flap BGP sessions and cause the routing protocol daemon (rpd) process to crash and restart, leading to a Denial of Service (DoS) condition. Continued BGP session flapping will create a sustained Denial of Service (DoS) condition.<br /> <br /> This issue only affects routers configured with non-stop routing (NSR) enabled. Graceful Restart (GR) helper mode, enabled by default, is also required for this issue to be exploitable.<br /> <br /> <br /> Note: NSR is not supported on the SRX Series and is therefore not affected by this vulnerability.<br /> When the BGP session flaps on the NSR-enabled router, the device enters GR-helper/LLGR-helper mode due to the peer having negotiated GR/LLGR-restarter capability and the backup BGP requests for replication of the GR/LLGR-helper session, master BGP schedules, and initiates replication of GR/LLGR stale routes to the backup BGP. In this state, if the BGP session with the BGP peer comes up again, unsolicited replication is initiated for the peer without cleaning up the ongoing GR/LLGR-helper mode replication. This parallel two instances of replication for the same peer leads to the assert if the BGP session flaps again.<br /> <br /> This issue affects:<br /> <br /> Juniper Networks Junos OS<br /> <br /> <br /> <br /> * All versions earlier than 20.4R3-S9;<br /> * 21.2 versions earlier than 21.2R3-S7;<br /> * 21.3 versions earlier than 21.3R3-S5;<br /> * 21.4 versions earlier than 21.4R3-S5;<br /> * 22.1 versions earlier than 22.1R3-S4;<br /> * 22.2 versions earlier than 22.2R3-S3;<br /> * 22.3 versions earlier than 22.3R3-S1;<br /> * 22.4 versions earlier than 22.4R2-S2, 22.4R3;<br /> * 23.2 versions earlier than 23.2R1-S1, 23.2R2.<br /> <br /> <br /> <br /> <br /> Juniper Networks Junos OS Evolved<br /> <br /> <br /> <br /> * All versions earlier than 21.3R3-S5-EVO;<br /> * 21.4 versions earlier than 21.4R3-S5-EVO;<br /> * 22.1 versions earlier than 22.1R3-S4-EVO;<br /> * 22.2 versions earlier than 22.2R3-S3-EVO;<br /> * 22.3 versions earlier than 22.3R3-S1-EVO;<br /> * 22.4 versions earlier than 22.4R2-S2-EVO, 22.4R3-EVO;<br /> * 23.2 versions earlier than 23.2R1-S1-EVO, 23.2R2-EVO.<br /> <br /> <br /> <br /> <br /> <br /> <br />

<br /> An Improper Handling of Exceptional Conditions vulnerability in the broadband edge subscriber management daemon (bbe-smgd) of Juniper Networks Junos OS on MX Series allows an attacker directly connected to the vulnerable system who repeatedly flaps DHCP subscriber sessions to cause a slow memory leak, ultimately leading to a Denial of Service (DoS). Memory can only be recovered by manually restarting bbe-smgd.<br /> <br /> This issue only occurs if BFD liveness detection for DHCP subscribers is enabled. Systems without BFD liveness detection enabled are not vulnerable to this issue.<br /> <br /> Indication of the issue can be observed by periodically executing the &amp;#39;show system processes extensive&amp;#39; command, which will indicate an increase in memory allocation for bbe-smgd. A small amount of memory is leaked every time a DHCP subscriber logs in, which will become visible over time, ultimately leading to memory starvation.<br /> <br /> user@junos&gt; show system processes extensive | match bbe-smgd<br /> 13071 root 24 0 415M 201M select 0 0:41 7.28% bbe-smgd{bbe-smgd}<br /> 13071 root 20 0 415M 201M select 1 0:04 0.00% bbe-smgd{bbe-smgd}<br /> ...<br /> user@junos&gt; show system processes extensive | match bbe-smgd<br /> 13071 root 20 0 420M 208M select 0 4:33 0.10% bbe-smgd{bbe-smgd}<br /> 13071 root 20 0 420M 208M select 0 0:12 0.00% bbe-smgd{bbe-smgd}<br /> ...<br /> This issue affects Juniper Networks Junos OS on MX Series:<br /> <br /> <br /> <br /> * All versions earlier than 20.4R3-S9;<br /> * 21.2 versions earlier than 21.2R3-S7;<br /> * 21.3 versions earlier than 21.3R3-S5;<br /> * 21.4 versions earlier than 21.4R3-S5;<br /> * 22.1 versions earlier than 22.1R3-S4;<br /> * 22.2 versions earlier than 22.2R3-S3;<br /> * 22.3 versions earlier than 22.3R3-S2;<br /> * 22.4 versions earlier than 22.4R2-S2, 22.4R3;<br /> * 23.2 versions earlier than 23.2R1-S1, 23.2R2.<br /> <br /> <br /> <br /> <br /> <br /> <br />

