CVE-2021-0205

Summary

When the "Intrusion Detection Service" (IDS) feature is configured on Juniper Networks MX series with a dynamic firewall filter using IPv6 source or destination prefix, it may incorrectly match the prefix as /32, causing the filter to block unexpected traffic. This issue affects only IPv6 prefixes when used as source and destination. This issue affects MX Series devices using MS-MPC, MS-MIC or MS-SPC3 service cards with IDS service configured. This issue affects: Juniper Networks Junos OS 17.3 versions prior to 17.3R3-S10 on MX Series; 17.4 versions prior to 17.4R3-S3 on MX Series; 18.1 versions prior to 18.1R3-S11 on MX Series; 18.2 versions prior to 18.2R3-S6 on MX Series; 18.3 versions prior to 18.3R3-S4 on MX Series; 18.4 versions prior to 18.4R3-S6 on MX Series; 19.1 versions prior to 19.1R2-S2, 19.1R3-S3 on MX Series; 19.2 versions prior to 19.2R3-S1 on MX Series; 19.3 versions prior to 19.3R2-S5, 19.3R3-S1 on MX Series; 19.4 versions prior to 19.4R3 on MX Series; 20.1 versions prior to 20.1R2 on MX Series; 20.2 versions prior to 20.2R2 on MX Series;

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS17.3 < 17.3R3-S10affected
Juniper NetworksJunos OS17.4 < 17.4R3-S3affected
Juniper NetworksJunos OS18.1 < 18.1R3-S11affected
Juniper NetworksJunos OS18.2 < 18.2R3-S6affected
Juniper NetworksJunos OS18.3 < 18.3R3-S4affected
Juniper NetworksJunos OS18.4 < 18.4R3-S6affected
Juniper NetworksJunos OS19.1 < 19.1R2-S2, 19.1R3-S3affected
Juniper NetworksJunos OS19.2 < 19.2R3-S1affected
Juniper NetworksJunos OS19.3 < 19.3R2-S5, 19.3R3-S1affected
Juniper NetworksJunos OS19.4 < 19.4R3affected
Juniper NetworksJunos OS20.1 < 20.1R2affected
Juniper NetworksJunos OS20.2 < 20.2R2affected

Weaknesses

  • CWE-284: CWE-284 Improper Access Control

Workarounds

IDS configuration can be disabled.

ADP Enrichment

CVE Program Container

Additional References

References