An improper interpretation conflict of certain data between certain software components within the Juniper Networks Junos OS devices does not allow certain traffic to pass through the device upon receipt from an ingress interface filtering certain specific types of traffic which is then being redirected to an egress interface on a different VLAN. This causes a Denial of Service (DoS) to those clients sending these particular types of traffic. Such traffic being sent by a client may appear genuine, but is non-standard in nature and should be considered as potentially malicious, and can be targeted to the device, or destined through it for the issue to occur. This issues affects IPv4 and IPv6 traffic. An indicator of compromise may be found by checking log files. You may find that traffic on the input interface has 100% of traffic flowing into the device, yet the egress interface shows 0 pps leaving the device. For example: [show interfaces "interface" statistics detail] Output between two interfaces would reveal something similar to: Ingress, first interface: -------------------- Interface Link Input packets (pps) Output packets (pps) et-0/0/0 Up 9999999999 (9999) 1 (0) -------------------- Egress, second interface: -------------------- Interface Link Input packets (pps) Output packets (pps) et-0/0/1 Up 0 (0) 9999999999 (0) -------------------- Dropped packets will not show up in DDoS monitoring/protection counters as issue is not caused by anti-DDoS protection mechanisms. This issue affects: Juniper Networks Junos OS: 17.3 versions prior to 17.3R3-S7 on NFX250, QFX5K Series, EX4600; 17.4 versions prior to 17.4R2-S11, 17.4R3-S3 on NFX250, QFX5K Series, EX4600; 18.1 versions prior to 18.1R3-S9 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4600; 18.2 versions prior to 18.2R3-S3 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600; 18.3 versions prior to 18.3R3-S1 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series; 18.4 versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series; 19.1 versions prior to 19.1R1-S5, 19.1R2-S1, 19.1R3 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series; 19.2 versions prior to 19.2R1-S5, 19.2R2 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series; 19.3 versions prior to 19.3R2-S3, 19.3R3 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series; 19.4 versions prior to 19.4R1-S2, 19.4R2 on NFX250, NFX350, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series. This issue does not affect Junos OS releases prior to 17.2R2.

When the "Intrusion Detection Service" (IDS) feature is configured on Juniper Networks MX series with a dynamic firewall filter using IPv6 source or destination prefix, it may incorrectly match the prefix as /32, causing the filter to block unexpected traffic. This issue affects only IPv6 prefixes when used as source and destination. This issue affects MX Series devices using MS-MPC, MS-MIC or MS-SPC3 service cards with IDS service configured. This issue affects: Juniper Networks Junos OS 17.3 versions prior to 17.3R3-S10 on MX Series; 17.4 versions prior to 17.4R3-S3 on MX Series; 18.1 versions prior to 18.1R3-S11 on MX Series; 18.2 versions prior to 18.2R3-S6 on MX Series; 18.3 versions prior to 18.3R3-S4 on MX Series; 18.4 versions prior to 18.4R3-S6 on MX Series; 19.1 versions prior to 19.1R2-S2, 19.1R3-S3 on MX Series; 19.2 versions prior to 19.2R3-S1 on MX Series; 19.3 versions prior to 19.3R2-S5, 19.3R3-S1 on MX Series; 19.4 versions prior to 19.4R3 on MX Series; 20.1 versions prior to 20.1R2 on MX Series; 20.2 versions prior to 20.2R2 on MX Series;

A sensitive information disclosure vulnerability in delta-export configuration utility (dexp) of Juniper Networks Junos OS may allow a locally authenticated shell user the ability to create and read database files generated by the dexp utility, including password hashes of local users. Since dexp is shipped with setuid permissions enabled and is owned by the root user, this vulnerability may allow a local privileged user the ability to run dexp with root privileges and access sensitive information in the dexp database. This issue affects Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S8; 15.1X49 versions prior to 15.1X49-D230; 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R2-S12, 17.4R3-S3; 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R3-S6; 18.2X75 versions prior to 18.2X75-D34; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R2-S7, 18.4R3-S6; 19.1 versions prior to 19.1R1-S6, 19.1R2-S2, 19.1R3-S3; 19.2 versions prior to 19.2R1-S5, 19.2R3-S1; 19.3 versions prior to 19.3R2-S5, 19.3R3-S1; 19.4 versions prior to 19.4R1-S3, 19.4R2-S2, 19.4R3-S1; 20.1 versions prior to 20.1R1-S4, 20.1R2; 20.2 versions prior to 20.2R1-S2, 20.2R2.

