CVE-2022-22179: 2022-01 Security Bulletin: Junos OS: jdhcpd crashes upon receiving a specific DHCP packet (CVE-2022-22179)

• printer Print
• border_color Report a Security Vulnerability

2022-01 Security Bulletin: Junos OS: jdhcpd crashes upon receiving a specific DHCP packet (CVE-2022-22179)

Article ID: JSA11285 SECURITY_ADVISORIES Last Updated: 12 Jan 2022Version: 1.0 Product Affected:

This issue affects Junos OS 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2, 20.3, 20.4, 21.1, 21.2, 21.3.

Problem:

A Improper Validation of Specified Index, Position, or Offset in Input vulnerability in the Juniper DHCP daemon (jdhcpd) of Juniper Networks Junos OS allows an adjacent unauthenticated attacker to cause a crash of jdhcpd and thereby a Denial of Service (DoS).

In a scenario where DHCP relay or local server is configured the problem can be triggered if a DHCPv4 packet with specific options is received leading to a corruption of the options read from the packet. This corruption can then lead to jdhcpd crash and restart.

This issue affects Juniper Networks Junos OS:

• 17.4R1 and later versions prior to 18.4R3-S10;
• 19.1 versions prior to 19.1R3-S7;
• 19.2 versions prior to 19.2R1-S8, 19.2R3-S4;
• 19.3 versions prior to 19.3R3-S4;
• 19.4 versions prior to 19.4R3-S6;
• 20.1 versions prior to 20.1R3-S2;
• 20.2 versions prior to 20.2R3-S3;
• 20.3 versions prior to 20.3R3-S2;
• 20.4 versions prior to 20.4R3-S1;
• 21.1 versions prior to 21.1R2-S2, 21.1R3;
• 21.2 versions prior to 21.2R1-S2, 21.2R2, 21.2R3;
• 21.3 versions prior to 21.3R1-S1, 21.3R2.

To be affected a device must be configured with:

[ forwarding-options dhcp-relay group <group-name> interface … ]

or

[ system services dhcp-local-server group <group-name> interface … ]

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2022-22179.

Solution:

The following software releases have been updated to resolve this specific issue: 18.4R3-S10, 19.1R3-S7, 19.2R1-S8, 19.2R3-S4, 19.3R3-S4, 19.4R3-S6, 20.1R3-S2, 20.2R3-S3, 20.3R3-S2, 20.4R3-S1, 21.1R2-S2, 21.1R3, 21.2R1-S2, 21.2R2, 21.2R3, 21.3R1-S1, 21.3R2, 21.4R1, and all subsequent releases.

This issue is being tracked as 1618977.

Workaround:

There are no viable workarounds for this issue.

Implementation:

Software releases or updates are available for download at https://support.juniper.net/support/downloads/

Modification History:

2022-01-12: Initial Publication.

CVSS Score:

6.5 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Severity Level:

Medium

Severity Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 “Common Vulnerability Scoring System (CVSS) and Juniper’s Security Advisories.”

Related Links

• KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
• KB16765: In which releases are vulnerabilities fixed?
• KB16446: Common Vulnerability Scoring System (CVSS) and Juniper’s Security Advisories
• Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
• CVE-2022-22179 at cve.org

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

• Junos
• MX-series
• EX Series
• SRX Series
• QFX Series
• NFX Series
• PTX Series
• SIRT Advisory
• ACX Series