CVE-2024-21612

Summary

An Improper Handling of Syntactically Invalid Structure vulnerability in Object Flooding Protocol (OFP) service of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).

On all Junos OS Evolved platforms, when specific TCP packets are received on an open OFP port, the OFP crashes leading to a restart of Routine Engine (RE). Continuous receipt of these specific TCP packets will lead to a sustained Denial of Service (DoS) condition.

This issue affects:

Juniper Networks Junos OS Evolved

  • All versions earlier than 21.2R3-S7-EVO;
  • 21.3 versions earlier than 21.3R3-S5-EVO ;
  • 21.4 versions earlier than 21.4R3-S5-EVO;
  • 22.1 versions earlier than 22.1R3-S4-EVO;
  • 22.2 versions earlier than 22.2R3-S3-EVO ;
  • 22.3 versions earlier than 22.3R3-EVO;
  • 22.4 versions earlier than 22.4R2-EVO, 22.4R3-EVO.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS Evolved0 < 21.2R3-S7-EVOaffected
Juniper NetworksJunos OS Evolved21.3 < 21.3R3-S5-EVOaffected
Juniper NetworksJunos OS Evolved21.4 < 21.4R3-S5-EVOaffected
Juniper NetworksJunos OS Evolved22.1 < 22.1R3-S4-EVOaffected
Juniper NetworksJunos OS Evolved22.2 < 22.2R3-S3-EVOaffected
Juniper NetworksJunos OS Evolved22.3 < 22.3R3-EVOaffected
Juniper NetworksJunos OS Evolved22.4 < 22.4R2-EVO, 22.4R3-EVOaffected

Weaknesses

  • CWE-228: CWE-228: Improper Handling of Syntactically Invalid Structure
  • Denial of Service (DoS)

Workarounds

In order to prevent this issue, following firewall filter needs to be added for each OFP port.

[ firewall family inet filter mgmt-filter term discard_ofp from protocol tcp ] [ firewall family inet filter mgmt-filter term discard_ofp from destination-port <ofp_port_1> ] [ firewall family inet filter mgmt-filter term discard_ofp from destination-port <ofp_port_2> ] [ firewall family inet filter mgmt-filter term discard_ofp then discard ] [ firewall family inet filter mgmt-filter term 2 then accept ]

[ interfaces re0:mgmt-0 unit 0 family inet filter input mgmt-filter ] [ interfaces re1:mgmt-0 unit 0 family inet filter input mgmt-filter ]

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References