On Juniper Networks EX4300-MP Series, EX4600 Series and QFX5K Series deployed in a Virtual Chassis configuration, receipt of a stream of specific layer 2 frames can cause high CPU load, which could lead to traffic interruption. This issue does not occur when the device is deployed in Stand Alone configuration. The offending layer 2 frame packets can originate only from within the broadcast domain where the device is connected. This issue affects Juniper Networks Junos OS on EX4300-MP Series, EX4600 Series and QFX5K Series: 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2, 17.4R3-S3; 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R3-S5; 18.3 versions prior to 18.3R2-S4, 18.3R3-S3; 18.4 versions prior to 18.4R2-S5, 18.4R3-S4; 19.1 versions prior to 19.1R3-S2; 19.2 versions prior to 19.2R1-S5, 19.2R3; 19.3 versions prior to 19.3R2-S4, 19.3R3; 19.4 versions prior to 19.4R1-S3, 19.4R2-S1, 19.4R3; 20.1 versions prior to 20.1R1-S3, 20.1R2.

On Juniper Networks SRX Series and NFX Series, a local authenticated user with access to the shell may obtain the Web API service private key that is used to provide encrypted communication between the Juniper device and the authenticator services. Exploitation of this vulnerability may allow an attacker to decrypt the communications between the Juniper device and the authenticator service. This Web API service is used for authentication services such as the Juniper Identity Management Service, used to obtain user identity for Integrated User Firewall feature, or the integrated ClearPass authentication and enforcement feature. This issue affects Juniper Networks Junos OS on Networks SRX Series and NFX Series: 12.3X48 versions prior to 12.3X48-D105; 15.1X49 versions prior to 15.1X49-D190; 16.1 versions prior to 16.1R7-S8; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S11, 17.4R3; 18.1 versions prior to 18.1R3-S7; 18.2 versions prior to 18.2R3; 18.3 versions prior to 18.3R2-S4, 18.3R3; 18.4 versions prior to 18.4R1-S7, 18.4R2; 19.1 versions prior to 19.1R2; 19.2 versions prior to 19.2R1-S4, 19.2R2.

On Juniper Networks EX4300-MP Series, EX4600 Series and QFX5K Series deployed in (Ethernet VPN) EVPN-(Virtual Extensible LAN) VXLAN configuration, receipt of a stream of specific VXLAN encapsulated layer 2 frames can cause high CPU load, which could lead to network protocol operation issue and traffic interruption. This issue affects devices that are configured as a Layer 2 or Layer 3 gateway of an EVPN-VXLAN deployment. The offending layer 2 frames that cause the issue originate from a different access switch that get encapsulated within the same EVPN-VXLAN domain. This issue affects Juniper Networks Junos OS on EX4300-MP Series, EX4600 Series and QFX5K Series: 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2, 17.4R3-S3; 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R3-S5; 18.3 versions prior to 18.3R2-S4, 18.3R3-S3; 18.4 versions prior to 18.4R2-S5, 18.4R3-S4; 19.1 versions prior to 19.1R2-S2, 19.1R3-S2; 19.2 versions prior to 19.2R1-S5, 19.2R2-S1, 19.2R3; 19.3 versions prior to 19.3R2-S4, 19.3R3; 19.4 versions prior to 19.4R1-S3, 19.4R2-S1, 19.4R3; 20.1 versions prior to 20.1R1-S3, 20.1R2.

On Juniper Networks Junos OS devices configured with DHCPv6 relay enabled, receipt of a specific DHCPv6 packet might crash the jdhcpd daemon. The jdhcpd daemon automatically restarts without intervention, but continuous receipt of specific crafted DHCP messages will repeatedly crash jdhcpd, leading to an extended Denial of Service (DoS) condition. Only DHCPv6 packet can trigger this issue. DHCPv4 packet cannot trigger this issue. This issue affects Juniper Networks Junos OS: 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2, 17.4R3-S3; 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R3-S5; 18.3 versions prior to 18.3R2-S4, 18.3R3-S3; 18.4 versions prior to 18.4R2-S5, 18.4R3-S4; 19.1 versions prior to 19.1R2-S2, 19.1R3-S2; 19.2 versions prior to 19.2R1-S5, 19.2R2-S1, 19.2R3; 19.3 versions prior to 19.3R2-S4, 19.3R2-S4, 19.3R3; 19.4 versions prior to 19.4R1-S3, 19.4R2-S1, 19.4R3; 20.1 versions prior to 20.1R1-S3, 20.1R2.

