An Incorrect Permission Assignment for Critical Resource vulnerability in a specific file of Juniper Networks Junos OS and Junos OS Evolved allows a local authenticated attacker to read configuration changes without having the permissions.
When a user with the respective permissions commits a configuration change, a specific file is created. That file is readable even by users with no permissions to access the configuration. This can lead to privilege escalation as the user can read the password hash when a password change is being committed.
This issue affects:
Juniper Networks Junos OS
* All versions prior to 20.4R3-S4;
* 21.1 versions prior to 21.1R3-S4;
* 21.2 versions prior to 21.2R3-S2;
* 21.3 versions prior to 21.3R2-S2, 21.3R3-S1;
* 21.4 versions prior to 21.4R2-S1, 21.4R3.
Juniper Networks Junos OS Evolved
* All versions prior to 20.4R3-S4-EVO;
* 21.1 versions prior to 21.1R3-S2-EVO;
* 21.2 versions prior to 21.2R3-S2-EVO;
* 21.3 versions prior to 21.3R3-S1-EVO;
* 21.4 versions prior to 21.4R2-S2-EVO.
CVSS Score
5.0
EPSS Score
0.0
Published
2023-10-13
An Improper Check or Handling of Exceptional Conditions vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on QFX5000 Series, EX2300, EX3400, EX4100, EX4400 and EX4600 allows a adjacent attacker to send specific traffic, which leads to packet flooding, resulting in a Denial of Service (DoS).
When a specific IGMP packet is received in an isolated VLAN, it is duplicated to all other ports under the primary VLAN, which causes a flood.
This issue affects QFX5000 series, EX2300, EX3400, EX4100, EX4400 and EX4600 platforms only.
This issue affects Juniper Junos OS on on QFX5000 Series, EX2300, EX3400, EX4100, EX4400 and EX4600:
* All versions prior to 20.4R3-S5;
* 21.1 versions prior to 21.1R3-S4;
* 21.2 versions prior to 21.2R3-S3;
* 21.3 versions prior to 21.3R3-S5;
* 21.4 versions prior to 21.4R3-S2;
* 22.1 versions prior to 22.1R3;
* 22.2 versions prior to 22.2R3;
* 22.3 versions prior to 22.3R2.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-10-13
An Improperly Implemented Security Check for Standard vulnerability in storm control of Juniper Networks Junos OS QFX5k devices allows packets to be punted to ARP queue causing a l2 loop resulting in a DDOS violations and DDOS syslog.
This issue is triggered when Storm control is enabled and ICMPv6 packets are present on device.
This issue affects Juniper Networks:
Junos OS
* All versions prior to 20.2R3-S6 on QFX5k;
* 20.3 versions prior to 20.3R3-S5 on QFX5k;
* 20.4 versions prior to 20.4R3-S5 on QFX5k;
* 21.1 versions prior to 21.1R3-S4 on QFX5k;
* 21.2 versions prior to 21.2R3-S3 on QFX5k;
* 21.3 versions prior to 21.3R3-S2 on QFX5k;
* 21.4 versions prior to 21.4R3 on QFX5k;
* 22.1 versions prior to 22.1R3 on QFX5k;
* 22.2 versions prior to 22.2R2 on QFX5k.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-10-13
An Unchecked Return Value vulnerability in the user interfaces to the Juniper Networks Junos OS and Junos OS Evolved, the CLI, the XML API, the XML Management Protocol, the NETCONF Management Protocol, the gNMI interfaces, and the J-Web User Interfaces causes unintended effects such as demotion or elevation of privileges associated with an operators actions to occur.
Multiple scenarios may occur; for example: privilege escalation over the device or another account, access to files that should not otherwise be accessible, files not being accessible where they should be accessible, code expected to run as non-root may run as root, and so forth.
This issue affects:
Juniper Networks Junos OS
* All versions prior to 20.4R3-S7;
* 21.1 versions prior to 21.1R3-S5;
* 21.2 versions prior to 21.2R3-S5;
* 21.3 versions prior to 21.3R3-S4;
* 21.4 versions prior to 21.4R3-S3;
* 22.1 versions prior to 22.1R3-S2;
* 22.2 versions prior to 22.2R2-S2, 22.2R3;
* 22.3 versions prior to 22.3R1-S2, 22.3R2.
Juniper Networks Junos OS Evolved
* All versions prior to 21.4R3-S3-EVO;
* 22.1-EVO version 22.1R1-EVO and later versions prior to 22.2R2-S2-EVO, 22.2R3-EVO;
* 22.3-EVO versions prior to 22.3R1-S2-EVO, 22.3R2-EVO.
