Vulnerability for Improper Handling of Exceptional Conditions on specific Juniper Networks products (20th July 2022)

Preface: Common JUNOS daemons include:

  • The routing protocol daemon (rpd) handles all routing protocol messages and routing table updates and implements routing policies. rpd contains modules that each function independently while sharing information with the others.
  • The device control daemon (dcd) manages all interface devices and configurations. This daemon sends configurations to the kernel to create interfaces. Each configuration has a unique interface index number, common throughout the system.
  • The packet forwarding daemon (pfed) handles communication between the Packet Forwarding Engine and the Routing Engine.
  • The management daemon (mgd) controls all user access to the router.
  • The chassis daemon (chassisd) controls the properties of the router itself, including interactions between the Packet Forwarding Engine’s passive midplane, the Flexible PIC Concentrator (FPC) that connects the switching control board to the router’s interfaces in the Packet Forwarding Engine, and other control boards.

Background: VXLAN is an encapsulation protocol that provides data center connectivity using tunneling to stretch Layer 2 connections over an underlying Layer 3 network. In data centers, VXLAN is the most commonly used protocol to create overlay networks that sit on top of the physical network, enabling the use of virtual networks.

Vulnerability details: An Improper Handling of Exceptional Conditions vulnerability on specific PTX Series devices, including the PTX1000, PTX3000 (NextGen), PTX5000, PTX10002-60C, PTX10008, and PTX10016 Series, in Juniper Networks Junos OS allows an unauthenticated MPLS-based attacker to cause a Denial of Service (DoS) by triggering the dcpfe process to crash and FPC to restart.

Official announcement: Please see the link for details – https://supportportal.juniper.net/s/article/2022-07-Security-Bulletin-Junos-OS-PTX-Series-FPCs-may-restart-unexpectedly-upon-receipt-of-specific-MPLS-packets-with-certain-multi-unit-interface-configurations-CVE-2022-22202?language=en_US

Ref:

In normal circumstances, a network device, system and method are provided for detection of mismatched VLAN tags between a port of a network chip and a packet. The network device includes a processor, a memory and a network chip having a number of network ports. One of the ports is tagged with a VLAN membership of at least one particular VLAN and is configured to receive a packet. Computer-executable instructions are storable in the memory and executable by the processor to detect whether the packet received at the port is untagged with any VLAN. Upon detecting that the packet is untagged with any VLAN, the computer-executable instructions determine whether the untagged packet is intended to be untagged on the particular VLAN at the port. If the packet is not intended to be untagged on the particular VLAN at the port, the computer-executable instructions send a misconfiguration alert signal to a network management program and determine whether the packet is misconfigured to be sent to the network chip without a VLAN tag or the port of the network chip is misconfigured to be tagged with the particular VLAN.
According to this CVE, it looks as though the flaw came from the detection system daemon.
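The detection logic the reference above describes (an untagged frame arriving on a port that is a tagged member of a VLAN, an alert, and a decision on whether the packet or the port is misconfigured), written out as an added Python example that is not from this post or from Juniper. The interface names, MAC addresses and frames are constructed, and the learned-sender heuristic used to attribute the fault is an assumption, not the vendor's method.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

ETHERTYPE_8021Q = 0x8100   # customer VLAN tag (802.1Q)
ETHERTYPE_8021AD = 0x88A8  # outer service tag (802.1ad, QinQ)

@dataclass(frozen=True)
class PortVlanConfig:
    port: str
    tagged_vlans: FrozenSet[int]       # VLANs this port is a tagged member of
    native_vlan: Optional[int] = None  # VLAN untagged frames map to, if the port accepts them

def vlan_id(frame: bytes) -> Optional[int]:
    """Return the outer VLAN ID of an 802.1Q/802.1ad frame, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
        return None
    if len(frame) < 18:
        raise ValueError("truncated VLAN tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF  # the low 12 bits of the TCI carry the VLAN ID

def check_frame(cfg: PortVlanConfig, frame: bytes,
                tagged_senders: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Return None if the frame matches the port's VLAN membership, else an alert string.
    tagged_senders (assumed: locally learned MACs that normally send tagged frames) decides blame."""
    vid = vlan_id(frame)
    if vid is None:
        if cfg.native_vlan is not None:
            return None  # untagged traffic is expected here and maps to the native VLAN
        src = frame[6:12].hex(":")
        cause = ("sender omitted its VLAN tag" if src in tagged_senders
                 else "port is tagged-only with no native VLAN")
        return f"{cfg.port}: untagged frame from {src} on tagged-only port ({cause})"
    if vid not in cfg.tagged_vlans and vid != cfg.native_vlan:
        return f"{cfg.port}: frame tagged VLAN {vid}, port is only a member of {sorted(cfg.tagged_vlans)}"
    return None

def build_frame(dst: str, src: str, vid: Optional[int], payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a sample Ethernet frame carrying IPv4, with an optional 802.1Q tag (constructed data)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", 0x0800) + payload  # 0x0800 = IPv4 ethertype
```

Feed `check_frame` a `PortVlanConfig` for each port plus each received frame; a non-None result is the misconfiguration alert the reference describes, ready to hand to a management program.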
