cve-2023-22397
Vulnerability from cvelistv5
Published
2023-01-12 00:00
Modified
2024-08-02 10:07
Severity ?
EPSS score ?
Summary
Junos OS Evolved: PTX10003: An attacker sending specific genuine packets will cause a memory leak in the PFE leading to a Denial of Service
References
▼ | URL | Tags | |
---|---|---|---|
sirt@juniper.net | https://kb.juniper.net/JSA70193 | Vendor Advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Juniper Networks | Junos OS Evolved |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:07:06.643Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://kb.juniper.net/JSA70193" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "platforms": [ "PTX10003" ], "product": "Junos OS Evolved", "vendor": "Juniper Networks", "versions": [ { "lessThan": "20.4R3-S4-EVO", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "21.3R3-S1-EVO", "status": "affected", "version": "21.3", "versionType": "custom" }, { "lessThan": "21.4R2-S2-EVO, 21.4R3-EVO", "status": "affected", "version": "21.4", "versionType": "custom" }, { "lessThan": "22.1R1-S2-EVO, 22.1R2-EVO", "status": "affected", "version": "22.1", "versionType": "custom" }, { "lessThan": "22.2R2-EVO", "status": "affected", "version": "22.2", "versionType": "custom" } ] } ], "configurations": [ { "lang": "en", "value": "The following is the minimal configuration necessary to be affected by this issue: \n\n [protocols pim interface \u003cinterface-name\u003e]" } ], "datePublic": "2023-01-11T00:00:00", "descriptions": [ { "lang": "en", "value": "An Allocation of Resources Without Limits or Throttling weakness in the memory management of the Packet Forwarding Engine (PFE) on Juniper Networks Junos OS Evolved PTX10003 Series devices allows an adjacently located attacker who has established certain preconditions and knowledge of the environment to send certain specific genuine packets to begin a Time-of-check Time-of-use (TOCTOU) Race Condition attack which will cause a memory leak to begin. Once this condition begins, and as long as the attacker is able to sustain the offending traffic, a Distributed Denial of Service (DDoS) event occurs. As a DDoS event, the offending packets sent by the attacker will continue to flow from one device to another as long as they are received and processed by any devices, ultimately causing a cascading outage to any vulnerable devices. Devices not vulnerable to the memory leak will process and forward the offending packet(s) to neighboring devices. Due to internal anti-flood security controls and mechanisms reaching their maximum limit of response in the worst-case scenario, all affected Junos OS Evolved devices will reboot in as little as 1.5 days. Reboots to restore services cannot be avoided once the memory leak begins. The device will self-recover after crashing and rebooting. Operator intervention isn\u0027t required to restart the device. This issue affects: Juniper Networks Junos OS Evolved on PTX10003: All versions prior to 20.4R3-S4-EVO; 21.3 versions prior to 21.3R3-S1-EVO; 21.4 versions prior to 21.4R2-S2-EVO, 21.4R3-EVO; 22.1 versions prior to 22.1R1-S2-EVO, 22.1R2-EVO; 22.2 versions prior to 22.2R2-EVO. To check memory, customers may VTY to the PFE first then execute the following show statement: show jexpr jtm ingress-main-memory chip 255 | no-more Alternatively one may execute from the RE CLI: request pfe execute target fpc0 command \"show jexpr jtm ingress-main-memory chip 255 | no-more\" Iteration 1: Example output: Mem type: NH, alloc type: JTM 136776 bytes used (max 138216 bytes used) 911568 bytes available (909312 bytes from free pages) Iteration 2: Example output: Mem type: NH, alloc type: JTM 137288 bytes used (max 138216 bytes used) 911056 bytes available (909312 bytes from free pages) The same can be seen in the CLI below, assuming the scale does not change: show npu memory info Example output: FPC0:NPU16 mem-util-jnh-nh-size 2097152 FPC0:NPU16 mem-util-jnh-nh-allocated 135272 FPC0:NPU16 mem-util-jnh-nh-utilization 6" } ], "exploits": [ { "lang": "en", "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "description": "Denial of