supportportal.juniper.net
Open in
urlscan Pro
85.222.140.6
Public Scan
Submitted URL: https://supportportal.juniper.net/s/article/2023-10-Security-Bulletin-Junos-OS-MX-Series-An-FPC-crash-is-observed-when-CFM-is-enab...
Effective URL: https://supportportal.juniper.net/s/article/2023-10-Security-Bulletin-Junos-OS-MX-Series-An-FPC-crash-is-observed-when-CFM-is-enab...
Submission: On December 06 via api from IN — Scanned from DE
Effective URL: https://supportportal.juniper.net/s/article/2023-10-Security-Bulletin-Junos-OS-MX-Series-An-FPC-crash-is-observed-when-CFM-is-enab...
Submission: On December 06 via api from IN — Scanned from DE
Form analysis 3 forms found in the DOM
<form novalidate="">
<slot>
<slot>
<div c-kcs_headerlwc_kcs_headerlwc="" class="titleSection">
<p c-kcs_headerlwc_kcs_headerlwc="" class="slds-p-bottom_small">2023-10 Security Bulletin: Junos OS: MX Series: An FPC crash is observed when CFM is enabled in a VPLS scenario and a specific LDP related command is run (CVE-2023-44193)</p>
<div c-kcs_headerlwc_kcs_headerlwc="" class="slds-grid slds-wrap slds-m-top_xxx-small">
<div c-kcs_headerlwc_kcs_headerlwc="" class="headerSection">
<div c-kcs_headerlwc_kcs_headerlwc="" class="slds-m-top_small"><label c-kcs_headerlwc_kcs_headerlwc="" class="headerLabel slds-m-right_small">Article ID</label><span c-kcs_headerlwc_kcs_headerlwc=""
class="slds-m-right_large">JSA73157</span></div>
<div c-kcs_headerlwc_kcs_headerlwc="" class="slds-m-top_small"><label c-kcs_headerlwc_kcs_headerlwc="" class="headerLabel slds-m-right_small">Created</label><span c-kcs_headerlwc_kcs_headerlwc=""
class="slds-m-right_large">2023-10-11</span></div>
<div c-kcs_headerlwc_kcs_headerlwc="" class="slds-m-top_small"><label c-kcs_headerlwc_kcs_headerlwc="" class="headerLabel slds-m-right_small">Last Updated</label><span c-kcs_headerlwc_kcs_headerlwc=""
class="slds-m-right_large">2023-10-11</span></div>
</div>
<div c-kcs_headerlwc_kcs_headerlwc="" class="slds-text-align_right slds-no-print btnContainer"><button c-kcs_headerlwc_kcs_headerlwc="" class="slds-button headerbtn slds-m-right_x-small slds-m-top_small"><lightning-icon
c-kcs_headerlwc_kcs_headerlwc="" class="slds-m-right_x-small slds-icon-utility-print slds-icon_container" icon-name="utility:print"><span style="--sds-c-icon-color-background: var(--slds-c-icon-color-background, transparent)"
part="boundary"><lightning-primitive-icon size="x-small" variant=""><svg class="slds-icon slds-icon-text-default slds-icon_x-small" focusable="false" data-key="print" aria-hidden="true" viewBox="0 0 52 52" part="icon">
<g>
<g>
<path
d="M46.5 17.4h-41c-2.2 0-4 1.8-4 4v14c0 2.2 1.8 4 4 4h5.9v5.8c0 2.2 1.8 4 4 4h21.3c2.2 0 4-1.8 4-4v-5.8h5.9c2.2 0 4-1.8 4-4v-14c-.1-2.2-1.9-4-4.1-4zM8.3 27.7c-1.7 0-3-1.3-3-3s1.3-3 3-3 3 1.3 3 3-1.3 3-3 3zm27.6 15.4c0 .8-.7 1.5-1.5 1.5h-17c-.8 0-1.5-.7-1.5-1.5v-9.8c0-.8.7-1.5 1.5-1.5h17c.8 0 1.5.7 1.5 1.5v9.8zM40.5 11.1c0 .8-.7 1.5-1.5 1.5H12.8c-.8 0-1.5-.7-1.5-1.5V4.3c0-.8.7-1.5 1.5-1.5H39c.8 0 1.5.7 1.5 1.5v6.8z">
</path>
</g>
</g>
</svg></lightning-primitive-icon></span></lightning-icon>Print</button><button c-kcs_headerlwc_kcs_headerlwc="" class="slds-button headerbtn slds-m-top_small"><lightning-icon c-kcs_headerlwc_kcs_headerlwc=""
