
2021-07 Security Bulletin: Junos OS: User-defined ARP Policer isn't applied on Aggregated Ethernet (AE) interface until firewall process is restarted


Article ID: JSA11191 SECURITY_ADVISORIES Last Updated: 14 Jul 2021 Version: 1.0
Product Affected:
This issue affects Junos OS 15.1, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.4, 20.1, 20.2, 20.3, 20.4, 21.1. This issue affects SRX Series on Junos OS 18.4, 19.4, 20.1, 20.3, 20.4, 21.1.
Problem:

When a user-defined ARP Policer is configured and applied on one or more Aggregated Ethernet (AE) interface units, a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability between the Device Control Daemon (DCD) and the firewall process (dfwd) of Juniper Networks Junos OS allows an attacker to bypass the user-defined ARP Policer. In this particular case the user-defined ARP Policer is replaced with the default ARP Policer.

To compare the intended ARP Policers with the actual state, run the command "show interfaces <> extensive" and review the output. See further details below.

An example output is:

show interfaces extensive | match policer
Policer: Input: __default_arp_policer__ <<< incorrect if user ARP Policer was applied on an AE interface and the default ARP Policer is displayed
Policer: Input: jtac-arp-ae5.317-inet-arp <<< correct if user ARP Policer was applied on an AE interface

For all platforms, except SRX Series:

This issue affects Juniper Networks Junos OS:

  • 5.6R1 and all later versions, up to and including 18.4 versions prior to 18.4R2-S9, 18.4R3-S9, with the exception of 15.1 versions 15.1R7-S10 and later versions;
  • 19.4 versions prior to 19.4R3-S3;
  • 20.1 versions prior to 20.1R3;
  • 20.2 versions prior to 20.2R3-S2;
  • 20.3 version 20.3R1 and later versions;
  • 20.4 versions prior to 20.4R3;
  • 21.1 versions prior to 21.1R2;

This issue does not affect Juniper Networks Junos OS versions prior to 5.6R1.

On SRX Series this issue affects Juniper Networks Junos OS:

  • 18.4 versions prior to 18.4R2-S9, 18.4R3-S9;
  • 19.4 versions prior to 19.4R3-S4;
  • 20.1 versions prior to 20.1R3;
  • 20.2 versions prior to 20.2R3-S2;
  • 20.3 version 20.3R1 and later versions;
  • 20.4 versions prior to 20.4R3;
  • 21.1 versions prior to 21.1R2.

This issue does not affect 18.4 versions prior to 18.4R1 on SRX Series.

This issue does not affect Junos OS Evolved.

First, in configuration mode, check whether any user-defined ARP Policers are configured on an AE interface:

show configuration | display set | match jtac-arp
set groups jtac-arp-policer interfaces ae5 unit <*> family inet policer arp jtac-arp <<< this shows user arp policer configured on all ae interfaces

Next, validate which ARP Policer is actually installed by using the operational-mode CLI command "show interfaces extensive | match policer":

show interfaces extensive | match policer
Policer: Input: __default_arp_policer__ <<< incorrect if user arp policer was applied on ae interface and default arp policer is displayed
Policer: Input: jtac-arp-ae5.317-inet-arp <<< correct if user arp policer was applied on ae interface
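The two checks above (configured versus installed ARP Policer) can be automated so that an operator, or a monitoring job, spots AE units that have silently fallen back to the default policer. The following is an added example, not code from Juniper or from this advisory: it parses a constructed "display set" line and a constructed excerpt of "show interfaces extensive" output (both assumptions, in the style of the advisory) and reports the AE units that need a firewall restart.

```python
import re
# Constructed sample of "show interfaces extensive" (not from the advisory): ae5.317
# still carries the default ARP policer, ae5.318 carries the user-defined one.
SHOW_INTERFACES_EXTENSIVE = """\
Physical interface: ae5, Enabled, Physical link is Up
  Logical interface ae5.317 (Index 340) (SNMP ifIndex 550)
    Protocol inet, MTU: 1500
      Policer: Input: __default_arp_policer__
  Logical interface ae5.318 (Index 341) (SNMP ifIndex 551)
    Protocol inet, MTU: 1500
      Policer: Input: jtac-arp-ae5.318-inet-arp
"""
# Constructed "show configuration | display set" line, in the advisory's style.
CONFIG_SET = "set groups jtac-arp-policer interfaces ae5 unit <*> family inet policer arp jtac-arp\n"

DEFAULT_ARP_POLICER = "__default_arp_policer__"
CFG_RE = re.compile(r"interfaces (\S+) unit (\S+) family inet policer arp (\S+)")
LOGICAL_RE = re.compile(r"^\s*Logical interface (\S+)")
POLICER_RE = re.compile(r"^\s*Policer: Input: (\S+)")

def configured_arp_policers(config_text):
    """Map physical interface -> {unit: policer} from 'display set' lines."""
    cfg = {}
    for ifd, unit, policer in CFG_RE.findall(config_text):
        cfg.setdefault(ifd, {})[unit] = policer
    return cfg

def installed_arp_policers(show_text):
    """Map logical interface (e.g. ae5.317) -> input policer actually installed."""
    installed, current = {}, None
    for line in show_text.splitlines():
        if m := LOGICAL_RE.match(line):
            current = m.group(1)
        elif current and (m := POLICER_RE.match(line)):
            installed[current] = m.group(1)
    return installed

def find_bypassed_units(config_text, show_text):
    """AE units with a user ARP policer configured but the default one installed."""
    cfg = configured_arp_policers(config_text)
    bad = []
    for ifl, policer in installed_arp_policers(show_text).items():
        if "." not in ifl:
            continue
        ifd, unit = ifl.split(".", 1)
        units = cfg.get(ifd, {})
        if ifd.startswith("ae") and ("<*>" in units or unit in units) \
                and policer == DEFAULT_ARP_POLICER:
            bad.append(ifl)  # dfwd never picked up the user policer
    return bad

if __name__ == "__main__":
    print(find_bypassed_units(CONFIG_SET, SHOW_INTERFACES_EXTENSIVE))  # ['ae5.317']
```

Any unit listed in the result is one where the documented recovery step, restarting the firewall process, applies.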

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2021-0289.

Solution:

The following software releases have been updated to resolve this specific issue. For all platforms except SRX Series: Junos OS 15.1R7-S10, 18.4R2-S9, 18.4R3-S9, 19.4R3-S4, 20.1R3, 20.2R3-S2, 20.4R3, 21.1R2, 21.2R1, and all subsequent releases. On SRX Series: Junos OS 18.4R2-S9, 18.4R3-S9, 19.4R3-S4, 20.1R3, 20.4R3, 21.1R2, 21.2R1, and all subsequent releases.

This issue is being tracked as 1528403.

Workaround:

There is no workaround for this issue.

If affected by this issue, to recover from its impact, restart the firewall process to update the ARP Policer on the AE interface unit(s).

From the CLI issue:

cli> restart firewall

Note: no side effects should be seen from restarting the firewall process with this command.

Implementation:
Software releases or updates are available for download at https://support.juniper.net/support/downloads/
 
Modification History:
2021-07-14: Initial Publication.

CVSS Score:
6.5 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Severity Level:
Medium
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Related Links
