CVE-2023-22400

Summary

An Uncontrolled Resource Consumption vulnerability in the PFE management daemon (evo-pfemand) of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause an FPC crash leading to a Denial of Service (DoS). When a specific SNMP GET operation or a specific CLI command is executed this will cause a GUID resource leak, eventually leading to exhaustion and result in an FPC crash and reboot. GUID exhaustion will trigger a syslog message like one of the following for example: evo-pfemand[<pid>]: get_next_guid: Ran out of Guid Space … evo-aftmand-zx[<pid>]: get_next_guid: Ran out of Guid Space … This leak can be monitored by running the following command and taking note of the value in the rightmost column labeled Guids: user@host> show platform application-info allocations app evo-pfemand | match "IFDId|IFLId|Context" Node Application Context Name Live Allocs Fails Guids re0 evo-pfemand net::juniper::interfaces::IFDId 0 3448 0 3448 re0 evo-pfemand net::juniper::interfaces::IFLId 0 561 0 561 user@host> show platform application-info allocations app evo-pfemand | match "IFDId|IFLId|Context" Node Application Context Name Live Allocs Fails Guids re0 evo-pfemand net::juniper::interfaces::IFDId 0 3784 0 3784 re0 evo-pfemand net::juniper::interfaces::IFLId 0 647 0 647 This issue affects Juniper Networks Junos OS Evolved: All versions prior to 20.4R3-S3-EVO; 21.1-EVO version 21.1R1-EVO and later versions; 21.2-EVO versions prior to 21.2R3-S4-EVO; 21.3-EVO version 21.3R1-EVO and later versions; 21.4-EVO versions prior to 21.4R2-EVO.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS Evolvedunspecified < 20.4R3-S3-EVOaffected
Juniper NetworksJunos OS Evolved21.1R1-EVO < 21.1-EVO*affected
Juniper NetworksJunos OS Evolved21.2-EVO < 21.2R3-S4-EVOaffected
Juniper NetworksJunos OS Evolved21.3R1-EVO < 21.3-EVO*affected
Juniper NetworksJunos OS Evolved21.4-EVO < 21.4R2-EVOaffected

Weaknesses

  • CWE-400: CWE-400 Uncontrolled Resource Consumption
  • Denial of Service (DoS)

Workarounds

There are no known workarounds for this issue.

To reduce the risk of exploitation of this issue, use access lists or firewall filters to limit access to only trusted networks, hosts and users.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References