CVSS Score
7.3
EPSS Score
0.001
Published
2023-10-13
An Improper Input Validation vulnerability in the VxLAN packet forwarding engine (PFE) of Juniper Networks Junos OS on QFX5000 Series, EX4600 Series devices allows an unauthenticated, adjacent attacker, sending two or more genuine packets in the same VxLAN topology to possibly cause a DMA memory leak to occur under various specific operational conditions. The scenario described here is the worst-case scenario. There are other scenarios that require operator action to occur.
An indicator of compromise may be seen when multiple devices indicate that FPC0 has gone missing when issuing a show chassis fpc command for about 10 to 20 minutes, and a number of interfaces have also gone missing.
Use the following command to determine if FPC0 has gone missing from the device.
show chassis fpc detail
This issue affects:
Juniper Networks Junos OS on QFX5000 Series, EX4600 Series:
* 18.4 version 18.4R2 and later versions prior to 20.4R3-S8;
* 21.1 version 21.1R1 and later versions prior to 21.2R3-S6;
* 21.3 versions prior to 21.3R3-S5;
* 21.4 versions prior to 21.4R3-S4;
* 22.1 versions prior to 22.1R3-S3;
* 22.2 versions prior to 22.2R3-S1;
* 22.3 versions prior to 22.3R2-S2, 22.3R3;
* 22.4 versions prior to 22.4R2.
CVSS Score
6.5
EPSS Score
0.0
Published
2023-10-13
An Improper Handling of Inconsistent Special Elements vulnerability in the Junos Services Framework (jsf) module of Juniper Networks Junos OS allows an unauthenticated network based attacker to cause a crash in the Packet Forwarding Engine (pfe) and thereby resulting in a Denial of Service (DoS).
Upon receiving malformed SSL traffic, the PFE crashes. A manual restart will be needed to recover the device.
This issue only affects devices with Juniper Networks Advanced Threat Prevention (ATP) Cloud enabled with Encrypted Traffic Insights (configured via ‘security-metadata-streaming policy’).
This issue affects Juniper Networks Junos OS:
* All versions prior to 20.4R3-S8, 20.4R3-S9;
* 21.1 version 21.1R1 and later versions;
* 21.2 versions prior to 21.2R3-S6;
* 21.3 versions prior to 21.3R3-S5;
* 21.4 versions prior to 21.4R3-S5;
* 22.1 versions prior to 22.1R3-S4;
* 22.2 versions prior to 22.2R3-S2;
* 22.3 versions prior to 22.3R2-S2, 22.3R3;
* 22.4 versions prior to 22.4R2-S1, 22.4R3;
CVSS Score
7.5
EPSS Score
0.001
Published
2023-10-12
A Missing Release of Memory after Effective Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS).
PTX3000, PTX5000, QFX10000, PTX1000, PTX10002, and PTX10004, PTX10008 and PTX10016 with LC110x FPCs do not support certain flow-routes. Once a flow-route is received over an established BGP session and an attempt is made to install the resulting filter into the PFE, FPC heap memory is leaked. The FPC heap memory can be monitored using the CLI command "show chassis fpc".
The following syslog messages can be observed if the respective filter derived from a flow-route cannot be installed.
expr_dfw_sfm_range_add:661 SFM packet-length Unable to get a sfm entry for updating the hw
expr_dfw_hw_sfm_add:750 Unable to add the filter secondarymatch to the hardware
expr_dfw_base_hw_add:52 Failed to add h/w sfm data.
expr_dfw_base_hw_create:114 Failed to add h/w data.
expr_dfw_base_pfe_inst_create:241 Failed to create base inst for sfilter 0 on PFE 0 for __flowspec_default_inet__
expr_dfw_flt_inst_change:1368 Failed to create __flowspec_default_inet__ on PFE 0
expr_dfw_hw_pgm_fnum:465 dfw_pfe_inst_old not found for pfe_index 0!
expr_dfw_bp_pgm_flt_num:548 Failed to pgm bind-point in hw: generic failure
expr_dfw_bp_topo_handler:1102 Failed to program fnum.
expr_dfw_entry_process_change:679 Failed to change instance for filter __flowspec_default_inet__.
This issue affects Juniper Networks Junos OS:
on PTX1000, PTX10002, and PTX10004, PTX10008 and PTX10016 with LC110x FPCs:
* All versions prior to 20.4R3-S5;
* 21.1 versions prior to 21.1R3-S4;
* 21.2 versions prior to 21.2R3-S2;
* 21.3 versions prior to 21.3R3;
* 21.4 versions prior to 21.4R2-S2, 21.4R3;
* 22.1 versions prior to 22.1R1-S2, 22.1R2.
on PTX3000, PTX5000, QFX10000:
* All versions prior to 20.4R3-S8;
* 21.1 version 21.1R1 and later versions;
* 21.2 versions prior to 21.2R3-S6;
* 21.3 versions prior to 21.3R3-S5;
* 21.4 versions prior to 21.4R3-S4;
* 22.1 versions prior to 22.1R3-S3
* 22.2 versions prior to 22.2R3-S1
* 22.3 versions prior to 22.3R2-S2, 22.3R3
* 22.4 versions prior to 22.4R2.
