
2021-04 Security Bulletin: Junos OS: QFX10002-32Q, QFX10002-60C, QFX10002-72Q, QFX10008, QFX10016: In EVPN-VXLAN scenarios receipt of specific genuine packets by an adjacent attacker will cause a kernel memory leak in FPC. (CVE-2021-0272)


Article ID: JSA11163 SECURITY_ADVISORIES Last Updated: 14 Apr 2021 Version: 1.0
Product Affected:
This issue affects Junos OS 16.1, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1. Affected platforms: QFX10002-32Q, QFX10002-60C, QFX10002-72Q, QFX10008, QFX10016.
Problem:

A kernel memory leak in the Flexible PIC Concentrators (FPCs) of QFX10002-32Q, QFX10002-60C, QFX10002-72Q, QFX10008, QFX10016 devices running Juniper Networks Junos OS allows an attacker to cause a Denial of Service (DoS) to the device by sending genuine packets destined to the device.

On QFX10002-32Q, QFX10002-60C, QFX10002-72Q devices the device will crash and restart.

On QFX10008, QFX10016 devices, depending on the number of FPCs involved in an attack, one or more FPCs may crash and traffic through the device may be degraded in other ways, until the attack traffic stops.

A reboot is required to restore service and clear the kernel memory.

Continued receipt and processing of these genuine packets will create a sustained Denial of Service (DoS) condition.

On QFX10008, QFX10016 devices, an indicator of compromise may be the existence of DCPFE core files.

You can also monitor PFE memory utilization for incremental growth:

user@qfx-RE:0% cprod -A fpc0 -c "show heap 0" | grep -i ke
0 3788a1b0 3221225048 2417120656 804104392 24 Kernel
user@qfx-RE:0% cprod -A fpc0 -c "show heap 0" | grep -i ke
0 3788a1b0 3221225048 2332332200 888892848 27 Kernel
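
The growth check described above, as an added example that is not part of Juniper's advisory: it parses the Kernel row of `show heap 0` output collected at a fixed interval and flags steady growth in used bytes. The column order (total, free, used, percent used), the 300-second sampling interval and the 16 MiB threshold are assumptions; the two sample lines are the readings shown above.

```python
import re

# Sample input: the two Kernel heap readings quoted in the advisory.
SAMPLES = [
    "0 3788a1b0 3221225048 2417120656 804104392 24 Kernel",
    "0 3788a1b0 3221225048 2332332200 888892848 27 Kernel",
]

# Assumed column order: id, base, total, free, used, percent used, name.
HEAP_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$"
)

def parse_kernel_heap(output):
    """Return total/free/used bytes for the Kernel heap row, or None."""
    for line in output.splitlines():
        m = HEAP_LINE.match(line)
        if not m or m.group(7).lower() != "kernel":
            continue
        total, free, used = (int(m.group(i)) for i in (3, 4, 5))
        # Sanity check on the assumed column order.
        if free + used != total:
            raise ValueError("unexpected heap columns: " + line.strip())
        return {"total": total, "free": free, "used": used}
    return None

def assess_growth(outputs, interval_s, min_growth=16 * 1024 * 1024):
    """Flag sustained growth in used kernel heap across equally spaced samples."""
    rows = [r for r in (parse_kernel_heap(o) for o in outputs) if r]
    if len(rows) < 2:
        return {"suspect": False, "growth": 0, "seconds_to_exhaustion": None}
    used = [r["used"] for r in rows]
    growth = used[-1] - used[0]
    # Require every sample to be higher than the one before it.
    monotonic = all(b > a for a, b in zip(used, used[1:]))
    suspect = monotonic and growth >= min_growth
    eta = None
    if suspect:
        rate = growth / (interval_s * (len(rows) - 1))  # bytes per second
        eta = int(rows[-1]["free"] / rate)
    return {"suspect": suspect, "growth": growth, "seconds_to_exhaustion": eta}

if __name__ == "__main__":
    print(assess_growth(SAMPLES, interval_s=300))
```

Feed it one captured output per polling cycle for each FPC; a flat or fluctuating series is not flagged, only strictly increasing usage above the threshold.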

This issue affects:

Juniper Networks Junos OS on QFX10002-32Q, QFX10002-60C, QFX10002-72Q, QFX10008, QFX10016:

  • 16.1 versions 16.1R1 and above prior to 17.3 versions prior to 17.3R3-S9;
  • 17.4 versions prior to 17.4R3-S2;
  • 18.1 versions prior to 18.1R3-S11;
  • 18.2 versions prior to 18.2R3-S5;
  • 18.3 versions prior to 18.3R3-S3;
  • 18.4 versions prior to 18.4R2-S5, 18.4R3-S4;
  • 19.1 versions prior to 19.1R3-S2;
  • 19.2 versions prior to 19.2R3;
  • 19.3 versions prior to 19.3R3;
  • 19.4 versions prior to 19.4R3;
  • 20.1 versions prior to 20.1R2.
  • This issue does not affect releases prior to Junos OS 16.1R1.

This issue does not affect EX Series devices.

This issue does not affect Junos OS Evolved.

This issue occurs in composite next hop EVPN-VXLAN scenarios. Having chained-composite-next-hop (CHN) configured is not a requirement; the issue can still affect EVPN pure type 5 deployments with VXLAN encapsulation.

See https://kb.juniper.net/KB32854 for further configuration details.

# configure access links:
[interfaces <> unit 0 family ethernet-switching interface-mode trunk]
[interfaces <> unit 0 family ethernet-switching vlan-members <>]
...
# configure the core link
[interfaces <> unit 0 family inet address <>]

# configure loopback address
[interfaces lo0 unit 0 family inet address <>]

# configure IRB
[interfaces irb unit 1 family inet address <>]

# evpn
[protocols evpn encapsulation vxlan]
[protocols evpn extended-vni-list <>]
[routing-options router-id <>]
[routing-options autonomous-system 100]

[protocols bgp group pe type internal]
[protocols bgp group pe local-address <>]
[protocols bgp group pe family evpn signaling]
[protocols bgp group pe neighbor <>]

[protocols ospf area 0.0.0.0 interface lo0 passive]
[protocols ospf area 0.0.0.0 interface <>]

[switch-options route-distinguisher <>]
[switch-options vrf-target target:1:1]
[switch-options vtep-source-interface lo0.0]

[vlans <> vlan-id <>]
[vlans <> vxlan vni <>]
[vlans <> l3-interface irb.1]

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was found during internal product security testing or research.

This issue has been assigned CVE-2021-0272.

Solution:

The following software releases have been updated to resolve this specific issue: 17.3R3-S9, 17.4R3-S2, 18.1R3-S11, 18.2R3-S5, 18.3R3-S3, 18.4R2-S5, 18.4R3-S4, 19.1R3-S2, 19.2R3, 19.3R3, 19.4R3, 20.1R2, 20.2R1, and all subsequent releases.

This issue is being tracked as 1486614.

Workaround:
There are no known workarounds for this issue.
Implementation:
Software releases or updates are available for download at https://support.juniper.net/support/downloads/
Modification History:
2021-04-14: Initial Publication.
CVSS Score:
6.5 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Severity Level:
Medium
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