Service (DoS)", "lang": "en", "type": "text" } ] }, { "descriptions": [ { "description": "Distributed Denial of Service (DoS)", "lang": "en", "type": "text" } ] }, { "descriptions": [ { "description": "Memory Leak", "lang": "en", "type": "text" } ] }, { "descriptions": [ { "cweId": "CWE-367", "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-01-12T00:00:00", "orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "shortName": "juniper" }, "references": [ { "url": "https://kb.juniper.net/JSA70193" } ], "solutions": [ { "lang": "en", "value": "The following software releases have been updated to resolve these specific issues: Junos OS Evolved: 20.4R3-S4-EVO, 21.3R3-S1-EVO, 21.4R2-S2-EVO, 21.4R3-EVO, 22.1R1-S2-EVO, 22.1R2-EVO, 22.1R3-EVO, 22.2R1-S1-EVO, 22.2R2-EVO, 22.3R1-EVO, and all subsequent releases.\n" } ], "source": { "advisory": "JSA70193", "defect": [ "1670829" ], "discovery": "USER" }, "title": "Junos OS Evolved: PTX10003: An attacker sending specific genuine packets will cause a memory leak in the PFE leading to a Denial of Service", "workarounds": [ { "lang": "en", "value": "There are no known workarounds for this issue. \n\nTo reduce impact due to unplanned reboots customers may review memory thresholds as above and decide to reboot devices proactively to clear memory during planned maintenance windows.\n " } ], "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "assignerShortName": "juniper", "cveId": "CVE-2023-22397", "datePublished": "2023-01-12T00:00:00", "dateReserved": "2022-12-27T00:00:00", "dateUpdated": "2024-08-02T10:07:06.643Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2023-22397\",\"sourceIdentifier\":\"sirt@juniper.net\",\"published\":\"2023-01-13T00:15:10.273\",\"lastModified\":\"2023-01-24T18:56:10.787\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"An Allocation of Resources Without Limits or Throttling weakness in the memory management of the Packet Forwarding Engine (PFE) on Juniper Networks Junos OS Evolved PTX10003 Series devices allows an adjacently located attacker who has established certain preconditions and knowledge of the environment to send certain specific genuine packets to begin a Time-of-check Time-of-use (TOCTOU) Race Condition attack which will cause a memory leak to begin. Once this condition begins, and as long as the attacker is able to sustain the offending traffic, a Distributed Denial of Service (DDoS) event occurs. As a DDoS event, the offending packets sent by the attacker will continue to flow from one device to another as long as they are received and processed by any devices, ultimately causing a cascading outage to any vulnerable devices. Devices not vulnerable to the memory leak will process and forward the offending packet(s) to neighboring devices. Due to internal anti-flood security controls and mechanisms reaching their maximum limit of response in the worst-case scenario, all affected Junos OS Evolved devices will reboot in as little as 1.5 days. Reboots to restore services cannot be avoided once the memory leak begins. The device will self-recover after crashing and rebooting. Operator intervention isn\u0027t required to restart the device. This issue affects: Juniper Networks Junos OS Evolved on PTX10003: All versions prior to 20.4R3-S4-EVO; 21.3 versions prior to 21.3R3-S1-EVO; 21.4 versions prior to 21.4R2-S2-EVO, 21.4R3-EVO; 22.1 versions prior to 22.1R1-S2-EVO, 22.1R2-EVO; 22.2 versions prior to 22.2R2-EVO. To check memory, customers may VTY to the PFE first then execute the following show statement: show jexpr jtm ingress-main-memory chip 255 | no-more Alternatively one may execute from the RE CLI: request pfe execute target fpc0 command \\\"show jexpr jtm ingress-main-memory chip 255 | no-more\\\" Iteration 1: Example output: Mem type: NH, alloc type: JTM 136776 bytes used (max 138216 bytes used) 911568 bytes available (909312 bytes from free pages) Iteration 2: Example output: Mem type: NH, alloc type: JTM 137288 bytes used (max 138216 bytes used) 911056 bytes available (909312 bytes from free pages) The same can be seen in the CLI below, assuming the scale