<br /> An Improper Access Control vulnerability in the Juniper Networks Paragon Active Assurance Control Center allows an unauthenticated network-based attacker to access reports without authenticating, potentially containing sensitive configuration information.<br /> <br /> A feature was introduced in version 3.1.0 of the Paragon Active Assurance Control Center which allows users to selectively share account data. By exploiting this vulnerability, it is possible to access reports without being logged in, resulting in the opportunity for malicious exfiltration of user data.<br /> <br /> Note that the Paragon Active Assurance Control Center SaaS offering is not affected by this issue.<br /> <br /> This issue affects Juniper Networks Paragon Active Assurance versions 3.1.0, 3.2.0, 3.2.2, 3.3.0, 3.3.1, 3.4.0.<br /> <br /> This issue does not affect Juniper Networks Paragon Active Assurance versions earlier than 3.1.0.<br /> <br /> <br /> <br /> <br />

<br /> An Out-of-bounds Write vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS), or Remote Code Execution (RCE) and obtain root privileges on the device.<br /> <br /> This issue is caused by use of an insecure function allowing an attacker to overwrite arbitrary memory.<br /> <br /> This issue affects Juniper Networks Junos OS SRX Series and EX Series:<br /> <br /> <br /> <br /> * Junos OS versions earlier than 20.4R3-S9;<br /> * Junos OS 21.2 versions earlier than 21.2R3-S7;<br /> * Junos OS 21.3 versions earlier than 21.3R3-S5;<br /> * Junos OS 21.4 versions earlier than 21.4R3-S5;<br /> * Junos OS 22.1 versions earlier than 22.1R3-S4;<br /> * Junos OS 22.2 versions earlier than 22.2R3-S3;<br /> * Junos OS 22.3 versions earlier than 22.3R3-S2;<br /> * Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3.<br /> <br /> <br /> <br /> <br /> <br /> <br />

<br /> A Heap-based Buffer Overflow vulnerability in the Network Services Daemon (NSD) of Juniper Networks Junos OS allows authenticated, low privileged, local attacker to cause a Denial of Service (DoS).<br /> <br /> On an SRX 5000 Series device, when executing a specific command repeatedly, memory is corrupted, which leads to a Flow Processing Daemon (flowd) crash.<br /> <br /> The NSD process has to be restarted to restore services.<br /> <br /> If this issue occurs, it can be checked with the following command:<br /> <br /> user@host&gt; request security policies check<br /> The following log message can also be observed:<br /> <br /> Error: policies are out of sync for PFE node.fpc.pic.<br /> This issue affects:<br /> <br /> Juniper Networks Junos OS on SRX 5000 Series<br /> <br /> <br /> <br /> * All versions earlier than 20.4R3-S6;<br /> * 21.1 versions earlier than 21.1R3-S5;<br /> * 21.2 versions earlier than 21.2R3-S4;<br /> * 21.3 versions earlier than 21.3R3-S3;<br /> * 21.4 versions earlier than 21.4R3-S3;<br /> * 22.1 versions earlier than 22.1R3-S1;<br /> * 22.2 versions earlier than 22.2R3;<br /> * 22.3 versions earlier than 22.3R2.<br /> <br /> <br /> <br /> <br /> <br /> <br />

<br /> An Improper Check for Unusual or Exceptional Conditions vulnerability in Juniper DHCP Daemon (jdhcpd) of Juniper Networks Junos OS allows an adjacent, unauthenticated attacker to cause the jdhcpd to consume all the CPU cycles resulting in a Denial of Service (DoS).<br /> <br /> On Junos OS devices with forward-snooped-client configured, if an attacker sends a specific DHCP packet to a non-configured interface, this will cause an infinite loop. The DHCP process will have to be restarted to recover the service.<br /> <br /> This issue affects:<br /> <br /> Juniper Networks Junos OS<br /> <br /> <br /> <br /> * All versions earlier than 20.4R3-S9;<br /> * 21.2 versions earlier than 21.2R3-S7;<br /> * 21.3 versions earlier than 21.3R3-S5;<br /> * 21.4 versions earlier than 21.4R3-S5;<br /> * 22.1 versions earlier than 22.1R3-S4;<br /> * 22.2 versions earlier than 22.2R3-S3;<br /> * 22.3 versions earlier than 22.3R3-S2;<br /> * 22.4 versions earlier than 22.4R2-S2, 22.4R3;<br /> * 23.2 versions earlier than 23.2R2.<br /> <br /> <br /> <br /> <br /> <br /> <br />

A flaw was found in the blkgs destruction path in block/blk-cgroup.c in the Linux kernel, leading to a cgroup blkio memory leakage problem. When a cgroup is being destroyed, cgroup_rstat_flush() is only called at css_release_work_fn(), which is called when the blkcg reference count reaches 0. This circular dependency will prevent blkcg and some blkgs from being freed after they are made offline. This issue may allow an attacker with a local access to cause system instability, such as an out of memory error.

ONTAP versions 9.4 and higher are susceptible to a vulnerability <br /> which when successfully exploited could lead to disclosure of sensitive <br /> information to unprivileged attackers when the object-store profiler <br /> command is being run by an administrative user.<br /> <br />

A spoofing attack in ujcms v.8.0.2 allows a remote attacker to obtain sensitive information and execute arbitrary code via a crafted script to the X-Forwarded-For function in the header.