CVE-2020-1617

Name of the Vulnerable Software and Affected Versions: Juniper Networks Junos OS versions prior to 17.4R2-S9, 17.4R3 on PTX1000 and PTX10000 Series, QFX10000 Series Juniper Networks Junos OS 18.1 versions prior to 18.1R3-S9 on PTX1000 and PTX10000 Series, QFX10000 Series Juniper Networks Junos OS 18.2X75 versions prior to 18.2X75-D12, 18.2X75-D30 on PTX1000 and PTX10000 Series, QFX10000 Series Juniper Networks Junos OS 18.2 versions prior to 18.2R3 on PTX1000 and PTX10000 Series, QFX10000 Series Juniper Networks Junos OS 18.3 versions prior to 18.3R3 on PTX1000 and PTX10000 Series, QFX10000 Series

Description: This issue is related to an improper initialization of memory in the packet forwarding architecture in Juniper Networks Junos OS non-AFI/AFT platforms. The vulnerability may lead to a Denial of Service (DoS) condition when a genuine packet is received and inspected by non-AFT/AFI sFlow and when the device is also configured with firewall policers. The first genuine packet received and inspected by sampled flow (sFlow) through a specific firewall policer will cause the device to reboot. After the reboot has completed, if the device receives and sFlow inspects another genuine packet seen through a specific firewall policer, the device will generate a core file and reboot. Continued inspection of these genuine packets will create an extended Denial of Service (DoS) condition.

Recommendations: For Juniper Networks Junos OS versions prior to 17.4R2-S9, update to version 17.4R2-S9 or later. For Juniper Networks Junos OS 18.1 versions prior to 18.1R3-S9, update to version 18.1R3-S9 or later. For Juniper Networks Junos OS 18.2X75 versions prior to 18.2X75-D12, update to version 18.2X75-D12 or later. For Juniper Networks Junos OS 18.2 versions prior to 18.2R3, update to version 18.2R3 or later. For Juniper Networks Junos OS 18.3 versions prior to 18.3R3, update to version 18.3R3 or later. As a temporary workaround, consider disabling the sFlow inspection on firewall policers until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the sFlow parameter in the affected API endpoint until the issue is resolved.