Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

2021-04 Security Bulletin: Junos OS: PTX Series: Denial of Service in packet processing due to heavy route churn when J-Flow sampling is enabled (CVE-2021-0263)

0

0

Article ID: JSA11154 SECURITY_ADVISORIES Last Updated: 14 Apr 2021Version: 1.0
Product Affected:
This issue affects Junos OS 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2, 20.3. Affected platforms: PTX Series.
Problem:

A Data Processing vulnerability in the Multi-Service process (multi-svcs) on the FPC of Juniper Networks Junos OS on the PTX Series routers may lead to the process becoming unresponsive, ultimately affecting traffic forwarding, allowing an attacker to cause a Denial of Service (DoS) condition . The Multi-Service Process running on the FPC is responsible for handling sampling-related operations when a J-Flow configuration is activated. This can occur during periods of heavy route churn, causing the Multi-Service Process to stop processing updates, without consuming any further updates from kernel. This back pressure towards the kernel affects further dynamic updates from other processes in the system, including RPD, causing a KRT-STUCK condition and traffic forwarding issues.

An administrator can monitor the following command to check if there is the KRT queue is stuck:

user@device > show krt state
...
Number of async queue entries: 65007 <--- this value keep on increasing.


The following logs/alarms will be observed when this condition exists:

user@junos> show chassis alarms
2 alarms currently active
Alarm time Class Description
2020-10-11 04:33:45 PDT Minor Potential slow peers are: MSP(FPC1-PIC0) MSP(FPC3-PIC0) MSP(FPC4-PIC0)

Logs:

Oct 11 04:33:44.672 2020 test /kernel: rts_peer_cp_recv_timeout : Bit set for msp8 as it is stuck
Oct 11 04:35:56.000 2020 test-lab fpc4 user.err gldfpc-multi-svcs.elf: Error in parsing composite nexthop
Oct 11 04:35:56.000 2020 test-lab fpc4 user.err gldfpc-multi-svcs.elf: composite nexthop parsing error
Oct 11 04:43:05 2020 test /kernel: rt_pfe_veto: Possible slowest client is msp38. States processed - 65865741. States to be processed - 0
Oct 11 04:55:55 2020 test /kernel: rt_pfe_veto: Memory usage of M_RTNEXTHOP type = (0) Max size possible for M_RTNEXTHOP type = (8311787520) Current delayed unref = (60000), Current unique delayed unref = (10896), Max delayed unref on this platform = (40000) Current delayed weight unref = (71426) Max delayed weight unref on this platform= (400000) curproc = rpd
Oct 11 04:56:00 2020 test /kernel: rt_pfe_veto: Too many delayed route/nexthop unrefs. Op 2 err 55, rtsm_id 5:-1, msg type 2


This issue only affects PTX Series devices. No other products or platforms are affected by this vulnerability.

This issue affects Juniper Networks Junos OS on PTX Series:

  • 18.2 versions prior to 18.2R3-S7;
  • 18.3 versions prior to 18.3R3-S4;
  • 18.4 versions prior to 18.4R2-S8, 18.4R3-S7;
  • 19.1 versions prior to 19.1R3-S4;
  • 19.2 versions prior to 19.2R3-S1;
  • 19.3 versions prior to 19.3R3-S1;
  • 19.4 versions prior to 19.4R2-S4, 19.4R3-S1;
  • 20.1 versions prior to 20.1R2;
  • 20.2 versions prior to 20.2R2;
  • 20.3 versions prior to 20.3R1-S2, 20.3R2.

This issue does not affect Juniper Networks Junos OS versions prior to 18.2R1.


An example of flow monitoring configuration is shown below:

flow-monitoring {
  version-ipfix {
    template NETFLOW_IPV4_TEMPLATE {
      flow-active-timeout 600;
      flow-inactive-timeout 10;
      ipv4-template;
    }
    template NETFLOW_IPV6_TEMPLATE {
      flow-active-timeout 600;
      flow-inactive-timeout 10;
      ipv6-template;
    }
  }
}

combined with:

forwarding-options :{
  sampling {
    ...
  }
}


Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2021-0263.
 

Solution:

The following software releases have been updated to resolve this specific issue: Junos OS 18.2R3-S7, 18.3R3-S4, 18.4R2-S8, 18.4R3-S7, 19.1R3-S4, 19.2R3-S1, 19.3R3-S1, 19.4R2-S4, 19.4R3-S1, 20.1R2, 20.2R2, 20.3R1-S2, 20.3R2, 20.4R1, and all subsequent releases.

This issue is being tracked as 1546143.
 

Workaround:

Deactivation of the sampling configuration under the chassis hierarchy will mitigate this issue:

deactivate chassis fpc <x> sampling-instance <x>
 
Implementation:
Software releases or updates are available for download at https://support.juniper.net/support/downloads/
 
Modification History:
2021-04-14: Initial Publication.

CVSS Score:
5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Severity Level:
Medium
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search