A vulnerability in the processing of specific MPLS packets in Juniper Networks Junos OS on MX Series and EX9200 Series devices with Trio-based MPCs (Modular Port Concentrators) may cause FPC to crash and lead to a Denial of Service (DoS) condition. Continued receipt of this packet will sustain the Denial of Service (DoS) condition. This issue only affects MX Series and EX9200 Series with Trio-based PFEs (Packet Forwarding Engines). This issue affects Juniper Networks Junos OS on MX Series, EX9200 Series: 17.3 versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R2-S13, 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R2-S8, 18.4R3-S8; 19.1 versions prior to 19.1R3-S5; 19.2 versions prior to 19.2R3-S2; 19.3 versions prior to 19.3R2-S6, 19.3R3-S3; 19.4 versions prior to 19.4R1-S4, 19.4R2-S4, 19.4R3-S2; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R2-S2, 20.2R3; 20.3 versions prior to 20.3R2; 20.4 versions prior to 20.4R2;
CVSS Score
6.5
EPSS Score
0.001
Published
2021-07-15
When user-defined ARP Policer is configured and applied on one or more Aggregated Ethernet (AE) interface units, a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability between the Device Control Daemon (DCD) and firewall process (dfwd) daemons of Juniper Networks Junos OS allows an attacker to bypass the user-defined ARP Policer. In this particular case the User ARP policer is replaced with default ARP policer. To review the desired ARP Policers and actual state one can run the command "show interfaces <> extensive" and review the output. See further details below. An example output is: show interfaces extensive | match policer Policer: Input: __default_arp_policer__ <<< incorrect if user ARP Policer was applied on an AE interface and the default ARP Policer is displayed Policer: Input: jtac-arp-ae5.317-inet-arp <<< correct if user ARP Policer was applied on an AE interface For all platforms, except SRX Series: This issue affects Juniper Networks Junos OS: All versions 5.6R1 and all later versions prior to 18.4 versions prior to 18.4R2-S9, 18.4R3-S9 with the exception of 15.1 versions 15.1R7-S10 and later versions; 19.4 versions prior to 19.4R3-S3; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3-S2; 20.3 version 20.3R1 and later versions; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2; This issue does not affect Juniper Networks Junos OS versions prior to 5.6R1. On SRX Series this issue affects Juniper Networks Junos OS: 18.4 versions prior to 18.4R2-S9, 18.4R3-S9; 19.4 versions prior to 19.4R3-S4; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3-S2; 20.3 version 20.3R1 and later versions; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2. This issue does not affect 18.4 versions prior to 18.4R1 on SRX Series. This issue does not affect Junos OS Evolved.
CVSS Score
6.5
EPSS Score
0.001
Published
2021-07-15
Improper Handling of Exceptional Conditions in Ethernet interface frame processing of Juniper Networks Junos OS allows an attacker to send specially crafted frames over the local Ethernet segment, causing the interface to go into a down state, resulting in a Denial of Service (DoS) condition. The interface does not recover on its own and the FPC must be reset manually. Continued receipt and processing of these frames will create a sustained Denial of Service (DoS) condition. This issue is platform-specific and affects the following platforms and line cards: * MPC7E/8E/9E and MPC10E on MX240, MX480, MX960, MX2008, MX2010, and MX2020 * MX204, MX10003, MX10008, MX10016 * EX9200, EX9251 * SRX4600 No other products or platforms are affected by this vulnerability. An indication of this issue occurring can be seen in the system log messages, as shown below: user@host> show log messages | match "Failed to complete DFE tuning" fpc4 smic_phy_dfe_tuning_state: et-4/1/6 - Failed to complete DFE tuning (count 3) and interface will be in a permanently down state: user@host> show interfaces et-4/1/6 terse Interface Admin Link Proto Local Remote et-4/1/6 up down et-4/1/6.0 up down aenet --> ae101.0 This issue affects Juniper Networks Junos OS: 16.1 versions prior to 16.1R7-S7 on MX Series; 17.1R1 and later versions prior to 17.2R3-S3 on MX Series; 17.3 versions prior to 17.3R3-S8 on MX Series; 17.4 versions prior to 17.4R2-S11, 17.4R3-S1 on MX Series, SRX4600; 18.1 versions prior to 18.1R3-S10 on MX Series, EX9200 Series, SRX4600; 18.2 versions prior to 18.2R3-S3 on MX Series, EX9200 Series, SRX4600; 18.3 versions prior to 18.3R3-S1 on MX Series, EX9200 Series, SRX4600; 18.4 versions prior to 18.4R2-S3, 18.4R3 on MX Series, EX9200 Series, SRX4600; 19.1 versions prior to 19.1R2-S1, 19.1R3 on MX Series, EX9200 Series, SRX4600; 19.2 versions prior to 19.2R1-S3, 19.2R2 on MX Series, EX9200 Series, SRX4600; 19.3 versions prior to 19.3R2 on MX Series, EX9200 Series, SRX4600. This issue does not affect Juniper Networks Junos OS versions prior to 16.1R1.
