2021-04 Security Bulletin: Junos OS: EX4300: Stateless firewall policer fails to discard traffic (CVE-2021-0243)

Article ID: JSA11136 SECURITY_ADVISORIES Last Updated: 14 Apr 2021 Version: 1.0
Product Affected:
This issue affects Junos OS all versions prior to 17.3R3-S10, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2. Affected platforms: EX4300
Problem:
Improper Handling of Unexpected Data in the firewall policer of Juniper Networks Junos OS on EX4300 switches allows matching traffic to exceed set policer limits, possibly leading to a limited Denial of Service (DoS) condition. When the firewall policer discard action fails on a Layer 2 port, it will allow traffic to pass even though it exceeds set policer limits. Traffic will not get discarded, and will be forwarded even though a policer discard action is configured.

When the issue occurs, traffic is not discarded as desired, which can be observed by comparing the Input bytes with the Output bytes using the following command:

user@junos> monitor interface traffic
Interface Link Input bytes (bps) Output bytes (bps)
ge-0/0/0 Up 37425422 (82616) 37425354 (82616) <<<< egress
ge-0/0/1 Up 37425898 (82616) 37425354 (82616) <<<< ingress

The expected output, with input and output counters differing, is shown below:

Interface Link Input bytes (bps) Output bytes (bps)
ge-0/0/0 Up 342420570 (54600) 342422760 (54600) <<<< egress
ge-0/0/1 Up 517672120 (84000) 342420570 (54600) <<<< ingress

This issue only affects IPv4 policing. IPv6 traffic and firewall policing actions are not affected by this issue.

This issue affects Juniper Networks Junos OS on the EX4300:

  • All versions prior to 17.3R3-S10;
  • 17.4 versions prior to 17.4R3-S3;
  • 18.1 versions prior to 18.1R3-S11;
  • 18.2 versions prior to 18.2R3-S6;
  • 18.3 versions prior to 18.3R3-S4;
  • 18.4 versions prior to 18.4R3-S6;
  • 19.1 versions prior to 19.1R3-S3;
  • 19.2 versions prior to 19.2R3-S1;
  • 19.3 versions prior to 19.3R3-S1;
  • 19.4 versions prior to 19.4R3;
  • 20.1 versions prior to 20.1R2;
  • 20.2 versions prior to 20.2R2.

A sample affected firewall policer configuration is shown below:

set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input TEST-Policer
set firewall family ethernet-switching filter TEST-Policer term 1 from ip-source-address 10.1.1.0/24
set firewall family ethernet-switching filter TEST-Policer term 1 then accept
set firewall family ethernet-switching filter TEST-Policer term 1 then policer TEST-Policer-Bandwidth
set firewall policer TEST-Policer-Bandwidth if-exceeding bandwidth-limit 50k
set firewall policer TEST-Policer-Bandwidth if-exceeding burst-size-limit 1500
set firewall policer TEST-Policer-Bandwidth then discard
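As an added example, not part of Juniper's advisory, the following Python check parses the two monitor interface traffic excerpts quoted above and compares the offered rate on the ingress port with the forwarded rate on the egress port against the sample policer's 50k bandwidth-limit. The 25% tolerance for burst-size-limit overshoot and the ingress/egress interface roles are assumptions.

```python
import re

# Constructed sample input: the two "monitor interface traffic" excerpts quoted in the
# advisory, one from an affected switch and one showing the expected (policed) counters.
AFFECTED = """\
Interface Link Input bytes (bps) Output bytes (bps)
ge-0/0/0 Up 37425422 (82616) 37425354 (82616) <<<< egress
ge-0/0/1 Up 37425898 (82616) 37425354 (82616) <<<< ingress
"""
EXPECTED = """\
Interface Link Input bytes (bps) Output bytes (bps)
ge-0/0/0 Up 342420570 (54600) 342422760 (54600) <<<< egress
ge-0/0/1 Up 517672120 (84000) 342420570 (54600) <<<< ingress
"""

# One interface row: name, link state, input bytes (bps), output bytes (bps).
ROW_RE = re.compile(
    r"^(?P<ifname>\S+)\s+\S+\s+(?P<in_bytes>\d+)\s+\((?P<in_bps>\d+)\)"
    r"\s+(?P<out_bytes>\d+)\s+\((?P<out_bps>\d+)\)"
)

def parse_monitor_output(text):
    """Map interface name -> integer counters parsed from 'monitor interface traffic' text."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # the header line has no numeric columns and is skipped
            rows[m["ifname"]] = {k: int(v) for k, v in m.groupdict().items() if k != "ifname"}
    return rows

def bandwidth_limit_bps(value):
    """Convert a Junos 'if-exceeding bandwidth-limit' value such as '50k' to bits per second."""
    m = re.fullmatch(r"(\d+)([kmg]?)", value.strip().lower())
    if not m:
        raise ValueError(f"unrecognised bandwidth-limit: {value!r}")
    return int(m[1]) * {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}[m[2]]

def policer_state(rows, ingress, egress, limit, tolerance=0.25):
    """Classify the policer as 'enforced', 'not-enforced' or 'inconclusive'.

    Offered rate = ingress input bps; forwarded rate = egress output bps. If the
    offered rate never exceeds the limit the policer had nothing to discard, so
    nothing can be concluded. The tolerance (an assumption) absorbs burst-size-limit
    overshoot and the averaging of the bps counters.
    """
    offered = rows[ingress]["in_bps"]
    forwarded = rows[egress]["out_bps"]
    if offered <= limit:
        return "inconclusive"
    return "enforced" if forwarded <= limit * (1 + tolerance) else "not-enforced"
```

Run against the affected excerpt the check reports "not-enforced" (the egress forwards the full 82616 bps offered against a 50000 bps limit); against the expected excerpt it reports "enforced".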

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2021-0243.

Solution:

The following software releases have been updated to resolve this specific issue: Junos OS 17.3R3-S10, 17.4R3-S3, 18.1R3-S11, 18.2R3-S6, 18.3R3-S4, 18.4R3-S6, 19.1R3-S3, 19.2R3-S1, 19.3R3-S1, 19.4R3, 20.1R2, 20.2R2, 20.3R1, and all subsequent releases.

This issue is being tracked as 1532670.

Workaround:
There are no viable workarounds for this issue.
Implementation:
Software releases or updates are available for download at https://support.juniper.net/support/downloads/
Modification History:
2021-04-14: Initial Publication.
CVSS Score:
4.7 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L)
Severity Level:
Medium
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
