2021-04 Security Bulletin: Junos OS: Remote code execution vulnerability in overlayd service (CVE-2021-0254)

Article ID: JSA11147    SECURITY_ADVISORIES    Last Updated: 21 May 2021    Version: 5.0
Product Affected:
This issue affects Junos OS 15.1, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2, 20.3.
Problem:

A buffer size validation vulnerability in the overlayd service of Juniper Networks Junos OS may allow an unauthenticated remote attacker to send specially crafted packets to the device, triggering a partial Denial of Service (DoS) condition, or leading to remote code execution (RCE). Continued receipt and processing of these packets will sustain the partial DoS.

The overlayd daemon handles Overlay OAM packets, such as ping and traceroute, sent to the overlay. The service runs as root by default and listens on UDP port 4789 (the VXLAN port), so any host that can deliver a datagram to that port can reach the vulnerable code without authenticating. The issue results from improper buffer size validation, which can lead to a buffer overflow. Unauthenticated attackers can send specially crafted packets to trigger this vulnerability, resulting in possible remote code execution; because the daemon runs as root, such code would execute with root privileges.

overlayd runs by default on MX Series, QFX Series, and certain ACX Series (e.g. ACX5445, but not the ACX5048) platforms.
Platforms such as the SRX Series and PTX Series do not run overlayd and are therefore not vulnerable to this issue.
Additionally, while some EX Series platforms do run overlayd, no EX Series switch model has been shown to be exploitable via this vulnerability.

To summarize, if overlayd is not running on a particular platform, the system is not vulnerable to this issue. Users can confirm the presence of the overlayd process by issuing the following command:

user@junos> show system processes extensive | match overlay
2030 root     4   0 28984K 5004K kqread 0:00 0.00% overlayd


This issue affects Juniper Networks Junos OS:

  • 15.1 versions prior to 15.1R7-S9;
  • 17.3 versions prior to 17.3R3-S11;
  • 17.4 versions prior to 17.4R2-S13, 17.4R3-S4;
  • 18.1 versions prior to 18.1R3-S12;
  • 18.2 versions prior to 18.2R2-S8, 18.2R3-S7;
  • 18.3 versions prior to 18.3R3-S4;
  • 18.4 versions prior to 18.4R1-S8, 18.4R2-S7, 18.4R3-S7;
  • 19.1 versions prior to 19.1R2-S2, 19.1R3-S4;
  • 19.2 versions prior to 19.2R1-S6, 19.2R3-S2;
  • 19.3 versions prior to 19.3R3-S1;
  • 19.4 versions prior to 19.4R2-S4, 19.4R3-S1;
  • 20.1 versions prior to 20.1R2-S1, 20.1R3;
  • 20.2 versions prior to 20.2R2, 20.2R2-S1, 20.2R3;
  • 20.3 versions prior to 20.3R1-S1.

There is no minimum configuration required to be vulnerable to this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered during external security research.

This issue has been assigned CVE-2021-0254.
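The affected-release list and the overlayd process check above can be combined into a single triage step. The script below is an added example written for this page, not a Juniper tool: it copies the fixed-release table from the advisory into a dictionary, parses release strings of the form 18.4R2-S5.4 (X/D-style releases such as 15.1X53-D590, and release trains the advisory does not list, are reported as undetermined rather than guessed), and combines the result with the output of show system processes extensive. The show version and process-listing texts at the bottom are constructed samples; on a real device, feed it the output of those two commands.

```python
"""Triage helper for JSA11147 / CVE-2021-0254 (added example, not Juniper code).

Decides whether a Junos device is exposed from the two facts the advisory
gives: the running release versus the fixed-release list, and whether the
overlayd process is present.
"""
import re
from typing import Optional, Tuple

# Fixed releases per train as (R, S); "20.1R3" is (3, 0). Following the
# advisory's wording, a release on a listed train is affected when it is below
# the fix for its R-line, or when its R-line has no fix listed (e.g. 17.4R1);
# an R-line above the highest listed fix falls under "all subsequent releases".
FIXED = {
    "15.1": [(7, 9)],
    "17.3": [(3, 11)],
    "17.4": [(2, 13), (3, 4)],
    "18.1": [(3, 12)],
    "18.2": [(2, 8), (3, 7)],
    "18.3": [(3, 4)],
    "18.4": [(1, 8), (2, 7), (3, 7)],
    "19.1": [(2, 2), (3, 4)],
    "19.2": [(1, 6), (3, 2)],
    "19.3": [(3, 1)],
    "19.4": [(2, 4), (3, 1)],
    "20.1": [(2, 1), (3, 0)],
    "20.2": [(2, 0), (2, 1), (3, 0)],
    "20.3": [(1, 1)],
    "20.4": [(1, 0)],   # 20.4R1 and later ship with the fix
}

# Matches 18.4R2-S5, 18.4R2-S5.4, 20.2R2, 20.2R2.7; a trailing build number is
# ignored. X/D-style releases (15.1X53-D590) deliberately do not match.
_VERSION_RE = re.compile(r"^(\d+\.\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


def parse_version(version: str) -> Optional[Tuple[str, int, int]]:
    """Return (train, R, S) for an R-style Junos release string, else None."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> Optional[bool]:
    """True if affected, False if fixed, None if undetermined."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    train, r, s = parsed
    fixes = FIXED.get(train)
    if fixes is None:
        return None                      # train not covered by the advisory
    if r > max(fr for fr, _ in fixes):
        return False                     # later R-line on a fixed train
    same_r = [fs for fr, fs in fixes if fr == r]
    if same_r and s >= min(same_r):
        return False                     # at or past the fix for this R-line
    return True


def junos_version(show_version: str) -> Optional[str]:
    """Pull the release out of 'show version' text (the 'Junos: ...' line)."""
    m = re.search(r"^Junos:\s+(\S+)", show_version, re.MULTILINE)
    return m.group(1) if m else None


def overlayd_running(show_processes: str) -> bool:
    """True if a line of 'show system processes extensive' names overlayd."""
    for line in show_processes.splitlines():
        fields = line.split()
        if fields and fields[-1].strip("{}") == "overlayd":
            return True
    return False


def triage(show_version: str, show_processes: str) -> dict:
    """Apply both checks the way the advisory describes them."""
    version = junos_version(show_version)
    affected = is_affected(version) if version else None
    running = overlayd_running(show_processes)
    return {
        "version": version,
        "release_affected": affected,
        "overlayd_running": running,
        # Exposed only when the release is affected AND overlayd is present.
        "exposed": bool(affected) and running,
    }


# Constructed sample CLI output (hypothetical device, not real data).
SAMPLE_SHOW_VERSION = """\
Hostname: mx-edge-1
Model: mx480
Junos: 18.4R2-S5.4
"""

SAMPLE_PROCESSES = """\
  PID USERNAME  PRI NICE   SIZE    RES STATE    TIME    WCPU COMMAND
 2030 root        4    0 28984K  5004K kqread   0:00   0.00% overlayd
 2041 root       20    0 15212K  3120K select   0:01   0.00% mgd
"""

if __name__ == "__main__":
    print(triage(SAMPLE_SHOW_VERSION, SAMPLE_PROCESSES))
```

A result of None for release_affected means the script could not decide (unlisted train or an X/D-style release) and the device needs a manual check against the advisory rather than being marked safe.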

Solution:

The following software releases have been updated to resolve this specific issue: Junos OS 15.1R7-S9, 17.3R3-S11, 17.4R2-S13, 17.4R3-S4, 18.1R3-S12, 18.2R2-S8, 18.2R3-S7, 18.3R3-S4, 18.4R1-S8, 18.4R2-S7, 18.4R3-S7, 19.1R2-S2, 19.1R3-S4, 19.2R1-S6, 19.2R3-S2, 19.3R3-S1, 19.4R2-S4, 19.4R3-S1, 20.1R2-S1, 20.1R3, 20.2R2, 20.2R2-S1, 20.2R3, 20.3R1-S1, 20.4R1, and all subsequent releases.

This fix has also been proactively committed into other releases that might not be vulnerable to this issue.

This issue is being tracked as PR 1548415.


Workaround:

Two methods exist to mitigate this issue:

  1. Limit the exploitable attack surface of critical infrastructure networking equipment by using access lists or firewall filters so that UDP traffic to the device, and in particular to port 4789 where overlayd listens, is accepted only from trusted, administrative networks or hosts.
     
  2. Disable Overlay OAM packet processing (overlay ping and traceroute) via the configuration command: 'set system processes overlay-ping-traceroute disable'. After committing, confirm that overlayd no longer appears in the output of 'show system processes extensive | match overlay'.
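
The first workaround expressed as a loopback (routing-engine protection) filter. This is an added example, not configuration from the advisory: the filter, term, counter and prefix-list names and the 192.0.2.0/24 source prefix are placeholders, and the lines are written for family inet on lo0 unit 0. Where a routing-engine filter already exists, the two overlay-oam terms belong ahead of its final accept rather than in a new filter. Because Overlay OAM shares UDP 4789 with any VXLAN tunnel traffic the device terminates, the trusted prefix list has to include every legitimate VTEP peer as well as the hosts that originate overlay ping and traceroute; an overlay carried over IPv6 needs the equivalent family inet6 filter, and the result should be verified in a lab before production use. The '#' lines are explanatory.

```junos
# Added example for workaround 1: only trusted sources may reach UDP/4789 on
# the routing engine. Names and the 192.0.2.0/24 prefix are placeholders.
set policy-options prefix-list TRUSTED-OVERLAY-OAM 192.0.2.0/24

set firewall family inet filter PROTECT-RE term overlay-oam-trusted from source-prefix-list TRUSTED-OVERLAY-OAM
set firewall family inet filter PROTECT-RE term overlay-oam-trusted from protocol udp
set firewall family inet filter PROTECT-RE term overlay-oam-trusted from destination-port 4789
set firewall family inet filter PROTECT-RE term overlay-oam-trusted then accept

# Everything else aimed at UDP/4789 is counted, logged and dropped, so probing
# shows up in "show firewall filter PROTECT-RE" and "show firewall log".
set firewall family inet filter PROTECT-RE term overlay-oam-untrusted from protocol udp
set firewall family inet filter PROTECT-RE term overlay-oam-untrusted from destination-port 4789
set firewall family inet filter PROTECT-RE term overlay-oam-untrusted then count overlay-oam-untrusted
set firewall family inet filter PROTECT-RE term overlay-oam-untrusted then log
set firewall family inet filter PROTECT-RE term overlay-oam-untrusted then discard

# Remaining routing-engine-bound traffic is left as before; in a real
# deployment this is the existing filter's final term, not a blanket accept.
set firewall family inet filter PROTECT-RE term allow-rest then accept

set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

After commit, "show firewall filter PROTECT-RE" should show the overlay-oam-untrusted counter staying at zero for legitimate overlay traffic; a climbing counter identifies sources that are either missing from the prefix list or probing the port.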
Implementation:
Software releases or updates are available for download at https://support.juniper.net/support/downloads/
Modification History:
2021-04-14: Initial Publication.
2021-04-20: Explicitly state that the SRX Series is not vulnerable.
2021-05-21: Provide additional clarification on affected platforms, and how to determine if overlayd is running.


CVSS Score:
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Severity Level:
Critical
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:
Juniper SIRT would like to acknowledge and thank Hoàng Thạch Nguyễn (d4rkn3ss) of STAR Labs for responsibly reporting this vulnerability.
