CVE-2023-44184

Summary

An Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the management daemon (mgd) process of Juniper Networks Junos OS and Junos OS Evolved allows a network-based authenticated low-privileged attacker, by executing a specific command via NETCONF, to cause a CPU Denial of Service to the device's control plane.

This issue affects:

Juniper Networks Junos OS

  • All versions prior to 20.4R3-S7;
  • 21.2 versions prior to 21.2R3-S5;
  • 21.3 versions prior to 21.3R3-S5;
  • 21.4 versions prior to 21.4R3-S4;
  • 22.1 versions prior to 22.1R3-S2;
  • 22.2 versions prior to 22.2R3;
  • 22.3 versions prior to 22.3R2-S1, 22.3R3;
  • 22.4 versions prior to 22.4R1-S2, 22.4R2.

Juniper Networks Junos OS Evolved

  • All versions prior to 21.4R3-S4-EVO;
  • 22.1 versions prior to 22.1R3-S2-EVO;
  • 22.2 versions prior to 22.2R3-EVO;
  • 22.3 versions prior to 22.3R3-EVO;
  • 22.4 versions prior to 22.4R2-EVO.

An indicator of compromise can be seen by first determining if the NETCONF client is logged in and fails to log out after a reasonable period of time and secondly reviewing the WCPU percentage for the mgd process by running the following command:

mgd process example:

user@device-re#> show system processes extensive | match "mgd|PID" | except last PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND 92476 root 100 0 500M 89024K CPU3 3 57.5H 89.60% mgd <<<<<<<<<<< review the high cpu percentage. Example to check for NETCONF activity:

While there is no specific command that shows a specific session in use for NETCONF, you can review logs for UI_LOG_EVENT with "client-mode 'netconf'"

For example:

mgd[38121]: UI_LOGIN_EVENT: User 'root' login, class 'super-user' [38121], ssh-connection '10.1.1.1 201 55480 10.1.1.2 22', client-mode 'netconf'

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS0 < 20.4R3-S7affected
Juniper NetworksJunos OS21.1 < 21.1R1affected
Juniper NetworksJunos OS21.2 < 21.2R3-S5affected
Juniper NetworksJunos OS21.3 < 21.3R3-S5affected
Juniper NetworksJunos OS21.4 < 21.4R3-S4affected
Juniper NetworksJunos OS22.1 < 22.1R3-S2affected
Juniper NetworksJunos OS22.2 < 22.2R3affected
Juniper NetworksJunos OS22.3 < 22.3R2-S1, 22.3R3affected
Juniper NetworksJunos OS22.4 < 22.4R1-S2, 22.4R2affected
Juniper NetworksJunos OS Evolved0 < 21.4R3-S4-EVOaffected
Juniper NetworksJunos OS Evolved22.1 < 22.1R3-S2-EVOaffected
Juniper NetworksJunos OS Evolved22.2 < 22.2R3-EVOaffected
Juniper NetworksJunos OS Evolved22.3 < 22.3R3-EVOaffected
Juniper NetworksJunos OS Evolved22.4 < 22.4R2-EVOaffected

Weaknesses

  • CWE-119: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Workarounds

There are no known workarounds for this issue.

The impact of this issue may be temporarily cleared by periodically restarting the management daemon.

To reduce the risk of exploitation enable access control lists (ACLs) and other filtering mechanisms to limit access to the device only from trusted hosts and networks to the NETCONF service.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References