CVE-2022-22194

Summary

An Improper Check for Unusual or Exceptional Conditions vulnerability in the packetIO daemon of Juniper Networks Junos OS Evolved on PTX10003, PTX10004, and PTX10008 allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). Continued receipt of these crafted packets will cause a sustained Denial of Service condition. This issue affects Juniper Networks Junos OS Evolved all versions prior to 20.4R2-S3-EVO on PTX10003, PTX10004, and PTX10008. This issue does not affect: Juniper Networks Junos OS Evolved versions 21.1R1-EVO and above; Juniper Networks Junos OS.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS Evolvedunspecified < 20.4R2-S3-EVO, 20.4R3-EVOaffected
Juniper NetworksJunos OS Evolved21.1R1-EVO < 21.1*unaffected
Juniper NetworksJunos OSanyunaffected

Weaknesses

  • CWE-754: CWE-754 Improper Check for Unusual or Exceptional Conditions
  • Denial of Service (DoS)

Workarounds

One characteristic of this vulnerability is that an FPC restart will only be triggered by a crafted GRE packet which has its' TTL set to 0 or 1 so as a workaround a filter can be implemented that drops such packets:

set firewall family inet filter GREfilter term 1 from protocol gre set firewall family inet filter GREfilter term 1 from ttl 0 set firewall family inet filter GREfilter term 1 then count gre-ttl-0 set firewall family inet filter GREfilter term 1 then discard set firewall family inet filter GREfilter term 2 from protocol gre set firewall family inet filter GREfilter term 2 from ttl 1 set firewall family inet filter GREfilter term 2 then count gre-ttl-1 set firewall family inet filter GREfilter term 2 then discard set firewall family inet filter GREfilter term default then accept

An equivalent filter for family inet6 is required if IPv6 is configured on at least one interface.

ADP Enrichment

CVE Program Container

Additional References

References