CVE-2022-22170 – Junos OS: Specific packets over VXLAN cause FPC memory leak and ultimately reset
https://notcve.org/view.php?id=CVE-2022-22170
A Missing Release of Resource after Effective Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause a Denial of Service (DoS) by sending specific packets over VXLAN which cause heap memory to leak and on exhaustion the PFE to reset. The heap memory utilization can be monitored with the command: user@host> show chassis fpc This issue affects: Juniper Networks Junos OS 19.4 versions prior to 19.4R2-S6, 19.4R3-S6; 20.1 versions prior to 20.1R3-S2; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R3; 21.2 versions prior to 21.2R2. This issue does not affect versions of Junos OS prior to 19.4R1. Una vulnerabilidad de Falta de Liberación de Recursos Después del Tiempo de Vida Efectivo en el Motor de Reenvío de Paquetes (PFE) del Sistema Operativo Junos de Juniper Networks permite a un atacante no autenticado en red causar una denegación de servicio (DoS) mediante el envío de paquetes específicos a través de VXLAN que causan una pérdida de memoria de la pila y, al agotarse, el PFE es reiniciado. El uso de la memoria de la pila puede supervisarse con el comando: user@host) show chassis fpc Este problema afecta a: Juniper Networks Junos OS 19.4 versiones anteriores a 19.4R2-S6, 19.4R3-S6; 20.1 versiones anteriores a 20.1R3-S2; versiones 20.2 anteriores a 20.2R3-S3; versiones 20.3 anteriores a 20.3R3-S1; versiones 20.4 anteriores a 20.4R3; versiones 21.1 anteriores a 21.1R3; versiones 21.2 anteriores a 21.2R2. • https://kb.juniper.net/JSA11277 • CWE-772: Missing Release of Resource after Effective Lifetime •
CVE-2022-22169 – Junos OS and Junos OS Evolved: OSPFv3 session might go into INIT state upon receipt of multiple crafted packets from a trusted neighbor device.
https://notcve.org/view.php?id=CVE-2022-22169
An Improper Initialization vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an attacker who sends specific packets in certain orders and at specific timings to force OSPFv3 to unexpectedly enter graceful-restart (GR helper mode) even though there is not any Grace-LSA received in OSPFv3 causing a Denial of Service (DoS). Unexpectedly entering GR helper mode might cause the OSPFv3 neighbor adjacency formed on this interface to be stuck in the "INIT" state which can be observed by issuing the following command: user@device> show ospf3 neighbor ID Interface State xx.xx.xx.xx ae100.0 Init <<<<<<<<<< An indicator of compromise can be seen in log files when traceoptions for OSPFv3 are enabled before the issue occurs. These logfile messages are as follows: OSPF restart signaling: Received hello with LR bit set from nbr ip=xx::xx id=xx.xx.xx.xx. Set oob-resync capabilty 1. OSPF Restart Signaling: Start helper mode for nbr ip xx::xx id xx.xx.xx.xx OSPF restart signaling: abort helper mode for nbr ip=xx::xx id=xx.xx.xx.xx OSPF neighbor xx::xx (realm ipv6-unicast <interface.unit> area xx.xx.xx.xx) state changed from Full to Init due to 1WayRcvd (event reason: neighbor is in one-way mode) (nbr helped: 0) This issue affects: Juniper Networks Junos OS. 15.1 versions prior to 15.1R7-S11; 18.3 versions prior to 18.3R3-S6; 18.4 versions prior to 18.4R2-S9, 18.4R3-S10; 19.1 versions prior to 19.1R2-S3, 19.1R3-S7; 19.2 versions prior to 19.2R1-S7, 19.2R3-S4; 19.3 versions prior to 19.3R2-S7, 19.3R3-S4; 19.4 versions prior to 19.4R3-S6; 20.1 versions prior to 20.1R3-S1; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R2-S2, 20.4R3; 21.1 versions prior to 21.1R3; 21.2 versions prior to 21.2R1-S1, 21.2R2. • https://kb.juniper.net/JSA11276 • CWE-665: Improper Initialization •
