CVE-2021-0228
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
An improper check for unusual or exceptional conditions vulnerability in Juniper Networks MX Series platforms with Trio-based MPC (Modular Port Concentrator) deployed in (Ethernet VPN) EVPN-(Virtual Extensible LAN) VXLAN configuration, may allow an attacker sending specific Layer 2 traffic to cause Distributed Denial of Service (DDoS) protection to trigger unexpectedly, resulting in traffic impact. Continued receipt and processing of this specific Layer 2 frames will sustain the Denial of Service (DoS) condition. An indication of compromise is to check DDOS LACP violations: user@device> show ddos-protection protocols statistics brief | match lacp This issue only affects the MX Series platforms with Trio-based MPC. No other products or platforms are affected. This issue affects: Juniper Networks Junos OS on MX Series: 15.1 versions prior to 15.1R7-S9; 17.3 versions prior to 17.3R3-S11; 17.4 versions prior to 17.4R3-S4; 18.1 versions prior to 18.1R3-S12; 18.2 versions prior to 18.2R2-S8, 18.2R3-S8; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R1-S8, 18.4R2-S7, 18.4R3-S7; 19.1 versions prior to 19.1R3-S4; 19.2 versions prior to 19.2R1-S6; 19.3 versions prior to 19.3R3-S2; 19.4 versions prior to 19.4R2-S4, 19.4R3-S2; 20.1 versions prior to 20.1R2, 20.1R3; 20.2 versions prior to 20.2R2-S1, 20.2R3; 20.3 versions prior to 20.3R1-S1, 20.3R2;
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Juniper Networks | Junos OS | 15.1 < 15.1R7-S9 | affected |
| Juniper Networks | Junos OS | 17.3 < 17.3R3-S11 | affected |
| Juniper Networks | Junos OS | 17.4 < 17.4R3-S4 | affected |
| Juniper Networks | Junos OS | 18.1 < 18.1R3-S12 | affected |
| Juniper Networks | Junos OS | 18.2 < 18.2R2-S8, 18.2R3-S8 | affected |
| Juniper Networks | Junos OS | 18.3 < 18.3R3-S4 | affected |
| Juniper Networks | Junos OS | 18.4 < 18.4R1-S8, 18.4R2-S7, 18.4R3-S7 | affected |
| Juniper Networks | Junos OS | 19.1 < 19.1R3-S4 | affected |
| Juniper Networks | Junos OS | 19.2 < 19.2R1-S6 | affected |
| Juniper Networks | Junos OS | 19.3 < 19.3R3-S2 | affected |
| Juniper Networks | Junos OS | 19.4 < 19.4R2-S4, 19.4R3-S2 | affected |
| Juniper Networks | Junos OS | 20.1 < 20.1R2, 20.1R3 | affected |
| Juniper Networks | Junos OS | 20.2 < 20.2R2-S1, 20.2R3 | affected |
| Juniper Networks | Junos OS | 20.3 < 20.3R1-S1, 20.3R2 | affected |
Weaknesses
- CWE-754: CWE-754 Improper Check for Unusual or Exceptional Conditions
Workarounds
DDoS for LACP can be disabled:
set system ddos-protection protocols lacp aggregate disable-routing-engine set system ddos-protection protocols lacp aggregate disable-fpc
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.