On Juniper Networks EX4300 Series, receipt of a stream of specific IPv4 packets can cause Routing Engine (RE) high CPU load, which could lead to network protocol operation issue and traffic interruption. This specific packets can originate only from within the broadcast domain where the device is connected. This issue occurs when the packets enter to the IRB interface. Only IPv4 packets can trigger this issue. IPv6 packets cannot trigger this issue. This issue affects Juniper Networks Junos OS on EX4300 series: 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R3-S4; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2; 18.4 versions prior to 18.4R2-S4, 18.4R3-S2; 19.1 versions prior to 19.1R2-S2, 19.1R3-S1; 19.2 versions prior to 19.2R1-S5, 19.2R2-S1, 19.2R3; 19.3 versions prior to 19.3R2-S4, 19.3R3; 19.4 versions prior to 19.4R1-S3, 19.4R2; 20.1 versions prior to 20.1R1-S3, 20.1R2.

When DNS filtering is enabled on Juniper Networks Junos MX Series with one of the following cards MS-PIC, MS-MIC or MS-MPC, an incoming stream of packets processed by the Multiservices PIC Management Daemon (mspmand) process might be bypassed due to a race condition. Due to this vulnerability, mspmand process, responsible for managing "URL Filtering service", can crash, causing the Services PIC to restart. While the Services PIC is restarting, all PIC services including DNS filtering service (DNS sink holing) will be bypassed until the Services PIC completes its boot process. This issue affects Juniper Networks Junos OS: 17.3 versions prior to 17.3R3-S8; 18.3 versions prior to 18.3R3-S1; 18.4 versions prior to 18.4R3; 19.1 versions prior to 19.1R3; 19.2 versions prior to 19.2R2; 19.3 versions prior to 19.3R3. This issue does not affect Juniper Networks Junos OS 17.4, 18.1, and 18.2.

On Juniper Networks MX Series and EX9200 Series, in a certain condition the IPv6 Distributed Denial of Service (DDoS) protection might not take affect when it reaches the threshold condition. The DDoS protection allows the device to continue to function while it is under DDoS attack, protecting both the Routing Engine (RE) and the Flexible PIC Concentrator (FPC) during the DDoS attack. When this issue occurs, the RE and/or the FPC can become overwhelmed, which could disrupt network protocol operations and/or interrupt traffic. This issue does not affect IPv4 DDoS protection. This issue affects MX Series and EX9200 Series with Trio-based PFEs (Packet Forwarding Engines). Please refer to https://kb.juniper.net/KB25385 for the list of Trio-based PFEs. This issue affects Juniper Networks Junos OS on MX series and EX9200 Series: 17.2 versions prior to 17.2R3-S4; 17.2X75 versions prior to 17.2X75-D102, 17.2X75-D110; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2; 18.2 versions prior to 18.2R2-S7, 18.2R3, 18.2R3-S3; 18.2X75 versions prior to 18.2X75-D30; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2.

A stack buffer overflow vulnerability in the device control daemon (DCD) on Juniper Networks Junos OS allows a low privilege local user to create a Denial of Service (DoS) against the daemon or execute arbitrary code in the system with root privilege. This issue affects Juniper Networks Junos OS: 17.3 versions prior to 17.3R3-S9; 17.4 versions prior to 17.4R2-S12, 17.4R3-S3; 18.1 versions prior to 18.1R3-S11; 18.2 versions prior to 18.2R3-S6; 18.2X75 versions prior to 18.2X75-D53, 18.2X75-D65; 18.3 versions prior to 18.3R2-S4, 18.3R3-S4; 18.4 versions prior to 18.4R2-S5, 18.4R3-S5; 19.1 versions prior to 19.1R3-S3; 19.2 versions prior to 19.2R1-S5, 19.2R3; 19.3 versions prior to 19.3R2-S4, 19.3R3; 19.4 versions prior to 19.4R1-S3, 19.4R2-S2, 19.4R3; 20.1 versions prior to 20.1R1-S4, 20.1R2; 20.2 versions prior to 20.2R1-S1, 20.2R2. Versions of Junos OS prior to 17.3 are unaffected by this vulnerability.

