2021-04 Security Bulletin: Junos OS and Junos OS Evolved: Trio Chipset: Denial of Service due to packet destined to device's interfaces. (CVE-2021-0273)

Article ID: JSA11164 SECURITY_ADVISORIES Last Updated: 14 Apr 2021 Version: 2.0
Product Affected:
This issue affects Junos OS 15.1, 16.1, 17.1, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4. Affected platforms: ACX5800, EX9200 Series, MX10000 Series, MX240, MX480, MX960. This issue affects Junos OS Evolved 19.4. Affected platforms: ACX5800, EX9200 Series, MX10000 Series, MX240, MX480, MX960.
Problem:

An always-incorrect control flow implementation in the implicit filter terms of Juniper Networks Junos OS and Junos OS Evolved on ACX5800, EX9200 Series, MX10000 Series, MX240, MX480, MX960 devices with affected Trio line cards allows an attacker to exploit an interdependency in the PFE UCODE microcode of the Trio chipset with various line cards. Packets destined to the device's interfaces then cause a Denial of Service (DoS) condition, because the packet loops with an unreachable exit condition ('Infinite Loop'). To break this loop once it begins, one side of the affected LT interfaces must be disabled. Once it is disabled, the condition clears and the disabled LT interface can be re-enabled.

Continued receipt and processing of these packets will create a sustained Denial of Service (DoS) condition.

This issue only affects LT-LT interfaces. Any other interfaces are not affected by this issue.

This issue affects the following cards:

MPCE Type 3 3D
MPC4E 3D 32XGE
MPC4E 3D 2CGE+8XGE
EX9200 32x10G SFP
EX9200-2C-8XS
FPC Type 5-3D
FPC Type 5-LSR
EX9200 4x40G QSFP

An Indicator of Compromise (IoC) can be seen by examining the traffic of the LT-LT interfaces for excessive traffic using the following command:

monitor interface traffic

Before loop impact:

Interface: lt-2/0/0, Enabled, Link is Up
Encapsulation: Logical-tunnel, Speed: 100000mbps
Traffic statistics: Current delta
Input bytes: 3759900268942 (1456 bps) [0] <---------- LT interface utilization is low
Output bytes: 3759900344309 (1456 bps) [0] <---------- LT interface utilization is low

After loop impact:

Interface: lt-2/0/0, Enabled, Link is Up
Encapsulation: Logical-tunnel, Speed: 100000mbps
Traffic statistics: Current delta
Input bytes: 3765160313129 (2158268368 bps) [5260044187] <---------- LT interface utilization is very high
Output bytes: 3765160399522 (2158266440 bps) [5260055213] <---------- LT interface utilization is very high
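
The check described above can be automated over saved `monitor interface traffic` output. The following is an added example, not Juniper's code: it parses output in the layout shown and lists lt- interfaces whose input and output rates both exceed a threshold. The 1 Gbps threshold, the function names and the xe-0/0/0 block are assumptions made for illustration.

```python
import re

# Assumed alert threshold (not from the advisory): both directions above 1 Gbps.
THRESHOLD_BPS = 1_000_000_000

IFACE_RE = re.compile(r"^Interface:\s*(?P<name>[\w/.:-]+),")
RATE_RE = re.compile(r"^(?P<dir>Input|Output) bytes:\s*\d+\s*\((?P<bps>\d+) bps\)")

def parse_rates(text):
    """Return {interface: {"input": bps, "output": bps}} from captured output."""
    rates, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = IFACE_RE.match(line)
        if m:
            current = m.group("name")
            rates[current] = {}
            continue
        m = RATE_RE.match(line)
        if m and current:
            rates[current][m.group("dir").lower()] = int(m.group("bps"))
    return rates

def suspect_lt_loops(text, threshold_bps=THRESHOLD_BPS):
    """List lt- interfaces whose input AND output rates exceed the threshold."""
    hits = []
    for name, r in parse_rates(text).items():
        if not name.startswith("lt-"):
            continue  # the advisory limits the issue to LT-LT interfaces
        if min(r.get("input", 0), r.get("output", 0)) > threshold_bps:
            hits.append(name)
    return hits

# lt-2/0/0 figures are the advisory's samples; the xe-0/0/0 block is constructed
# to show that a busy non-LT interface is not reported.
BEFORE = """\
Interface: lt-2/0/0, Enabled, Link is Up
Input bytes: 3759900268942 (1456 bps) [0]
Output bytes: 3759900344309 (1456 bps) [0]
"""
AFTER = """\
Interface: lt-2/0/0, Enabled, Link is Up
Input bytes: 3765160313129 (2158268368 bps) [5260044187]
Output bytes: 3765160399522 (2158266440 bps) [5260055213]
Interface: xe-0/0/0, Enabled, Link is Up
Input bytes: 900000000000 (5000000000 bps) [12000000000]
Output bytes: 900000000000 (5000000000 bps) [12000000000]
"""

if __name__ == "__main__":
    print(suspect_lt_loops(BEFORE), suspect_lt_loops(AFTER))
```

Set the threshold from the normal baseline of the LT interfaces on the device being monitored.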

This issue affects:

Juniper Networks Junos OS on ACX5800, EX9200 Series, MX10000 Series, MX240, MX480, MX960.

  • Versions 15.1F6, 16.1R1, and later versions prior to 16.1R7-S8;
  • 17.1 versions prior to 17.1R2-S12;
  • 17.2 versions prior to 17.2R3-S4;
  • 17.3 versions prior to 17.3R3-S8;
  • 17.4 versions prior to 17.4R2-S10, 17.4R3-S2;
  • 18.1 versions prior to 18.1R3-S10;
  • 18.2 versions prior to 18.2R2-S7, 18.2R3-S3;
  • 18.3 versions prior to 18.3R1-S7, 18.3R3-S2;
  • 18.4 versions prior to 18.4R1-S7, 18.4R2-S4, 18.4R3-S2;
  • 19.1 versions prior to 19.1R1-S5, 19.1R2-S1, 19.1R3;
  • 19.2 versions prior to 19.2R1-S4, 19.2R2;
  • 19.3 versions prior to 19.3R2-S3, 19.3R3;
  • 19.4 versions prior to 19.4R1-S1, 19.4R2.

This issue does not affect the MX10001.

  • This issue does not affect Juniper Networks Junos OS versions prior to 15.1F6, 16.1R1.

Juniper Networks Junos OS Evolved on ACX5800, EX9200 Series, MX10000 Series, MX240, MX480, MX960

19.4 versions prior to 19.4R2-EVO.

This issue does not affect the MX10001.

An example of an affected configuration is one where a Trio chipset line card is in use with a logical-tunnel interface set up to communicate to a second logical tunnel (LT-to-LT) interface.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2021-0273.

Solution:

The following software releases have been updated to resolve this specific issue:

Junos OS: 16.1R7-S8, 17.1R2-S12, 17.2R3-S4, 17.3R3-S8, 17.4R2-S10, 17.4R3-S2, 18.1R3-S10, 18.2R2-S7, 18.2R3-S3, 18.3R1-S7, 18.3R3-S2, 18.4R1-S7, 18.4R2-S4, 18.4R3-S2, 19.1R1-S5, 19.1R2-S1, 19.1R3, 19.2R1-S4, 19.2R2, 19.3R2-S3, 19.3R3, 19.4R1-S1, 19.4R2, 20.1R1, and all subsequent releases.

Junos OS Evolved: 19.4R2-EVO, 20.1R1-EVO, and all subsequent releases.

This issue is being tracked as 1478759.

Workaround:
There are no available workarounds for this issue.
Implementation:
Software releases or updates are available for download at https://support.juniper.net/support/downloads/
Modification History:
2021-04-14: Initial Publication.
CVSS Score:
5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Severity Level:
Medium
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