class="slds-m-right_x-small slds-icon-utility-user slds-icon_container" icon-name="utility:user"><span style="--sds-c-icon-color-background: var(--slds-c-icon-color-background, transparent)" part="boundary"><lightning-primitive-icon
size="x-small" variant=""><svg class="slds-icon slds-icon-text-default slds-icon_x-small" focusable="false" data-key="user" aria-hidden="true" viewBox="0 0 52 52" part="icon">
<g>
<path
d="M50 43v2.2c0 2.6-2.2 4.8-4.8 4.8H6.8C4.2 50 2 47.8 2 45.2V43c0-5.8 6.8-9.4 13.2-12.2l.6-.3c.5-.2 1-.2 1.5.1 2.6 1.7 5.5 2.6 8.6 2.6s6.1-1 8.6-2.6c.5-.3 1-.3 1.5-.1l.6.3C43.2 33.6 50 37.1 50 43zM26 2c6.6 0 11.9 5.9 11.9 13.2S32.6 28.4 26 28.4s-11.9-5.9-11.9-13.2S19.4 2 26 2z">
</path>
</g>
</svg></lightning-primitive-icon></span></lightning-icon>Report a Security Vulnerability</button></div>
</div>
</div>
</slot>
</slot>
</form><form novalidate="">
<slot>
<slot>
<div c-kcs_articleinfolwc_kcs_articleinfolwc="" class="detailSection">
<div c-kcs_articleinfolwc_kcs_articleinfolwc="" class="slds-p-around_large section2">
<div c-kcs_articleinfolwc_kcs_articleinfolwc="" class="slds-grid slds-wrap slds-m-top_medium">
<div c-kcs_articleinfolwc_kcs_articleinfolwc="" class="jsaDiv slds-p-right_medium"><label c-kcs_articleinfolwc_kcs_articleinfolwc="" class="slds-p-bottom_small">Product Affected</label><lightning-formatted-rich-text
c-kcs_articleinfolwc_kcs_articleinfolwc="" class="slds-p-bottom_large slds-rich-text-editor__output"><span part="formatted-rich-text">This issue affects all versions of Junos OS. Affected platforms: MX
Series.</span></lightning-formatted-rich-text></div>
<div c-kcs_articleinfolwc_kcs_articleinfolwc="" class="jsaDiv slds-m-bottom_small">
<div c-kcs_articleinfolwc_kcs_articleinfolwc="" class="severityJsa jsaBorder slds-m-right_medium"><label class="slds-p-bottom_x-small slds-p-top_x-small spanBlock slds-p-left_x-small slds-p-right_x-small"
c-kcs_articleinfolwc_kcs_articleinfolwc="">Severity</label><span c-kcs_articleinfolwc_kcs_articleinfolwc="" class="slds-p-bottom_x-small slds-p-top_xx-small slds-p-left_x-small slds-p-right_x-small"><lightning-formatted-rich-text
c-kcs_articleinfolwc_kcs_articleinfolwc="" class="slds-rich-text-editor__output"><span part="formatted-rich-text">Medium</span></lightning-formatted-rich-text></span></div>
<div c-kcs_articleinfolwc_kcs_articleinfolwc="" class="cvvscore jsaBorder"><label class="slds-p-bottom_x-small slds-p-top_x-small spanBlock slds-p-left_x-small slds-p-right_x-small" c-kcs_articleinfolwc_kcs_articleinfolwc="">Severity
Assessment (CVSS) Score</label><span c-kcs_articleinfolwc_kcs_articleinfolwc="" class="slds-p-bottom_x-small slds-p-top_xx-small slds-p-left_x-small slds-p-right_x-small"><lightning-formatted-rich-text
c-kcs_articleinfolwc_kcs_articleinfolwc="" class="slds-rich-text-editor__output"><span part="formatted-rich-text">5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)</span></lightning-formatted-rich-text></span></div>
</div>