CVSS Score
6.5
EPSS Score
0.001
Published
2021-07-15
An Out-of-bounds Read vulnerability in the processing of specially crafted LLDP frames by the Layer 2 Control Protocol Daemon (l2cpd) of Juniper Networks Junos OS and Junos OS Evolved may allow an attacker to cause a Denial of Service (DoS), or may lead to remote code execution (RCE). Continued receipt and processing of these frames, sent from the local broadcast domain, will repeatedly crash the l2cpd process and sustain the Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS: 12.3 versions prior to 12.3R12-S18; 15.1 versions prior to 15.1R7-S9; 17.3 versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R2-S13, 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R2-S8, 18.4R3-S8; 19.1 versions prior to 19.1R3-S5; 19.2 versions prior to 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S2; 19.4 versions prior to 19.4R1-S4, 19.4R2-S4, 19.4R3-S3; 20.1 versions prior to 20.1R2-S2, 20.1R3; 20.2 versions prior to 20.2R3-S1; 20.3 versions prior to 20.3R2-S1, 20.3R3; 20.4 versions prior to 20.4R2. Juniper Networks Junos OS Evolved versions prior to 20.4R2-EVO.
CVSS Score
8.8
EPSS Score
0.002
Published
2021-07-15
Due to an Improper Initialization vulnerability in Juniper Networks Junos OS on PTX platforms and QFX10K Series with Paradise (PE) chipset-based line cards, ddos-protection configuration changes made from the CLI will not take effect as expected beyond the default DDoS (Distributed Denial of Service) settings in the Packet Forwarding Engine (PFE). This may cause BFD sessions to flap when a high rate of specific packets are received. Flapping of BFD sessions in turn may impact routing protocols and network stability, leading to a Denial of Service (DoS) condition. Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue affects only the following platforms with Paradise (PE) chipset-based line cards: PTX1000, PTX3000 (NextGen), PTX5000, PTX10008, PTX10016 Series and QFX10002 Series. This issue affects: Juniper Networks Junos OS 17.4 versions prior to 17.4R3-S5 on PTX Series, QFX10K Series; 18.2 versions prior to 18.2R3-S8 on PTX Series, QFX10K Series; 18.3 versions prior to 18.3R3-S5 on PTX Series, QFX10K Series; 18.4 versions prior to 18.4R2-S8 on PTX Series, QFX10K Series; 19.1 versions prior to 19.1R3-S5 on PTX Series, QFX10K Series; 19.2 versions prior to 19.2R3-S2 on PTX Series, QFX10K Series; 19.3 versions prior to 19.3R3-S2 on PTX Series, QFX10K Series; 19.4 versions prior to 19.4R3-S2 on PTX Series, QFX10K Series; 20.1 versions prior to 20.1R3 on PTX Series, QFX10K Series; 20.2 versions prior to 20.2R2-S3, 20.2R3 on PTX Series, QFX10K Series; 20.3 versions prior to 20.3R2 on PTX Series, QFX10K Series; 20.4 versions prior to 20.4R2 on PTX Series, QFX10K Series.