On Juniper Networks Junos OS and Junos OS Evolved devices, BGP session flapping can lead to a routing process daemon (RPD) crash and restart, limiting the attack surface to configured BGP peers. This issue only affects devices with BGP damping in combination with accepted-prefix-limit configuration. When the issue occurs the following messages will appear in the /var/log/messages: rpd[6046]: %DAEMON-4-BGP_PREFIX_THRESH_EXCEEDED: XXXX (External AS x): Configured maximum accepted prefix-limit threshold(1800) exceeded for inet6-unicast nlri: 1984 (instance master) rpd[6046]: %DAEMON-3-BGP_CEASE_PREFIX_LIMIT_EXCEEDED: 2001:x:x:x::2 (External AS x): Shutting down peer due to exceeding configured maximum accepted prefix-limit(2000) for inet6-unicast nlri: 2001 (instance master) rpd[6046]: %DAEMON-4: bgp_rt_maxprefixes_check_common:9284: NOTIFICATION sent to 2001:x:x:x::2 (External AS x): code 6 (Cease) subcode 1 (Maximum Number of Prefixes Reached) AFI: 2 SAFI: 1 prefix limit 2000 kernel: %KERN-5: mastership_relinquish_on_process_exit: RPD crashed on master RE. Sending SIGUSR2 to chassisd (5612:chassisd) to trigger RE switchover This issue affects: Juniper Networks Junos OS: 17.2R3-S3; 17.3 version 17.3R3-S3 and later versions, prior to 17.3R3-S8; 17.4 version 17.4R2-S4, 17.4R3 and later versions, prior to 17.4R2-S10, 17.4R3-S2; 18.1 version 18.1R3-S6 and later versions, prior to 18.1R3-S10; 18.2 version 18.2R3 and later versions, prior to 18.2R3-S4; 18.2X75 version 18.2X75-D50, 18.2X75-D60 and later versions, prior to 18.2X75-D53, 18.2X75-D65; 18.3 version 18.3R2 and later versions, prior to 18.3R2-S4, 18.3R3-S2; 18.4 version 18.4R2 and later versions, prior to 18.4R2-S5, 18.4R3-S2; 19.1 version 19.1R1 and later versions, prior to 19.1R2-S2, 19.1R3-S1; 19.2 version 19.2R1 and later versions, prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S3, 19.3R3; 19.4 versions prior to 19.4R1-S3, 19.4R2; 20.1 versions prior to 20.1R1-S2, 20.1R2. Juniper Networks Junos OS Evolved prior to 20.1R2-EVO. This issue does not affect Juniper Networks Junos OS versions prior to 17.2R3-S3.

When DNS filtering is enabled on Juniper Networks Junos MX Series with one of the following cards MS-PIC, MS-MIC or MS-MPC, an incoming stream of packets processed by the Multiservices PIC Management Daemon (mspmand) process, responsible for managing "URL Filtering service", may crash, causing the Services PIC to restart. While the Services PIC is restarting, all PIC services including DNS filtering service (DNS sink holing) will be bypassed until the Services PIC completes its boot process. This vulnerability might allow an attacker to cause an extended Denial of Service (DoS) attack against the device and to cause clients to be vulnerable to DNS based attacks by malicious DNS servers when they send DNS requests through the device. As a result, devices which were once protected by the DNS Filtering service are no longer protected and at risk of exploitation. This issue affects Juniper Networks Junos OS: 17.3 versions prior to 17.3R3-S8; 18.3 versions prior to 18.3R3-S1; 18.4 versions prior to 18.4R3; 19.1 versions prior to 19.1R3; 19.2 versions prior to 19.2R2; 19.3 versions prior to 19.3R3. This issue does not affect Juniper Networks Junos OS 17.4, 18.1, and 18.2.