</div><label c-kcs_articleinfolwc_kcs_articleinfolwc="" class="slds-p-bottom_small">Problem</label><lightning-formatted-rich-text c-kcs_articleinfolwc_kcs_articleinfolwc="" class="slds-p-bottom_large slds-rich-text-editor__output"><span
part="formatted-rich-text">
<p>An Improper Release of Memory Before Removing Last Reference vulnerability in Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows a local, low privileged attacker to cause an FPC crash, leading to Denial of Service
(DoS).</p>
<p><br>On all Junos MX Series with MPC1 - MPC9, LC480, LC2101, MX10003, and MX80, when Connectivity-Fault-Management (CFM) is enabled in a VPLS scenario, and a specific LDP related command is run, an FPC will crash and reboot. Continued
execution of this specific LDP command can lead to sustained Denial of Service condition.</p>
<p><br>This issue affects:</p>
<p>Juniper Networks Junos OS on MX Series</p>
<ul>
<li>All versions prior to 20.4R3-S7;</li>
<li>21.1 versions prior to 21.1R3-S5;</li>
<li>21.2 versions prior to 21.2R3-S4;</li>
<li>21.3 versions prior to 21.3R3-S4;</li>
<li>21.4 versions prior to 21.4R3-S3;</li>
<li>22.1 versions prior to 22.1R3-S1;</li>
<li>22.2 versions prior to 22.2R2-S1, 22.2R3;</li>
<li>22.3 versions prior to 22.3R1-S2, 22.3R2.</li>
</ul>
<p><br>For this issue to occur, following minimal configuration is required.</p>
<code>[ ldp interface <interface1> ]</code><br><code>[ interfaces <interface1> flexible-vlan-tagging ]</code><br><code>[ interfaces <interface1> encapsulation vlan-vpls ]</code><br><code>[ protocols oam ethernet
connectivity-fault-management maintenance-domain <md-name> interface <interface2> ]</code><br><code>[ routing-instances <md-name> instance-type vpls ]</code><br><code>[ routing-instances <md-name> interface
<interface1> ]</code>
<p><br>Juniper SIRT is not aware of any malicious exploitation of this vulnerability.</p>
<p><br>This issue was seen during production usage.</p>
<p><br>This issue has been assigned <a target="_blank" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44193">CVE-2023-44193</a>.</p>
</span></lightning-formatted-rich-text><label c-kcs_articleinfolwc_kcs_articleinfolwc="" class="slds-p-bottom_small">Solution</label><lightning-formatted-rich-text c-kcs_articleinfolwc_kcs_articleinfolwc=""
class="slds-p-bottom_large slds-rich-text-editor__output"><span part="formatted-rich-text">
<p>The following software releases have been updated to resolve this specific issue: 20.4R3-S7, 21.1R3-S5, 21.2R3-S4, 21.3R3-S4, 21.4R3-S3, 22.1R3-S1, 22.2R2-S1, 22.2R3, 22.3R1-S2, 22.3R2, 22.4R1, and all subsequent releases.</p>
<p><br>This issue is being tracked as PR <a target="_blank" href="https://prsearch.juniper.net/problemreport/PR1668419">1668419</a> which is visible on the Customer Support website.</p>
<p><br><strong>Note</strong>: Juniper SIRT's <a target="_blank" href="https://kb.juniper.net/KB16765">policy</a> is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).</p>
</span></lightning-formatted-rich-text><label c-kcs_articleinfolwc_kcs_articleinfolwc="" class="slds-p-bottom_small">Workaround</label><lightning-formatted-rich-text c-kcs_articleinfolwc_kcs_articleinfolwc=""