CVSS Score
6.5
EPSS Score
0.001
Published
2023-10-12
An Improper Validation of Specified Quantity in Input vulnerability in the Layer-2 control protocols daemon (l2cpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker who sends specific LLDP packets to cause a Denial of Service(DoS).
This issue occurs when specific LLDP packets are received and telemetry polling is being done on the device. The impact of the l2cpd crash is reinitialization of STP protocols (RSTP, MSTP or VSTP), and MVRP and ERP. Also, if any services depend on LLDP state (like PoE or VoIP device recognition), then these will also be affected.
This issue affects:
Juniper Networks Junos OS
* All versions prior to 20.4R3-S8;
* 21.1 version 21.1R1 and later versions;
* 21.2 versions prior to 21.2R3-S5;
* 21.3 versions prior to 21.3R3-S4;
* 21.4 versions prior to 21.4R3-S3;
* 22.1 versions prior to 22.1R3-S2;
* 22.2 versions prior to 22.2R3;
* 22.3 versions prior to 22.3R2-S2;
* 22.4 versions prior to 22.4R2;
Juniper Networks Junos OS Evolved
* All versions prior to 20.4R3-S8-EVO;
* 21.1 version 21.1R1-EVO and later versions;
* 21.2 versions prior to 21.2R3-S5-EVO;
* 21.3 versions prior to 21.3R3-S4-EVO;
* 21.4 versions prior to 21.4R3-S3-EVO;
* 22.1 versions prior to 22.1R3-S2-EVO;
* 22.2 versions prior to 22.2R3-EVO;
* 22.3 versions prior to 22.3R2-S2-EVO;
* 22.4 versions prior to 22.4R1-S1-EVO;
CVSS Score
6.5
EPSS Score
0.0
Published
2023-10-12
An Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series allows a unauthenticated network-based attacker to cause an infinite loop, resulting in a Denial of Service (DoS).
An attacker who sends malformed TCP traffic via an interface configured with PPPoE, causes an infinite loop on the respective PFE. This results in consuming all resources and a manual restart is needed to recover.
This issue affects interfaces with PPPoE configured and tcp-mss enabled.
This issue affects Juniper Networks Junos OS
* All versions prior to 20.4R3-S7;
* 21.1 version 21.1R1 and later versions;
* 21.2 versions prior to 21.2R3-S6;
* 21.3 versions prior to 21.3R3-S5;
* 21.4 versions prior to 21.4R3-S3;
* 22.1 versions prior to 22.1R3-S4;
* 22.2 versions prior to 22.2R3;
* 22.3 versions prior to 22.3R2-S2;
* 22.4 versions prior to 22.4R2;
CVSS Score
7.5
EPSS Score
0.001
Published
2023-10-12
A Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in telemetry processing of Juniper Networks Junos OS allows a network-based authenticated attacker to flood the system with multiple telemetry requests, causing the Junos Kernel Debugging Streaming Daemon (jkdsd) process to crash, leading to a Denial of Service (DoS). Continued receipt and processing of telemetry requests will repeatedly crash the jkdsd process and sustain the Denial of Service (DoS) condition.
This issue is seen on all Junos platforms. The crash is triggered when multiple telemetry requests come from different collectors. As the load increases, the Dynamic Rendering Daemon (drend) decides to defer processing and continue later, which results in a timing issue accessing stale memory, causing the jkdsd process to crash and restart.
Note: jkdsd is not shipped with SRX Series devices and therefore are not affected by this vulnerability.
This issue affects:
Juniper Networks Junos OS:
* 20.4 versions prior to 20.4R3-S9;
* 21.1 versions 21.1R1 and later;
* 21.2 versions prior to 21.2R3-S6;
* 21.3 versions prior to 21.3R3-S5;
* 21.4 versions prior to 21.4R3-S5;
* 22.1 versions prior to 22.1R3-S4;
* 22.2 versions prior to 22.2R3-S2;
* 22.3 versions prior to 22.3R2-S1, 22.3R3-S1;
* 22.4 versions prior to 22.4R2-S2, 22.4R3;
* 23.1 versions prior to 23.1R2.
This issue does not affect Juniper Networks Junos OS versions prior to 19.4R1.
CVSS Score
5.3
EPSS Score
0.001
Published
2023-10-11