
2021-07 Security Bulletin: Junos OS: PTX Series and QFX10K Series: Upon receipt of specific packets BFD sessions might flap due to DDoS policer implementation in Packet Forwarding Engine (CVE-2021-0280)


Article ID: JSA11184 SECURITY_ADVISORIES Last Updated: 14 Jul 2021Version: 1.0
Product Affected:
This issue affects Junos OS 17.4, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2, 20.3, 20.4. Affected platforms: PTX Series, QFX10K Series.
Problem:

Due to an Improper Initialization vulnerability in Juniper Networks Junos OS on PTX platforms and QFX10K Series with Paradise (PE) chipset-based line cards, ddos-protection configuration changes made from the CLI do not take effect as expected beyond the default DDoS (Distributed Denial of Service) settings in the Packet Forwarding Engine (PFE). This may cause BFD sessions to flap when a high rate of specific packets is received. Flapping of BFD sessions in turn may impact routing protocols and network stability, leading to a Denial of Service (DoS) condition. Continued receipt and processing of these packets will create a sustained Denial of Service (DoS) condition.

This issue affects only the following platforms with Paradise (PE) chipset-based line cards:

PTX1000, PTX3000 (NextGen), PTX5000, PTX10008, PTX10016 Series and QFX10002 Series.

This issue affects:

Juniper Networks Junos OS

  • 17.4 versions prior to 17.4R3-S5 on PTX Series, QFX10K Series;
  • 18.2 versions prior to 18.2R3-S8 on PTX Series, QFX10K Series;
  • 18.3 versions prior to 18.3R3-S5 on PTX Series, QFX10K Series;
  • 18.4 versions prior to 18.4R2-S8 on PTX Series, QFX10K Series;
  • 19.1 versions prior to 19.1R3-S5 on PTX Series, QFX10K Series;
  • 19.2 versions prior to 19.2R3-S2 on PTX Series, QFX10K Series;
  • 19.3 versions prior to 19.3R3-S2 on PTX Series, QFX10K Series;
  • 19.4 versions prior to 19.4R3-S2 on PTX Series, QFX10K Series;
  • 20.1 versions prior to 20.1R3 on PTX Series, QFX10K Series;
  • 20.2 versions prior to 20.2R2-S3, 20.2R3 on PTX Series, QFX10K Series;
  • 20.3 versions prior to 20.3R2 on PTX Series, QFX10K Series;
  • 20.4 versions prior to 20.4R2 on PTX Series, QFX10K Series.


Examples of the configuration stanzas affected by this issue:

[system ddos-protection global]
[system ddos-protection protocols]


Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2021-0280.
 

Solution:

The following software releases have been updated to resolve this specific issue: Junos OS 17.4R3-S5, 18.2R3-S8, 18.3R3-S5, 18.4R2-S8, 19.1R3-S5, 19.2R3-S2, 19.3R3-S2, 19.4R3-S2, 20.1R3, 20.2R2-S3, 20.2R3, 20.3R2, 20.4R2, 21.1R1, and all subsequent releases.

This issue is being tracked as 1564807.
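As an added example (not part of the advisory), a small Python checker that applies the affected-train and fixed-release lists above to a running Junos version string, so an operator can triage a device inventory. It assumes versions in the plain MAJOR.MINOR R<n>[-S<n>] form (other forms are rejected rather than guessed) and does not check the platform or line-card (PE chipset) scoping, which must be verified separately.

```python
import re
from typing import NamedTuple

# Fixed releases listed in JSA11184 / CVE-2021-0280; every later release in
# the same train is fixed too ("and all subsequent releases").
FIXED_RELEASES = [
    "17.4R3-S5", "18.2R3-S8", "18.3R3-S5", "18.4R2-S8", "19.1R3-S5",
    "19.2R3-S2", "19.3R3-S2", "19.4R3-S2", "20.1R3", "20.2R2-S3", "20.2R3",
    "20.3R2", "20.4R2", "21.1R1",
]

# Trains the advisory names as affected; other trains are out of scope here.
AFFECTED_TRAINS = {(17, 4), (18, 2), (18, 3), (18, 4), (19, 1), (19, 2),
                   (19, 3), (19, 4), (20, 1), (20, 2), (20, 3), (20, 4)}

class JunosVersion(NamedTuple):
    major: int
    minor: int
    release: int   # the R number
    service: int   # the -S number, 0 when absent

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?$")

def parse_version(text: str) -> JunosVersion:
    """Parse 'MAJOR.MINORR<n>[-S<n>]' (e.g. '20.2R2-S3'); reject other forms."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported Junos version string: {text!r}")
    major, minor, rel, svc = m.groups()
    return JunosVersion(int(major), int(minor), int(rel), int(svc or 0))

def is_fixed_by(v: JunosVersion, fixed: JunosVersion) -> bool:
    """True if v is the fixed release, a later -S on its R line, or a later R."""
    if (v.major, v.minor) != (fixed.major, fixed.minor):
        return False   # a fix in another train says nothing about this one
    if v.release == fixed.release:
        return v.service >= fixed.service
    return v.release > fixed.release

def is_vulnerable(version: str) -> bool:
    """True when version is in an affected train and below every fix for it."""
    v = parse_version(version)
    if (v.major, v.minor) not in AFFECTED_TRAINS:
        return False   # 21.1R1 and later, or trains the advisory does not list
    fixes = [parse_version(f) for f in FIXED_RELEASES]
    return not any(is_fixed_by(v, f) for f in fixes)
```

For 20.2 the two listed fixes (20.2R2-S3 and 20.2R3) are handled together, so 20.2R2-S2 is flagged while 20.2R2-S3, 20.2R3 and later are not.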
 

Workaround:

The default ukern policer rate can be reduced by the CLI command:

set system ddos-protection protocols <protocol-group> <aggregate | packet-type> bandwidth <packets-per-second> burst <size>
 
Implementation:
Software releases or updates are available for download at https://support.juniper.net/support/downloads/
 
Modification History:
2021-07-14: Initial Publication.

CVSS Score:
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Severity Level:
High
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