class="slds-p-bottom_large slds-rich-text-editor__output"><span part="formatted-rich-text">
<p>This issue can be avoided by disabling CFM MIP functionality.</p>
<code>[ protocols oam ethernet connectivity-fault-management maintenance-domain <md-name> mip-half-function none ]</code>
</span></lightning-formatted-rich-text><label c-kcs_articleinfolwc_kcs_articleinfolwc="" class="slds-p-bottom_small">Modification History</label><lightning-formatted-rich-text c-kcs_articleinfolwc_kcs_articleinfolwc=""
class="slds-p-bottom_large slds-rich-text-editor__output"><span part="formatted-rich-text">
<pre>2023-10-11: Initial Publication</pre>
</span></lightning-formatted-rich-text><label c-kcs_articleinfolwc_kcs_articleinfolwc="" class="slds-p-bottom_small">Related Information</label><lightning-formatted-rich-text c-kcs_articleinfolwc_kcs_articleinfolwc=""
class="slds-p-bottom_large slds-rich-text-editor__output"><span part="formatted-rich-text">
<ul>
<li><a target="_blank" href="/s/article/Overview-of-the-Juniper-Networks-SIRT-Quarterly-Security-Bulletin-Publication-Process">KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process</a></li>
<li><a target="_blank" href="/s/article/In-which-releases-are-vulnerabilities-fixed">KB16765: In which releases are vulnerabilities fixed?</a></li>
<li><a target="_blank" href="/s/article/Common-Vulnerability-Scoring-System-CVSS-and-Juniper-s-Security-Advisories">KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories</a></li>
<li><a target="_blank" href="https://www.juniper.net/security/report-vulnerability/">Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team</a></li>
<li><a target="_blank" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44193">CVE-2023-44193 at cve.mitre.org</a></li>
<li><a target="_blank" href="https://supportportal.juniper.net/JSA73152">https://supportportal.juniper.net/JSA73157</a></li>
</ul>
</span></lightning-formatted-rich-text>
</div><lightning-accordion c-kcs_articleinfolwc_kcs_articleinfolwc="" role="list" class="slds-accordion" lwc-4fpb0t2acsh-host="">
<div lwc-4fpb0t2acsh="" part="accordion">
<slot lwc-4fpb0t2acsh=""><lightning-accordion-section c-kcs_articleinfolwc_kcs_articleinfolwc="" role="listitem" class="slds-accordion__list-item" lwc-3tfn8c53l4v-host="">
<div lwc-3tfn8c53l4v="" class="slds-accordion__list-item">
<section lwc-3tfn8c53l4v="" class="slds-accordion__section" part="accordion-section">
<div lwc-3tfn8c53l4v="" class="slds-accordion__summary">
<h2 lwc-3tfn8c53l4v="" class="slds-accordion__summary-heading"><button lwc-3tfn8c53l4v="" class="section-control slds-button slds-button_reset slds-accordion__summary-action" type="button" aria-expanded="false"
aria-controls="lgt-accordion-section-21" part="button"><lightning-primitive-icon lwc-3tfn8c53l4v="" size="x-small"><svg class="slds-button__icon slds-button__icon_left slds-icon slds-icon-text-default slds-icon_x-small"
focusable="false" data-key="chevronright" aria-hidden="true" viewBox="0 0 52 52" part="icon">
<g>
<path d="M17.9 4.4l20.7 20.5c.6.6.6 1.6 0 2.2L17.9 47.6c-.6.6-1.6.6-2.2 0l-2.2-2.2c-.6-.6-.6-1.6 0-2.2l16.3-16.1c.6-.6.6-1.6 0-2.2L13.6 8.8c-.6-.6-.6-1.6 0-2.2l2.2-2.2c.6-.5 1.5-.5 2.1 0z"></path>
