PT-2023-6082 · Juniper Networks · Junos

Published

2023-10-12

·

Updated

2023-10-17

·

CVE-2023-36841

CVSS v2.0

7.8

High

VectorAV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions Juniper Networks Junos OS versions prior to 20.4R3-S7 Juniper Networks Junos OS version 21.1R1 and later versions Juniper Networks Junos OS versions prior to 21.2R3-S6 Juniper Networks Junos OS versions prior to 21.3R3-S5 Juniper Networks Junos OS versions prior to 21.4R3-S3 Juniper Networks Junos OS versions prior to 22.1R3-S4 Juniper Networks Junos OS versions prior to 22.2R3 Juniper Networks Junos OS versions prior to 22.3R2-S2 Juniper Networks Junos OS versions prior to 22.4R2
Description The issue is related to an Improper Check for Unusual or Exceptional Conditions vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series, allowing an unauthenticated network-based attacker to cause an infinite loop, resulting in a Denial of Service (DoS). An attacker who sends malformed TCP traffic via an interface configured with PPPoE causes an infinite loop on the respective PFE, consuming all resources and requiring a manual restart to recover. This issue affects interfaces with PPPoE configured and tcp-mss enabled.
Recommendations For versions prior to 20.4R3-S7, update to version 20.4R3-S7 or later. For version 21.1R1 and later versions, update to version 21.2R3-S6 or later. For versions prior to 21.2R3-S6, update to version 21.2R3-S6 or later. For versions prior to 21.3R3-S5, update to version 21.3R3-S5 or later. For versions prior to 21.4R3-S3, update to version 21.4R3-S3 or later. For versions prior to 22.1R3-S4, update to version 22.1R3-S4 or later. For versions prior to 22.2R3, update to version 22.2R3 or later. For versions prior to 22.3R2-S2, update to version 22.3R2-S2 or later. For versions prior to 22.4R2, update to version 22.4R2 or later. As a temporary workaround, consider disabling the tcp-mss feature on interfaces configured with PPPoE until a patch is available. Restrict access to the vulnerable Packet Forwarding Engine (PFE) to minimize the risk of exploitation. Avoid using the PPPoE interface until the issue is resolved.

Fix

DoS

Resource Exhaustion

Improper Resource Release

Weakness Enumeration

CWE-400CWE-404

Related Identifiers

BDU:2023-06785
CVE-2023-36841

Affected Products

Junos