CVE-2023-22410

Name of the Vulnerable Software and Affected Versions Juniper Networks Junos OS on MX Series versions prior to 20.2R3-S5 Juniper Networks Junos OS on MX Series version 20.3R1 and later versions

Description A Missing Release of Memory after Effective Lifetime issue in the Juniper Networks Junos OS on MX Series platforms with MPC10/MPC11 line cards allows an unauthenticated adjacent attacker to cause a Denial of Service (DoS). Devices are only vulnerable when the Suspicious Control Flow Detection (scfd) feature is enabled. Upon enabling this feature, an attacker sending specific traffic causes memory to be allocated dynamically and it is not freed, even after deactivating the feature. Sustained processing of such traffic leads to an out of memory condition that prevents all services from continuing to function and requires a manual restart to recover. The FPC memory usage can be monitored using the CLI command "show chassis fpc" to detect the memory leak.

Recommendations For Juniper Networks Junos OS on MX Series versions prior to 20.2R3-S5, update to version 20.2R3-S5 or later to resolve the issue. For Juniper Networks Junos OS on MX Series version 20.3R1 and later versions, consider disabling the Suspicious Control Flow Detection (scfd) feature as a temporary workaround until a patch is available. As a mitigation measure, restrict access to the AftDdosScfdFlow memory to minimize the risk of exploitation. Monitor the FPC memory usage using the CLI command "show chassis fpc" to detect potential memory leaks.