</g>
</svg></lightning-primitive-icon><span lwc-3tfn8c53l4v="" class="slds-accordion__summary-content" title="AFFECTED PRODUCT SERIES / FEATURES">AFFECTED PRODUCT SERIES / FEATURES</span></button></h2>
<slot lwc-3tfn8c53l4v="" name="actions"></slot>
</div>
<div lwc-3tfn8c53l4v="" class="slds-accordion__content" id="lgt-accordion-section-21" hidden="" aria-hidden="true">
<slot lwc-3tfn8c53l4v=""><c-kcs_affectedproduct-l-w-c c-kcs_articleinfolwc_kcs_articleinfolwc="" c-kcs_affectedproductlwc_kcs_affectedproductlwc-host="">
<div c-kcs_affectedproductlwc_kcs_affectedproductlwc="" class="afftedProd slds-m-top_small">
<a c-kcs_affectedproductlwc_kcs_affectedproductlwc="" href="https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=relevancy&f:level3=[MX-Series]">MX-Series</a></div>
</c-kcs_affectedproduct-l-w-c></slot>
</div>
</section>
</div>
</lightning-accordion-section></slot>
</div>
</lightning-accordion>
</div>
</slot>
</slot>
</form>POST
<form id="fileUploadForm" enctype="multipart/form-data" method="post" target="fileUploadIframe"><input type="file" id="fileSelector" name="file" style="display: none;"><input name="filename" type="hidden"></form>Text Content
Loading
×Sorry to interrupt
This page has an error. You might just need to refresh it. [LWC component's
@wire target property or method threw an error during value provisioning.
Original error: [Cannot read properties of undefined (reading
'ContentDocumentId')]] Failing descriptor: {markup://c:kCS_fileCompLWC}
Refresh
Skip to Main Content
Juniper Support Portal
* Home
* Knowledge
* Quick Links
* More
Expand search
SearchLoading
Close search
Log in
Knowledge BaseBack
2023-10 Security Bulletin: Junos OS: MX Series: An FPC crash is observed when
CFM is enabled in a VPLS scenario and a specific LDP related command is run
(CVE-2023-44193)
Article IDJSA73157
Created2023-10-11
Last Updated2023-10-11
PrintReport a Security Vulnerability
Product AffectedThis issue affects all versions of Junos OS. Affected platforms:
MX Series.
SeverityMedium
Severity Assessment (CVSS) Score5.5
(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Problem
An Improper Release of Memory Before Removing Last Reference vulnerability in
Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows a local, low
privileged attacker to cause an FPC crash, leading to Denial of Service (DoS).
On all Junos MX Series with MPC1 - MPC9, LC480, LC2101, MX10003, and MX80, when
Connectivity-Fault-Management (CFM) is enabled in a VPLS scenario, and a
specific LDP related command is run, an FPC will crash and reboot. Continued
execution of this specific LDP command can lead to sustained Denial of Service
condition.
This issue affects:
Juniper Networks Junos OS on MX Series
* All versions prior to 20.4R3-S7;
* 21.1 versions prior to 21.1R3-S5;
* 21.2 versions prior to 21.2R3-S4;
* 21.3 versions prior to 21.3R3-S4;
* 21.4 versions prior to 21.4R3-S3;
* 22.1 versions prior to 22.1R3-S1;
* 22.2 versions prior to 22.2R2-S1, 22.2R3;
* 22.3 versions prior to 22.3R1-S2, 22.3R2.
For this issue to occur, following minimal configuration is required.