CVE-2022-22168 – Junos OS: vMX and MX150: Specific packets might cause a memory leak and eventually an FPC reboot
https://notcve.org/view.php?id=CVE-2022-22168
An Improper Validation of Specified Type of Input vulnerability in the kernel of Juniper Networks Junos OS allows an unauthenticated adjacent attacker to trigger a Missing Release of Memory after Effective Lifetime vulnerability. Continued exploitation of this vulnerability will eventually lead to an FPC reboot and thereby a Denial of Service (DoS). This issue affects: Juniper Networks Junos OS on vMX and MX150: All versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S5; 19.4 versions prior to 19.4R2-S5, 19.4R3-S6; 20.1 versions prior to 20.1R3-S2; 20.2 versions prior to 20.2R3-S3; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2-S1, 21.1R3; 21.2 versions prior to 21.2R1-S1, 21.2R2; 21.3 versions prior to 21.3R1-S1, 21.3R2. Una vulnerabilidad de Comprobación Inapropiada del Tipo de Entrada especificado en el kernel del Sistema Operativo Junos de Juniper Networks permite a un atacante adyacente no autenticado desencadenar una vulnerabilidad de Falta de Liberación de Memoria Después del Tiempo de Vida Efectivo. Una explotación continuada de esta vulnerabilidad conllevará finalmente a un reinicio del FPC y, por tanto, una denegación de servicio (DoS). • https://kb.juniper.net/JSA11275 • CWE-401: Missing Release of Memory after Effective Lifetime CWE-1287: Improper Validation of Specified Type of Input •
CVE-2022-22167 – Junos OS: SRX Series: If no-syn-check is enabled, traffic classified as UNKNOWN gets permitted by pre-id-default-policy
https://notcve.org/view.php?id=CVE-2022-22167
A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources, when 'no-syn-check' is enabled on the device. While JDPI correctly classifies out-of-state asymmetric TCP flows as the dynamic-application UNKNOWN, this classification is not provided to the policy module properly and hence traffic continues to use the pre-id-default-policy, which is more permissive, causing the firewall to allow traffic to be forwarded that should have been denied. This issue only occurs when 'set security flow tcp-session no-syn-check' is configured on the device. This issue affects Juniper Networks Junos OS on SRX Series: 18.4 versions prior to 18.4R2-S10, 18.4R3-S10; 19.1 versions prior to 19.1R3-S8; 19.2 versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S3; 19.4 versions prior to 19.4R3-S5; 20.1 versions prior to 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R2-S2, 20.4R3; 21.1 versions prior to 21.1R2-S2, 21.1R3; 21.2 versions prior to 21.2R2. This issue does not affect Juniper Networks Junos OS versions prior to 18.4R1. • https://kb.juniper.net/JSA11265 • CWE-863: Incorrect Authorization •
CVE-2022-22166 – Junos OS: An rpd core will occur if BGP update tracing is configured and an update containing a malformed BGP SR-TE policy tunnel attribute is received
https://notcve.org/view.php?id=CVE-2022-22166
An Improper Validation of Specified Quantity in Input vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause an rdp crash and thereby a Denial of Service (DoS). If a BGP update message is received over an established BGP session where a BGP SR-TE policy tunnel attribute is malformed and BGP update tracing flag is enabled, the rpd will core. This issue can happen with any BGP session as long as the previous conditions are met. This issue can not propagate as the crash occurs as soon as the malformed update is received. This issue affects Juniper Networks Junos OS: 20.4 versions prior to 20.4R3-S1; 21.1 versions prior to 21.1R2-S2, 21.1R3. • https://kb.juniper.net/JSA11274 • CWE-1284: Improper Validation of Specified Quantity in Input •