CVSS Score
7.5
EPSS Score
0.004
Published
2021-07-15
On Juniper Networks Junos OS devices configured with BGP origin validation using Resource Public Key Infrastructure (RPKI) receipt of a specific packet from the RPKI cache server may cause routing process daemon (RPD) to crash and restart, creating a Denial of Service (DoS) condition. Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS 17.3 versions prior to 17.3R3-S12; 17.4 versions prior to 17.4R3-S5; 18.1 versions prior to 18.1R3-S13; 18.2 versions prior to 18.2R3-S8; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R2-S8, 18.4R3-S8; 19.1 versions prior to 19.1R3-S5; 19.2 versions prior to 19.2R3-S2; 19.3 versions prior to 19.3R2-S6, 19.3R3-S2; 19.4 versions prior to 19.4R2-S4, 19.4R3-S3; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3; 20.3 versions prior to 20.3R2; 20.4 versions prior to 20.4R2. Juniper Networks Junos OS Evolved All versions prior to 20.4R2-S2-EVO.
CVSS Score
5.9
EPSS Score
0.003
Published
2021-07-15
On Juniper Networks Junos OS devices with Multipath or add-path feature enabled, processing a specific BGP UPDATE can lead to a routing process daemon (RPD) crash and restart, causing a Denial of Service (DoS). Continued receipt and processing of this UPDATE message will create a sustained Denial of Service (DoS) condition. This BGP UPDATE message can propagate to other BGP peers with vulnerable Junos versions on which Multipath or add-path feature is enabled, and cause RPD to crash and restart. This issue affects both IBGP and EBGP deployments in IPv4 or IPv6 network. Junos OS devices that do not have the BGP Multipath or add-path feature enabled are not affected by this issue. This issue affects: Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S18; 15.1 versions prior to 15.1R7-S9; 17.3 versions prior to 17.3R3-S11; 17.4 versions prior to 17.4R2-S13, 17.4R3-S4; 18.1 versions prior to 18.1R3-S12; 18.2 versions prior to 18.2R3-S7; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R2-S6, 18.4R3-S6; 19.1 versions prior to 19.1R3-S3;
CVSS Score
7.5
EPSS Score
0.004
Published
2021-07-15
A kernel memory leak in QFX10002-32Q, QFX10002-60C, QFX10002-72Q, QFX10008, QFX10016 devices Flexible PIC Concentrators (FPCs) on Juniper Networks Junos OS allows an attacker to send genuine packets destined to the device to cause a Denial of Service (DoS) to the device. On QFX10002-32Q, QFX10002-60C, QFX10002-72Q devices the device will crash and restart. On QFX10008, QFX10016 devices, depending on the number of FPCs involved in an attack, one more more FPCs may crash and traffic through the device may be degraded in other ways, until the attack traffic stops. A reboot is required to restore service and clear the kernel memory. Continued receipt and processing of these genuine packets will create a sustained Denial of Service (DoS) condition. On QFX10008, QFX10016 devices, an indicator of compromise may be the existence of DCPFE core files. You can also monitor PFE memory utilization for incremental growth: user@qfx-RE:0% cprod -A fpc0 -c "show heap 0" | grep -i ke 0 3788a1b0 3221225048 2417120656 804104392 24 Kernel user@qfx-RE:0% cprod -A fpc0 -c "show heap 0" | grep -i ke 0 3788a1b0 3221225048 2332332200 888892848 27 Kernel This issue affects: Juniper Networks Junos OS on QFX10002-32Q, QFX10002-60C, QFX10002-72Q, QFX10008, QFX10016: 16.1 versions 16.1R1 and above prior to 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R3-S2; 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R3-S5; 18.3 versions prior to 18.3R3-S3; 18.4 versions prior to 18.4R2-S5, 18.4R3-S4; 19.1 versions prior to 19.1R3-S2; 19.2 versions prior to 19.2R3; 19.3 versions prior to 19.3R3; 19.4 versions prior to 19.4R3; 20.1 versions prior to 20.1R2. This issue does not affect releases prior to Junos OS 16.1R1. This issue does not affect EX Series devices. This issue does not affect Junos OS Evolved.