[ ldp interface <interface1> ]
[ interfaces <interface1> flexible-vlan-tagging ]
[ interfaces <interface1> encapsulation vlan-vpls ]
[ protocols oam ethernet connectivity-fault-management maintenance-domain
<md-name> interface <interface2> ]
[ routing-instances <md-name> instance-type vpls ]
[ routing-instances <md-name> interface <interface1> ]
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was seen during production usage.
This issue has been assigned CVE-2023-44193.
Solution
The following software releases have been updated to resolve this specific
issue: 20.4R3-S7, 21.1R3-S5, 21.2R3-S4, 21.3R3-S4, 21.4R3-S3, 22.1R3-S1,
22.2R2-S1, 22.2R3, 22.3R1-S2, 22.3R2, 22.4R1, and all subsequent releases.
This issue is being tracked as PR 1668419 which is visible on the Customer
Support website.
Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).
Workaround
This issue can be avoided by disabling CFM MIP functionality.
[ protocols oam ethernet connectivity-fault-management maintenance-domain
<md-name> mip-half-function none ]Modification History
2023-10-11: Initial Publication
Related Information
* KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
Publication Process
* KB16765: In which releases are vulnerabilities fixed?
* KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
* Report a Security Vulnerability - How to Contact the Juniper Networks
Security Incident Response Team
* CVE-2023-44193 at cve.mitre.org
* https://supportportal.juniper.net/JSA73157
AFFECTED PRODUCT SERIES / FEATURES
MX-Series
PEOPLE ALSO VIEWED
2023-10 Security Bulletin: Junos OS: MX Series: Receipt of malformed TCP traffic
will cause a Denial of Service (CVE-2023-36841)
2023-10 Security Bulletin: Junos OS: QFX5000 Series, EX4600 Series: In a VxLAN
scenario an adjacent attacker within the VxLAN sending genuine packets may cause
a DMA memory leak to occur. (CVE-2023-44183)
2023-10 Security Bulletin: Junos OS: MX Series: In a PTP scenario a prolonged
routing protocol churn can trigger an FPC reboot (CVE-2023-44199)
2023-10 Security Bulletin: Junos OS: SRX Series and MX Series: SIP ALG doesn't
drop specifically malformed retransmitted SIP packets (CVE-2023-44198)
2023-10 Security Bulletin: Junos OS and Junos OS Evolved: In a BGP scenario RPD
crashes upon receiving and processing a specific malformed ISO VPN BGP UPDATE
packet (CVE-2023-44185)
2023-10 Security Bulletin: Junos OS: SRX Series: The PFE will crash on receiving
malformed SSL traffic when ATP is enabled (CVE-2023-36843)
2023-10 Security Bulletin: Junos OS and Junos OS Evolved: A local attacker can
retrieve sensitive information and elevate privileges on the device to an
authorized user. (CVE-2023-44201)
2023-10 Security Bulletin: Junos OS and Junos OS Evolved: Receipt of a specific
genuine PIM packet causes RPD crash (CVE-2023-44175)
2023-10 Security Bulletin: Junos OS: PTX Series and QFX10000 Series: Received
flow-routes which aren't installed as the hardware doesn't support them, lead to
an FPC heap memory leak (CVE-2023-22392)
2023-10 Security Bulletin: Junos OS and Junos OS Evolved: Multiple
Vulnerabilities in CLI command
2023-10 Security Bulletin: Junos OS: QFX5000 Series: DMA memory leak is observed
when specific DHCP packets are transmitted over pseudo-VTEP (CVE-2023-44192)
2023-10 Security Bulletin: Junos OS: QFX5000 Series and EX4000 Series: Denial of
Service (DoS) on a large scale VLAN due to PFE hogging (CVE-2023-44191)
Results 1-12 of 12
Live chat:
© 1999 - 2023 Juniper Networks, Inc.
All rights reserved
* Contacts
* Feedback
* Site Map
* Privacy Policy
* Legal Notices
* DMCA Policy
Loading