does not change: show npu memory info Example output: FPC0:NPU16 mem-util-jnh-nh-size 2097152 FPC0:NPU16 mem-util-jnh-nh-allocated 135272 FPC0:NPU16 mem-util-jnh-nh-utilization 6\"},{\"lang\":\"es\",\"value\":\"Una asignaci\u00f3n de recursos sin l\u00edmites o debilidad de limitaci\u00f3n en la gesti\u00f3n de memoria del motor de reenv\u00edo de paquetes (PFE) en los dispositivos Juniper Networks Junos OS Evolved PTX10003 Series permite que un atacante ubicado adyacentemente que haya establecido ciertas condiciones previas y conocimiento del entorno env\u00ede ciertos datos genuinos espec\u00edficos. paquetes para comenzar un ataque de condici\u00f3n de ejecuci\u00f3n de tiempo de verificaci\u00f3n y tiempo de uso (TOCTOU) que provocar\u00e1 que comience una p\u00e9rdida de memoria. Una vez que comienza esta condici\u00f3n, y siempre que el atacante pueda mantener el tr\u00e1fico infractor, se produce un evento de denegaci\u00f3n de servicio distribuido (DDoS). Como evento DDoS, los paquetes infractores enviados por el atacante continuar\u00e1n fluyendo de un dispositivo a otro siempre que sean recibidos y procesados por cualquier dispositivo, lo que en \u00faltima instancia provocar\u00e1 una interrupci\u00f3n en cascada en cualquier dispositivo vulnerable. Los dispositivos que no sean vulnerables a la p\u00e9rdida de memoria procesar\u00e1n y reenviar\u00e1n los paquetes infractores a los dispositivos vecinos. Debido a que los mecanismos y controles de seguridad internos anti-inundaciones alcanzan su l\u00edmite m\u00e1ximo de respuesta en el peor de los casos, todos los dispositivos Junos OS Evolved afectados se reiniciar\u00e1n en tan solo 1,5 d\u00edas. No se pueden evitar los reinicios para restaurar los servicios una vez que comienza la p\u00e9rdida de memoria. El dispositivo se recuperar\u00e1 autom\u00e1ticamente despu\u00e9s de fallar y reiniciarse. No se requiere la intervenci\u00f3n del operador para reiniciar el dispositivo. Este problema afecta a: Juniper Networks Junos OS Evolucionado en PTX10003: todas las versiones anteriores a 20.4R3-S4-EVO; Versiones 21.3 anteriores a 21.3R3-S1-EVO; Versiones 21.4 anteriores a 21.4R2-S2-EVO, 21.4R3-EVO; Versiones 22.1 anteriores a 22.1R1-S2-EVO, 22.1R2-EVO; Versiones 22.2 anteriores a 22.2R2-EVO. Para verificar la memoria, los clientes pueden VTY al PFE primero y luego ejecutar la siguiente declaraci\u00f3n show: show jexpr jtm ingress-main-memory chip 255 | no-more Alternativamente, se puede ejecutar desde RE CLI: solicitar pfe ejecutar el comando fpc0 objetivo \\\"show jexpr jtm ingress-main-memory chip 255 | no-more\\\" Iteraci\u00f3n 1: Ejemplo de salida: Tipo de memoria: NH, tipo de asignaci\u00f3n: JTM 136776 bytes usados (m\u00e1ximo 138216 bytes usados) 911568 bytes disponibles (909312 bytes de p\u00e1ginas libres) Iteraci\u00f3n 2: Salida de ejemplo: Tipo de memoria: NH, tipo de asignaci\u00f3n: JTM 137288 bytes usados (m\u00e1ximo 138216 bytes usados) 911056 bytes disponibles (909312 bytes libres p\u00e1ginas) Lo mismo se puede ver en la CLI a continuaci\u00f3n, asumiendo que la escala no cambia: mostrar informaci\u00f3n de memoria npu Ejemplo de salida: FPC0:NPU16 mem-util-jnh-nh-size 2097152 FPC0:NPU16 mem-util-jnh-nh- asignado 135272 FPC0:NPU16 mem-util-jnh-nh-utilizaci\u00f3n 6\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"sirt@juniper.net\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":1.6,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-367\"},{\"lang\":\"en\",\"value\":\"CWE-770\"}]},{\"source\":\"sirt@juniper.net\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-367\"},{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"20.4\",\"matchCriteriaId\":\"0F41A7DF-2B27-4E2E-ABFC-E0510A028199\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:20.4:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"247FB9DF-7EC0-4298-B27C-3235D141C1D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:20.4:r1:*:*:*:*:*:*\",\"matchCriteriaId\":\"C9C8866D-162F-4C9B-8167-2FBA25410368\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:20.4:r1-s1