CVSS Score
6.5
EPSS Score
0.001
Published
2021-04-22
An always-incorrect control flow implementation in the implicit filter terms of Juniper Networks Junos OS and Junos OS Evolved on ACX5800, EX9200 Series, MX10000 Series, MX240, MX480, MX960 devices with affected Trio line cards allows an attacker to exploit an interdependency in the PFE UCODE microcode of the Trio chipset with various line cards to cause packets destined to the devices interfaces to cause a Denial of Service (DoS) condition by looping the packet with an unreachable exit condition ('Infinite Loop'). To break this loop once it begins one side of the affected LT interfaces will need to be disabled. Once disabled, the condition will clear and the disabled LT interface can be reenabled. Continued receipt and processing of these packets will create a sustained Denial of Service (DoS) condition. This issue only affects LT-LT interfaces. Any other interfaces are not affected by this issue. This issue affects the following cards: MPCE Type 3 3D MPC4E 3D 32XGE MPC4E 3D 2CGE+8XGE EX9200 32x10G SFP EX9200-2C-8XS FPC Type 5-3D FPC Type 5-LSR EX9200 4x40G QSFP An Indicator of Compromise (IoC) can be seen by examining the traffic of the LT-LT interfaces for excessive traffic using the following command: monitor interface traffic Before loop impact: Interface: lt-2/0/0, Enabled, Link is Up Encapsulation: Logical-tunnel, Speed: 100000mbps Traffic statistics: Current delta Input bytes: 3759900268942 (1456 bps) [0] <---------- LT interface utilization is low Output bytes: 3759900344309 (1456 bps) [0] <---------- LT interface utilization is low After loop impact: Interface: lt-2/0/0, Enabled, Link is Up Encapsulation: Logical-tunnel, Speed: 100000mbps Traffic statistics: Current delta Input bytes: 3765160313129 (2158268368 bps) [5260044187] <---------- LT interface utilization is very high Output bytes: 3765160399522 (2158266440 bps) [5260055213] <---------- LT interface utilization is very high This issue affects: Juniper Networks Junos OS on ACX5800, EX9200 Series, MX10000 Series, MX240, MX480, MX960. Versions 15.1F6, 16.1R1, and later versions prior to 16.1R7-S8; 17.1 versions prior to 17.1R2-S12; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S10, 17.4R3-S2; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R2-S7, 18.2R3-S3; 18.3 versions prior to 18.3R1-S7, 18.3R3-S2; 18.4 versions prior to 18.4R1-S7, 18.4R2-S4, 18.4R3-S2; 19.1 versions prior to 19.1R1-S5, 19.1R2-S1, 19.1R3; 19.2 versions prior to 19.2R1-S4, 19.2R2; 19.3 versions prior to 19.3R2-S3, 19.3R3; 19.4 versions prior to 19.4R1-S1, 19.4R2. This issue does not affect the MX10001. This issue does not affect Juniper Networks Junos OS versions prior to 15.1F6, 16.1R1. Juniper Networks Junos OS Evolved on ACX5800, EX9200 Series, MX10000 Series, MX240, MX480, MX960 19.4 versions prior to 19.4R2-EVO. This issue does not affect the MX10001.
CVSS Score
5.3
EPSS Score
0.003
Published
2021-04-22
A Cross-site Scripting (XSS) vulnerability in J-Web on Juniper Networks Junos OS allows an attacker to target another user's session thereby gaining access to the users session. The other user session must be active for the attack to succeed. Once successful, the attacker has the same privileges as the user. If the user has root privileges, the attacker may be able to gain full control of the device. This issue affects: Juniper Networks Junos OS: 12.3 versions prior to 12.3R12-S15 on EX Series; 12.3X48 versions prior to 12.3X48-D95 on SRX Series; 15.1 versions prior to 15.1R7-S6 on EX Series; 15.1X49 versions prior to 15.1X49-D200 on SRX Series; 16.1 versions prior to 16.1R7-S7; 16.2 versions prior to 16.2R2-S11, 16.2R3; 17.1 versions prior to 17.1R2-S11, 17.1R3-S2; 17.2 versions prior to 17.2R3-S3; 17.3 versions prior to 17.3R2-S5, 17.3R3-S7; 17.4 versions prior to 17.4R2-S9, 17.4R3; 18.1 versions prior to 18.1R3-S9; 18.2 versions prior to 18.2R2-S7, 18.2R3-S3; 18.3 versions prior to 18.3R1-S7, 18.3R2-S3, 18.3R3-S1; 18.4 versions prior to 18.4R1-S6, 18.4R2-S4, 18.4R3; 19.1 versions prior to 19.1R2-S1, 19.1R3; 19.2 versions prior to 19.2R1-S3, 19.2R2; 19.3 versions prior to 19.3R2.
CVSS Score
8.8
EPSS Score
0.005
Published
2021-04-22