PT-2023-1290 · Juniper Networks · Junos

Published 2023-01-11 · Updated 2023-01-24 · CVE-2023-22408

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Juniper Networks Junos OS on SRX 5000 Series:
- versions 20.4 through 20.4R3-S4
- versions 21.1 through 21.1R3-S3
- versions 21.2 through 21.2R3-S2
- versions 21.3 through 21.3R3-S2
- versions 21.4 through 21.4R3-S1
- versions 22.1 through 22.1R2-S1
- versions 22.2 through 22.2R2
- versions 22.3 through 22.3R0
Description

The issue is caused by improper validation of an array index in the SIP ALG of Juniper Networks Junos OS on SRX 5000 Series, allowing a network-based, unauthenticated attacker to cause a Denial of Service (DoS). When an attacker sends SIP packets with a malformed SDP field, the SIP ALG cannot process them, leading to an FPC crash and restart. Continued receipt of these specific packets will lead to a sustained Denial of Service. This issue can only occur when both call distribution and SIP ALG are enabled.
Recommendations

- For versions 20.4 through 20.4R3-S4, update to version 20.4R3-S5 or later.
- For versions 21.1 through 21.1R3-S3, update to version 21.1R3-S4 or later.
- For versions 21.2 through 21.2R3-S2, update to version 21.2R3-S3 or later.
- For versions 21.3 through 21.3R3-S2, update to version 21.3R3-S3 or later.
- For versions 21.4 through 21.4R3-S1, update to version 21.4R3-S2 or later.
- For versions 22.1 through 22.1R2-S1, update to version 22.1R2-S2 or later.
- For versions 22.2 through 22.2R2, update to version 22.2R3 or later.
- For versions 22.3 through 22.3R0, update to version 22.3R1-S1 or later.

As a temporary workaround, consider disabling the SIP ALG until a patch is available. To confirm whether SIP ALG is enabled, use the following command; an output line reading "SIP : Enabled" means the ALG is on:

user@host> show security alg status | match sip
SIP : Enabled
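An added helper (not part of the advisory or of Juniper's tooling) that encodes the affected ranges and fixed versions listed above, so an inventory of SRX 5000 devices can be checked against this advisory, and that parses the SIP ALG status line from the CLI check. The Junos version grammar it accepts (major.minor, optional R release, optional -S service release) is an assumption covering the forms used on this page.

```python
import re
from typing import Optional, Tuple

# Affected ranges and first fixed versions exactly as published in this advisory.
# Each entry: (first affected, last affected, first fixed).
AFFECTED = [
    ("20.4", "20.4R3-S4", "20.4R3-S5"),
    ("21.1", "21.1R3-S3", "21.1R3-S4"),
    ("21.2", "21.2R3-S2", "21.2R3-S3"),
    ("21.3", "21.3R3-S2", "21.3R3-S3"),
    ("21.4", "21.4R3-S1", "21.4R3-S2"),
    ("22.1", "22.1R2-S1", "22.1R2-S2"),
    ("22.2", "22.2R2", "22.2R3"),
    ("22.3", "22.3R0", "22.3R1-S1"),
]

# Assumed version grammar: MAJOR.MINOR[R<rel>[.<build>]][-S<svc>[.<build>]].
# Trailing build numbers are ignored: a build of 20.4R3-S4 is still 20.4R3-S4.
_VER = re.compile(r"^(\d+)\.(\d+)(?:R(\d+)(?:\.\d+)?)?(?:-S(\d+)(?:\.\d+)?)?$")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Turn '21.4R3-S1' into a comparable (major, minor, release, service) tuple.
    A bare train such as '20.4' maps to (20, 4, 0, 0) so it sorts before 20.4R1,
    matching the advisory's 'versions 20.4 through ...' wording."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {v!r}")
    major, minor, rel, svc = m.groups()
    return (int(major), int(minor), int(rel or 0), int(svc or 0))


def assess(version: str) -> Optional[str]:
    """Return the first fixed version when `version` lies inside one of the
    advisory's affected ranges, otherwise None. Trains the advisory does not
    list (e.g. 19.4 or 22.4) are reported as not affected, as the page states."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED:
        if parse_version(lo) <= v <= parse_version(hi):
            return fixed
    return None


def sip_alg_enabled(cli_output: str) -> bool:
    """Parse output of 'show security alg status | match sip' and report whether
    the SIP ALG is enabled, i.e. whether the workaround still needs applying."""
    m = re.search(r"^\s*SIP\s*:\s*(\w+)", cli_output, re.MULTILINE)
    return m is not None and m.group(1).lower() == "enabled"
```

A device is exposed only if assess() returns a fixed version and sip_alg_enabled() is true (plus call distribution being on, which this helper does not check).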

Fix

DoS

Weakness Enumeration

Improper Validation of Array Index

Related Identifiers

BDU:2023-00567
CVE-2023-22408

Affected Products

Junos