The DHCPv6 Relay-Agent service, part of the Juniper Enhanced jdhcpd daemon shipped with Juniper Networks Junos OS has an Improper Input Validation vulnerability which will result in a Denial of Service (DoS) condition when a DHCPv6 client sends a specific DHPCv6 message allowing an attacker to potentially perform a Remote Code Execution (RCE) attack on the target device. Continuous receipt of the specific DHCPv6 client message will result in an extended Denial of Service (DoS) condition. If adjacent devices are also configured to relay DHCP packets, and are not affected by this issue and simply transparently forward unprocessed client DHCPv6 messages, then the attack vector can be a Network-based attack, instead of an Adjacent-device attack. No other DHCP services are affected. Receipt of the packet without configuration of the DHCPv6 Relay-Agent service, will not result in exploitability of this issue. This issue affects Juniper Networks Junos OS: 12.3 versions prior to 12.3R12-S15; 12.3X48 versions prior to 12.3X48-D95; 14.1X53 versions prior to 14.1X53-D53; 15.1 versions prior to 15.1R7-S6; 15.1X49 versions prior to 15.1X49-D200; 15.1X53 versions prior to 15.1X53-D593; 16.1 versions prior to 16.1R7-S7; 16.2 versions prior to 16.2R2-S11; 17.1 versions prior to 17.1R2-S11, 17.1R3-S2; 17.2 versions prior to 17.2R3-S3; 17.2X75 versions prior to 17.2X75-D44; 17.3 versions prior to 17.3R3-S7; 17.4 versions prior to 17.4R2-S9, 17.4R3; 18.1 versions prior to 18.1R3-S9; 18.2 versions prior to 18.2R2-S6, 18.2R3-S2; 18.2X75 versions prior to 18.2X75-D12, 18.2X75-D33, 18.2X75-D435, 18.2X75-D60; 18.3 versions prior to 18.3R1-S7, 18.3R2-S3, 18.3R3-S1; 18.4 versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3; 19.1 versions prior to 19.1R1-S4, 19.1R2; 19.2 versions prior to 19.2R1-S3, 19.2R2; 19.3 versions prior to 19.3R2.

When a device running Juniper Networks Junos OS with MPC7, MPC8, or MPC9 line cards installed and the system is configured for inline IP reassembly, used by L2TP, MAP-E, GRE, and IPIP, the packet forwarding engine (PFE) will become disabled upon receipt of large packets requiring fragmentation, generating the following error messages: [LOG: Err] MQSS(0): WO: Packet Error - Error Packets 1, Connection 29 [LOG: Err] eachip_hmcif_rx_intr_handler(7259): EA[0:0]: HMCIF Rx: Injected checksum error detected on WO response - Chunk Address 0x0 [LOG: Err] MQSS(0): DRD: RORD1: CMD reorder ID error - Command 11, Reorder ID 1838, QID 0 [LOG: Err] MQSS(0): DRD: UNROLL0: HMC chunk length error in stage 5 - Chunk Address: 0x4321f3 [LOG: Err] MQSS(0): DRD: UNROLL0: HMC chunk address error in stage 5 - Chunk Address: 0x0 [LOG: Notice] Error: /fpc/8/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc), scope: pfe, category: functional, severity: major, module: MQSS(0), type: DRD_RORD_ENG_INT: CMD FSM State Error [LOG: Notice] Performing action cmalarm for error /fpc/8/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(0) with scope: pfe category: functional level: major [LOG: Notice] Performing action get-state for error /fpc/8/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(0) with scope: pfe category: functional level: major [LOG: Notice] Performing action disable-pfe for error /fpc/8/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(0) with scope: pfe category: functional level: major By continuously sending fragmented packets that cannot be reassembled, an attacker can repeatedly disable the PFE causing a sustained Denial of Service (DoS). This issue affects Juniper Networks Junos OS: 17.2 versions prior to 17.2R3-S4 on MX Series; 17.3 versions prior to 17.3R3-S8 on MX Series; 17.4 versions prior to 17.4R2-S10, 17.4R3-S2 on MX Series; 18.1 versions prior to 18.1R3-S10 on MX Series; 18.2 versions prior to 18.2R3-S3 on MX Series; 18.2X75 versions prior to 18.2X75-D41, 18.2X75-D430, 18.2X75-D65 on MX Series; 18.3 versions prior to 18.3R1-S7, 18.3R2-S4, 18.3R3-S1 on MX Series; 18.4 versions prior to 18.4R1-S7, 18.4R2-S4, 18.4R3 on MX Series; 19.1 versions prior to 19.1R1-S5, 19.1R2-S1, 19.1R3 on MX Series; 19.2 versions prior to 19.2R1-S4, 19.2R2 on MX Series; 19.3 versions prior to 19.3R2-S2, 19.3R3 on MX Series. This issue is specific to inline IP reassembly, introduced in Junos OS 17.2. Versions of Junos OS prior to 17.2 are unaffected by this vulnerability.

