CVE-2022-22180: 2022-01 Security Bulletin: Junos OS: EX2300 Series, EX2300-MP Series, EX3400 Series: A slow memory leak due to processing of specific IPv6 packets (CVE-2022-22180)



Article ID: JSA11286
SECURITY_ADVISORIES
Last Updated: 12 Jan 2022
Version: 1.0

Product Affected:

This issue affects Junos OS 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2, 20.3, 20.4, 21.1, 21.2, 21.3. Affected platforms: EX2300 Series, EX2300-MP Series, EX3400 Series.

Problem:

An Improper Check for Unusual or Exceptional Conditions vulnerability in the processing of specific IPv6 packets on certain EX Series devices may lead to exhaustion of DMA memory causing a Denial of Service (DoS). Over time, exploitation of this vulnerability may cause traffic to stop being forwarded, or a crash of the fxpc process.

An indication of the issue occurring may be observed through the following log messages:

Sep 13 17:14:59 hostname : %PFE-3: fpc0 (buf alloc) failed allocating packet buffer
Sep 13 17:14:59 hostname : %PFE-7: fpc0 brcm_pkt_buf_alloc:393 (buf alloc) failed allocating packet buffer

When Packet DMA heap utilization reaches 99%, the system will become unstable. Packet DMA heap utilization can be monitored using the command:

user@junos# request pfe execute target fpc0 timeout 30 command "show heap"
ID Base       Total(b)    Free(b)     Used(b)     %   Name
-- ---------- ----------- ----------- ----------- --- -----------
0  213301a8   536870488   387228840   149641648   27  Kernel
1  91800000   8388608     3735120     4653488     55  DMA
2  92000000   75497472    74452192    1045280     1   PKT DMA DESC
3  d330000    335544320   257091400   78452920    23  Bcm_sdk
4  96800000   184549376   2408        184546968   99  Packet DMA <<<<
5  903fffe0   20971504    20971504    0           0   Blob
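
An added example, not part of the Juniper advisory: a Python check that parses captured "show heap" output and syslog text for the two indicators described above, so the leak can be caught before Packet DMA reaches 99%. The function names and the 80% early-warning threshold are assumptions, and the sample input is constructed from the output quoted in the advisory.

```python
import re
from collections import Counter

# Constructed sample input: the "show heap" rows and log lines quoted in the advisory.
SAMPLE_HEAP = """\
ID Base Total(b) Free(b) Used(b) % Name
-- ---------- ----------- ----------- ----------- --- -----------
0 213301a8 536870488 387228840 149641648 27 Kernel
1 91800000 8388608 3735120 4653488 55 DMA
2 92000000 75497472 74452192 1045280 1 PKT DMA DESC
3 d330000 335544320 257091400 78452920 23 Bcm_sdk
4 96800000 184549376 2408 184546968 99 Packet DMA <<<<
5 903fffe0 20971504 20971504 0 0 Blob
"""
SAMPLE_LOG = """\
Sep 13 17:14:59 hostname : %PFE-3: fpc0 (buf alloc) failed allocating packet buffer
Sep 13 17:14:59 hostname : %PFE-7: fpc0 brcm_pkt_buf_alloc:393 (buf alloc) failed allocating packet buffer
"""

# Row layout: ID, hex base, total/free/used bytes, percent, name (may contain spaces).
HEAP_ROW = re.compile(
    r"^\s*\d+\s+[0-9a-fA-F]+\s+(\d+)\s+(\d+)\s+(\d+)\s+\d+\s+(.+?)\s*$")
BUF_ALLOC_FAIL = re.compile(r"%PFE-\d+: (fpc\d+) .*failed allocating packet buffer")

def parse_heap(text):
    """Map heap name -> usage; header, ruler and prompt lines do not match and are skipped."""
    heaps = {}
    for line in text.splitlines():
        m = HEAP_ROW.match(line)
        if m:
            total, free, used = (int(m.group(i)) for i in (1, 2, 3))
            name = m.group(4).rstrip("<").strip()  # drop a trailing "<<<<" marker
            # Recompute from byte counts, truncating as the device's % column does.
            pct = used * 100 // total if total else 0
            heaps[name] = {"total": total, "free": free, "used": used, "pct": pct}
    return heaps

def assess(heap_text, log_text="", warn_pct=80):
    """warn_pct is an assumed early-warning level, below the 99% instability point."""
    dma = parse_heap(heap_text).get("Packet DMA")
    failures = Counter(m.group(1) for m in BUF_ALLOC_FAIL.finditer(log_text))
    return {
        "packet_dma_pct": dma["pct"] if dma else None,
        "packet_dma_free": dma["free"] if dma else None,
        # A missing Packet DMA row also alerts: the heap state could not be verified.
        "alert": bool(failures) or dma is None or dma["pct"] >= warn_pct,
        "buf_alloc_failures": dict(failures),
    }
```

Calling assess(SAMPLE_HEAP, SAMPLE_LOG) reports the Packet DMA heap at 99% with 2408 bytes free and two buffer allocation failures on fpc0.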

This issue affects:

Juniper Networks Junos OS

  • 18.4 versions prior to 18.4R2-S10, 18.4R3-S10 on EX2300 Series, EX2300-MP Series, EX3400 Series;
  • 19.1 versions prior to 19.1R3-S7 on EX2300 Series, EX2300-MP Series, EX3400 Series;
  • 19.2 versions prior to 19.2R1-S8, 19.2R3-S4 on EX2300 Series, EX2300-MP Series, EX3400 Series;
  • 19.3 versions prior to 19.3R3-S5 on EX2300 Series, EX2300-MP Series, EX3400 Series;
  • 19.4 versions prior to 19.4R3-S7 on EX2300 Series, EX2300-MP Series, EX3400 Series;
  • 20.1 versions prior to 20.1R3-S3 on EX2300 Series, EX2300-MP Series, EX3400 Series;
  • 20.2 versions prior to 20.2R3-S3 on EX2300 Series, EX2300-MP Series, EX3400 Series;
  • 20.3 versions prior to 20.3R3-S2 on EX2300 Series, EX2300-MP Series, EX3400 Series;
  • 20.4 versions prior to 20.4R3-S1 on EX2300 Series, EX2300-MP Series, EX3400 Series;
  • 21.1 versions prior to 21.1R2-S2, 21.1R3 on EX2300 Series, EX2300-MP Series, EX3400 Series;
  • 21.2 versions prior to 21.2R1-S2, 21.2R2 on EX2300 Series, EX2300-MP Series, EX3400 Series;
  • 21.3 versions prior to 21.3R1-S1, 21.3R2 on EX2300 Series, EX2300-MP Series, EX3400 Series.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2022-22180.

Solution:

The following software releases have been updated to resolve this specific issue: 18.4R2-S10, 18.4R3-S10, 19.1R3-S7, 19.2R1-S8, 19.2R3-S4, 19.4R3-S7, 20.1R3-S3, 20.2R3-S3, 20.3R3-S2, 20.4R3-S1, 21.1R2-S2, 21.1R3, 21.2R1-S2, 21.2R2, 21.2R3, 21.3R1-S1, 21.3R2, 21.4R1, and all subsequent releases.

This issue is being tracked as 1619970.

Workaround:

If IPv6 is not used in the environment, to prevent the issue an administrator can apply a firewall filter for blocking IPv6 packets on the ingress port where the traffic might be received:

[firewall family ethernet-switching filter BLOCK-IPv6 interface-specific]
[firewall family ethernet-switching filter BLOCK-IPv6 term 1 from ether-type ipv6]
[firewall family ethernet-switching filter BLOCK-IPv6 term 1 then discard]
[firewall family ethernet-switching filter BLOCK-IPv6 term 1 then count BLOCK-IPv6_COUNT]
[firewall family ethernet-switching filter BLOCK-IPv6 term default then accept]
[interfaces <interface ID> family ethernet-switching filter input BLOCK-IPv6]

Implementation:

Software releases or updates are available for download at https://support.juniper.net/support/downloads/

Modification History:

2022-01-12: Initial Publication.

CVSS Score:

7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Severity Level:

High

Severity Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 “Common Vulnerability Scoring System (CVSS) and Juniper’s Security Advisories.”

Related Links

  • KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  • KB16765: In which releases are vulnerabilities fixed?
  • KB16446: Common Vulnerability Scoring System (CVSS) and Juniper’s Security Advisories
  • Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  • CVE-2022-22180: A slow memory leak due to processing of specific IPv6 packets
