CVE-2024-21612
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
An Improper Handling of Syntactically Invalid Structure vulnerability in Object Flooding Protocol (OFP) service of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).
On all Junos OS Evolved platforms, when specific TCP packets are received on an open OFP port, the OFP crashes leading to a restart of Routine Engine (RE). Continuous receipt of these specific TCP packets will lead to a sustained Denial of Service (DoS) condition.
This issue affects:
Juniper Networks Junos OS Evolved
- All versions earlier than 21.2R3-S7-EVO;
- 21.3 versions earlier than 21.3R3-S5-EVO ;
- 21.4 versions earlier than 21.4R3-S5-EVO;
- 22.1 versions earlier than 22.1R3-S4-EVO;
- 22.2 versions earlier than 22.2R3-S3-EVO ;
- 22.3 versions earlier than 22.3R3-EVO;
- 22.4 versions earlier than 22.4R2-EVO, 22.4R3-EVO.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Juniper Networks | Junos OS Evolved | 0 < 21.2R3-S7-EVO | affected |
| Juniper Networks | Junos OS Evolved | 21.3 < 21.3R3-S5-EVO | affected |
| Juniper Networks | Junos OS Evolved | 21.4 < 21.4R3-S5-EVO | affected |
| Juniper Networks | Junos OS Evolved | 22.1 < 22.1R3-S4-EVO | affected |
| Juniper Networks | Junos OS Evolved | 22.2 < 22.2R3-S3-EVO | affected |
| Juniper Networks | Junos OS Evolved | 22.3 < 22.3R3-EVO | affected |
| Juniper Networks | Junos OS Evolved | 22.4 < 22.4R2-EVO, 22.4R3-EVO | affected |
Weaknesses
- CWE-228: CWE-228: Improper Handling of Syntactically Invalid Structure
- Denial of Service (DoS)
Workarounds
In order to prevent this issue, following firewall filter needs to be added for each OFP port.
[ firewall family inet filter mgmt-filter term discard_ofp from protocol tcp ] [ firewall family inet filter mgmt-filter term discard_ofp from destination-port <ofp_port_1> ] [ firewall family inet filter mgmt-filter term discard_ofp from destination-port <ofp_port_2> ] [ firewall family inet filter mgmt-filter term discard_ofp then discard ] [ firewall family inet filter mgmt-filter term 2 then accept ]
[ interfaces re0:mgmt-0 unit 0 family inet filter input mgmt-filter ] [ interfaces re1:mgmt-0 unit 0 family inet filter input mgmt-filter ]
ADP Enrichment
CVE Program Container
Additional References
- https://supportportal.juniper.net/JSA75753
- https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://supportportal.juniper.net/JSA75753
- https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.