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F85E5BC7-8607-4330-AA72-2273D32F8604\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:20.4:r1-s2:*:*:*:*:*:*\",\"matchCriteriaId\":\"878C81C9-A418-4A21-8FDB-2116A992679C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:20.4:r2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7451A671-A3CC-4904-8D45-947B1D3783C9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:20.4:r2-s1:*:*:*:*:*:*\",\"matchCriteriaId\":\"0108AD20-EAE6-41D1-AE48-254C46B5388A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:20.4:r2-s2:*:*:*:*:*:*\",\"matchCriteriaId\":\"44FBCA6F-EB05-4EE4-85FD-944BDAF7D81B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:20.4:r2-s3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E554FD12-FE69-44D1-B2C9-4382F8CA4456\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:20.4:r3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0C1D53E-70BE-4246-89ED-1074C8C70747\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:20.4:r3-s1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B39DDCF8-BB68-49F4-8AAF-AE25C9C13AC1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:20.4:r3-s2:*:*:*:*:*:*\",\"matchCriteriaId\":\"B38A90A9-B739-49BE-8845-9ABF846CCC5D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:20.4:r3-s3:*:*:*:*:*:*\",\"matchCriteriaId\":\"AAE56A7C-BA26-405F-A640-C43AF78B0A3B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:21.3:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"4EC38173-44AB-43D5-8C27-CB43AD5E0B2E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:21.3:r1:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A4DD04A-DE52-46BE-8C34-8DB47F7500F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:21.3:r1-s1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FEE0E145-8E1C-446E-90ED-237E3B9CAF47\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:21.3:r2:*:*:*:*:*:*\",\"matchCriteriaId\":\"0F26369D-21B2-4C6A-98C1-492692A61283\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:21.3:r2-s1:*:*:*:*:*:*\",\"matchCriteriaId\":\"24003819-1A6B-4BDF-B3DF-34751C137788\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:21.3:r2-s2:*:*:*:*:*:*\",\"matchCriteriaId\":\"BF8D332E-9133-45B9-BB07-B33C790F737A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:21.3:r3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3E2A4377-D044-4E43-B6CC-B753D7F6ABD4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:21.4:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E907193-075E-45BC-9257-9607DB790D71\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:21.4:r1:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B73A41D-3FF5-4E53-83FF-74DF58E0D6C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:21.4:r1-s1:*:*:*:*:*:*\",\"matchCriteriaId\":\"CEDF46A8-FC3A-4779-B695-2CA11D045AEB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:21.4:r1-s2:*:*:*:*:*:*\",\"matchCriteriaId\":\"39809219-9F87-4583-9DAD-9415DD320B36\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:21.4:r2:*:*:*:*:*:*\",\"matchCriteriaId\":\"DB299492-A919-4EBA-A62A-B3CF02FC0A95\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:21.4:r2-s1:*:*:*:*:*:*\",\"matchCriteriaId\":\"74ED0939-D5F8-4334-9838-40F29DE3597F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:22.1:r1:*:*:*:*:*:*\",\"matchCriteriaId\":\"750FE748-82E7-4419-A061-2DEA26E35309\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:22.1:r1-s1:*:*:*:*:*:*\",\"matchCriteriaId\":\"236E23E5-8B04-4081-9D97-7300DF284000\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:22.2:r1:*:*:*:*:*:*\",\"matchCriteriaId\":\"D77A072D-350A-42F2-8324-7D3AC1711BF9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos_os_evolved:22.2:r1-s1:*:*:*:*:*:*\",\"matchCriteriaId\":\"83AE395C-A651-4568-88E3-3600544BF799\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:juniper:ptx10003:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5BD05415-9F94-4EB8-805A-C9C0FFA9D0DF\"}]}]}],\"references\":[{\"url\":\"https://kb.juniper.net/JSA70193\",\"source\":\"sirt@juniper.net\",\"tags\":[\"Vendor Advisory\"]}]}}" } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.