On Juniper Networks MX series, receipt of a stream of specific Layer 2 frames may cause a memory leak resulting in the packet forwarding engine (PFE) on the line card to crash and restart, causing traffic interruption. By continuously sending this stream of specific layer 2 frame, an attacker connected to the same broadcast domain can repeatedly crash the PFE, causing a prolonged Denial of Service (DoS). This issue affects Juniper Networks Junos OS on MX Series: 17.2 versions prior to 17.2R3-S4; 17.2X75 versions prior to 17.2X75-D105.19; 17.3 versions prior to 17.3R3-S7; 17.4 versions prior to 17.4R1-S3, 17.4R2; 18.1 versions prior to 18.1R2. This issue does not affect Juniper Networks Junos OS releases prior to 17.2R1.

When a device running Juniper Networks Junos OS with MPC7, MPC8, or MPC9 line cards installed and the system is configured for inline IP reassembly, used by L2TP, MAP-E, GRE, and IPIP, the packet forwarding engine (PFE) will become disabled upon receipt of small fragments requiring reassembly, generating the following error messages: [LOG: Err] MQSS(2): WO: Packet Error - Error Packets 1, Connection 29 [LOG: Err] eachip_hmcif_rx_intr_handler(7259): EA[2:0]: HMCIF Rx: Injected checksum error detected on WO response - Chunk Address 0x0 [LOG: Err] MQSS(2): DRD: RORD1: CMD reorder ID error - Command 11, Reorder ID 1960, QID 0 [LOG: Err] MQSS(2): DRD: UNROLL0: HMC chunk address error in stage 5 - Chunk Address: 0xc38fb1 [LOG: Notice] Error: /fpc/0/pfe/0/cm/0/MQSS(2)/2/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc), scope: pfe, category: functional, severity: major, module: MQSS(2), type: DRD_RORD_ENG_INT: CMD FSM State Error [LOG: Notice] Performing action cmalarm for error /fpc/0/pfe/0/cm/0/MQSS(2)/2/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(2) with scope: pfe category: functional level: major [LOG: Notice] Performing action get-state for error /fpc/0/pfe/0/cm/0/MQSS(2)/2/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(2) with scope: pfe category: functional level: major [LOG: Notice] Performing action disable-pfe for error /fpc/0/pfe/0/cm/0/MQSS(2)/2/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(2) with scope: pfe category: functional level: major By continuously sending fragmented packets that cannot be reassembled, an attacker can repeatedly disable the PFE causing a sustained Denial of Service (DoS). This issue affects Juniper Networks Junos OS: 17.2 versions prior to 17.2R3-S4 on MX Series; 17.3 versions prior to 17.3R3-S8 on MX Series; 17.4 versions prior to 17.4R2-S9, 17.4R3-S1 on MX Series; 18.1 versions prior to 18.1R3-S10 on MX Series; 18.2 versions prior to 18.2R2-S6, 18.2R3-S3 on MX Series; 18.2X75 versions prior to 18.2X75-D34, 18.2X75-D41, 18.2X75-D53, 18.2X75-D65, 18.2X75-D430 on MX Series; 18.3 versions prior to 18.3R1-S7, 18.3R2-S4, 18.3R3-S2 on MX Series; 18.4 versions prior to 18.4R1-S6, 18.4R2-S4, 18.4R3 on MX Series; 19.1 versions prior to 19.1R1-S4, 19.1R2-S1, 19.1R3 on MX Series; 19.2 versions prior to 19.2R1-S3, 19.2R2 on MX Series; 19.3 versions prior to 19.3R2-S2, 19.3R3 on MX Series. This issue is specific to inline IP reassembly, introduced in Junos OS 17.2. Versions of Junos OS prior to 17.2 are unaffected by this vulnerability.

