// For flags

CVE-2022-22209

Junos OS: RIB and PFEs can get out of sync due to a memory leak caused by interface flaps or route churn

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A Missing Release of Memory after Effective Lifetime vulnerability in the kernel of Juniper Networks Junos OS allows an unauthenticated network based attacker to cause a Denial of Service (DoS). On all Junos platforms, the Kernel Routing Table (KRT) queue can get stuck due to a memory leak triggered by interface flaps or route churn leading to RIB and PFEs getting out of sync. The memory leak causes RTNEXTHOP/route and next-hop memory pressure issue and the KRT queue will eventually get stuck with the error- 'ENOMEM -- Cannot allocate memory'. The out-of-sync state between RIB and FIB can be seen with the "show route" and "show route forwarding-table" command. This issue will lead to failures for adding new routes. The KRT queue status can be checked using the CLI command "show krt queue": user@host > show krt state High-priority add queue: 1 queued ADD nhtype Router index 0 (31212) error 'ENOMEM -- Cannot allocate memory' kqp '0x8ad5e40' The following messages will be observed in /var/log/messages, which indicate high memory for routes/nexthops: host rpd[16279]: RPD_RT_HWM_NOTICE: New RIB highwatermark for routes: 266 [2022-03-04 05:06:07] host rpd[16279]: RPD_KRT_Q_RETRIES: nexthop ADD: Cannot allocate memory host rpd[16279]: RPD_KRT_Q_RETRIES: nexthop ADD: Cannot allocate memory host kernel: rts_veto_net_delayed_unref_limit: Route/nexthop memory is severe pressure. User Application to perform recovery actions. O p 8 err 12, rtsm_id 0:-1, msg type 10, veto simulation: 0. host kernel: rts_veto_net_delayed_unref_limit: Memory usage of M_RTNEXTHOP type = (806321208) Max size possible for M_RTNEXTHOP type = (689432176) Current delayed unref = (0), Max delayed unref on this platform = (120000) Current delayed weight unref = (0) Max delayed weight unref on this platform = (400000) curproc = rpd. This issue affects: Juniper Networks Junos OS 21.2 versions prior to 21.2R3; 21.3 versions prior to 21.3R2-S1, 21.3R3; 21.4 versions prior to 21.4R1-S2, 21.4R2; This issue does not affect Juniper Networks Junos OS versions prior to 21.2R1.

Una vulnerabilidad de Falta de Liberación de Memoria después del Tiempo de Vida Efectivo en el kernel de Junos OS de Juniper Networks permite a un atacante no autenticado basado en la red causar una Denegación de Servicio (DoS). En todas las plataformas Junos, la cola de la tabla de enrutamiento del núcleo (KRT) puede atascarse debido a una pérdida de memoria desencadenada por las solapas de la interfaz o el cambio de rutas, lo que conlleva a una desincronización de las RIB y las PFE. La fuga de memoria causa un problema de presión de memoria en RTNEXTHOP/ruta y en el siguiente salto y la cola de KRT se atascará finalmente con el error "ENOMEM -- Cannot allocate memory". El estado de desincronización entre la RIB y la FIB puede verse con el comando "show route" y "show route forwarding-table". Este problema conlleva a fallos al añadir nuevas rutas. El estado de la cola KRT puede comprobarse mediante el comando CLI "show krt queue": user@host ) show krt state High-priority add queue: 1 queued ADD nhtype Router index 0 (31212) error 'ENOMEM -- Cannot allocate memory' kqp '0x8ad5e40' Serán observados los siguientes mensajes en /var/log/messages, que indican una memoria elevada para las rutas/nexthops: host rpd[16279]: RPD_RT_HWM_NOTICE: Nueva memoria alta RIB para rutas: 266 [2022-03-04 05:06:07] host rpd[16279]: RPD_KRT_Q_RETRIES: nexthop ADD: No puede asignarse memoria host rpd[16279]: RPD_KRT_Q_RETRIES: nexthop ADD: No puede asignarse memoria al host kernel: rts_veto_net_delayed_unref_limit: La memoria de la ruta/nexthop está sometida a una fuerte presión. Aplicación de usuario para llevar a cabo acciones de recuperación. O p 8 err 12, rtsm_id 0:-1, msg type 10, veto simulation: 0. kernel del host: rts_veto_net_delayed_unref_limit: Uso de la memoria del tipo M_RTNEXTHOP = (806321208) Tamaño máximo posible para el tipo M_RTNEXTHOP = (689432176) Unref retrasado actual = (0), Unref retrasado máximo en esta plataforma = (120000) Unref de peso retrasado actual = (0) Unref de peso retrasado máximo en esta plataforma = (400000) curproc = rpd. Este problema afecta a: Juniper Networks Junos OS 21.2 versiones anteriores a 21.2R3; 21.3 versiones anteriores a 21.3R2-S1, 21.3R3; 21.4 versiones anteriores a 21.4R1-S2, 21.4R2; Este problema no afecta a versiones de Juniper Networks Junos OS anteriores a 21.2R1

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-12-21 CVE Reserved
  • 2022-07-20 CVE Published
  • 2023-12-31 EPSS Updated
  • 2024-09-17 CVE Updated
  • 2024-09-17 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-401: Missing Release of Memory after Effective Lifetime
CAPEC
References (1)
URL Tag Source
URL Date SRC
https://kb.juniper.net/JSA69713 2024-09-17
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
21.2
Search vendor "Juniper" for product "Junos" and version "21.2"
-
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
21.2
Search vendor "Juniper" for product "Junos" and version "21.2"
r1
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
21.2
Search vendor "Juniper" for product "Junos" and version "21.2"
r1-s1
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
21.2
Search vendor "Juniper" for product "Junos" and version "21.2"
r1-s2
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
21.2
Search vendor "Juniper" for product "Junos" and version "21.2"
r2
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
21.2
Search vendor "Juniper" for product "Junos" and version "21.2"
r2-s1
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
21.2
Search vendor "Juniper" for product "Junos" and version "21.2"
r2-s2
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
21.3
Search vendor "Juniper" for product "Junos" and version "21.3"
-
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
21.3
Search vendor "Juniper" for product "Junos" and version "21.3"
r1
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
21.3
Search vendor "Juniper" for product "Junos" and version "21.3"
r1-s1
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
21.3
Search vendor "Juniper" for product "Junos" and version "21.3"
r1-s2
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
21.3
Search vendor "Juniper" for product "Junos" and version "21.3"
r2
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
21.4
Search vendor "Juniper" for product "Junos" and version "21.4"
-
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
21.4
Search vendor "Juniper" for product "Junos" and version "21.4"
r1
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
21.4
Search vendor "Juniper" for product "Junos" and version "21.4"
r1-s1
Affected