CVE-2022-22167

Summary

A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources, when 'no-syn-check' is enabled on the device. While JDPI correctly classifies out-of-state asymmetric TCP flows as the dynamic-application UNKNOWN, this classification is not provided to the policy module properly and hence traffic continues to use the pre-id-default-policy, which is more permissive, causing the firewall to allow traffic to be forwarded that should have been denied. This issue only occurs when 'set security flow tcp-session no-syn-check' is configured on the device. This issue affects Juniper Networks Junos OS on SRX Series: 18.4 versions prior to 18.4R2-S10, 18.4R3-S10; 19.1 versions prior to 19.1R3-S8; 19.2 versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S3; 19.4 versions prior to 19.4R3-S5; 20.1 versions prior to 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R2-S2, 20.4R3; 21.1 versions prior to 21.1R2-S2, 21.1R3; 21.2 versions prior to 21.2R2. This issue does not affect Juniper Networks Junos OS versions prior to 18.4R1.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS18.4 < 18.4R2-S10, 18.4R3-S10affected
Juniper NetworksJunos OS19.1 < 19.1R3-S8affected
Juniper NetworksJunos OS19.2 < 19.2R1-S8, 19.2R3-S4affected
Juniper NetworksJunos OS19.3 < 19.3R3-S3affected
Juniper NetworksJunos OS19.4 < 19.4R3-S5affected
Juniper NetworksJunos OS20.1 < 20.1R3-S1affected
Juniper NetworksJunos OS20.2 < 20.2R3-S2affected
Juniper NetworksJunos OS20.3 < 20.3R3-S1affected
Juniper NetworksJunos OS20.4 < 20.4R2-S2, 20.4R3affected
Juniper NetworksJunos OS21.1 < 21.1R2-S2, 21.1R3affected
Juniper NetworksJunos OS21.2 < 21.2R2affected
Juniper NetworksJunos OSunspecified < 18.4R1unaffected

Weaknesses

  • CWE-863: CWE-863 Incorrect Authorization

Workarounds

Any of the following workarounds will mitigate this issue:

  1. Remove 'security flow tcp-session no-syn-check' from the configuration.

2: Enable AppID cache configuration: set services application-identification application-system-cache security-services

ADP Enrichment

CVE Program Container

Additional References

References