When DNS filtering is enabled on Juniper Networks Junos MX Series with one of the following cards MS-PIC, MS-MIC or MS-MPC, an incoming stream of packets processed by the Multiservices PIC Management Daemon (mspmand) process, responsible for managing "URL Filtering service", may crash, causing the Services PIC to restart. While the Services PIC is restarting, all PIC services including DNS filtering service (DNS sink holing) will be bypassed until the Services PIC completes its boot process. If the issue occurs, system core-dumps output will show a crash of mspmand process: root@device> show system core-dumps -rw-rw---- 1 nobody wheel 575685123 <Date> /var/tmp/pics/mspmand.core.<*>.gz This issue affects Juniper Networks Junos OS: 17.3 versions prior to 17.3R3-S8; 18.3 versions prior to 18.3R2-S4, 18.3R3-S1; 18.4 versions prior to 18.4R2-S5, 18.4R3; 19.1 versions prior to 19.1R2-S2, 19.1R3; 19.2 versions prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S3, 19.3R3; 19.4 versions prior to 19.4R1-S3, 19.4R2. This issue does not affect Juniper Networks Junos OS releases prior to 17.3R2.

On Juniper Networks Junos OS and Junos OS Evolved devices, the receipt of a specific BGP UPDATE packet causes an internal counter to be incremented incorrectly, which over time can lead to the routing protocols process (RPD) crash and restart. This issue affects both IBGP and EBGP multihop deployment in IPv4 or IPv6 network. This issue affects: Juniper Networks Junos OS: 17.2X75 versions prior to 17.2X75-D105.19; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S10, 17.4R3-S2; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R2-S7, 18.2R3-S4; 18.2X75 versions prior to 18.2X75-D13, 18.2X75-D411.1, 18.2X75-D420.18, 18.2X75-D52.3, 18.2X75-D60; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2; 18.4 versions prior to 18.4R1-S7, 18.4R2-S4, 18.4R3-S2; 19.1 versions prior to 19.1R1-S5, 19.1R2-S1, 19.1R3; 19.2 versions prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S2, 19.3R3; 19.4 versions prior to 19.4R1-S2, 19.4R2. Juniper Networks Junos OS Evolved: any releases prior to 20.1R2-EVO. This issue does not affect Juniper Networks Junos OS releases prior to 17.3R1.

Execution of the "show ospf interface extensive" or "show ospf interface detail" CLI commands on a Juniper Networks device running Junos OS may cause the routing protocols process (RPD) to crash and restart if OSPF interface authentication is configured, leading to a Denial of Service (DoS). By continuously executing the same CLI commands, a local attacker can repeatedly crash the RPD process causing a sustained Denial of Service. Note: Only systems utilizing ARM processors, found on the EX2300 and EX3400, are vulnerable to this issue. Systems shipped with other processor architectures are not vulnerable to this issue. The processor architecture can be displayed via the 'uname -a' command. For example: ARM (vulnerable): % uname -a | awk '{print $NF}' arm PowerPC (not vulnerable): % uname -a | awk '{print $NF}' powerpc AMD (not vulnerable): % uname -a | awk '{print $NF}' amd64 Intel (not vulnerable): % uname -a | awk '{print $NF}' i386 This issue affects Juniper Networks Junos OS: 12.3X48 versions prior to 12.3X48-D100; 14.1X53 versions prior to 14.1X53-D140, 14.1X53-D54; 15.1 versions prior to 15.1R7-S7; 15.1X49 versions prior to 15.1X49-D210; 15.1X53 versions prior to 15.1X53-D593; 16.1 versions prior to 16.1R7-S8; 17.1 versions prior to 17.1R2-S12; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S2, 17.4R3; 18.1 versions prior to 18.1R3-S2; 18.2 versions prior to 18.2R2, 18.2R3; 18.2X75 versions prior to 18.2X75-D40; 18.3 versions prior to 18.3R1-S2, 18.3R2.