QID 44023
Date Published: 2023-04-27
QID 44023: Juniper Network Operating System (Junos OS) Unexpected Data Type Vulnerability (JSA70586)
Juniper Junos is the network operating system used in Juniper Networks hardware systems.
An Improper Handling of Unexpected Data Type vulnerability in IPv6 firewall filter processing of Juniper Networks Junos OS on the ACX Series devices will prevent a firewall filter with the term 'from next-header ah' from being properly installed in the packet forwarding engine (PFE). There is no immediate indication of an incomplete firewall filter commit shown at the CLI, which could allow an attacker to send valid packets to or through the device that were explicitly intended to be dropped.
Affected Junos versions:
Juniper Networks Junos OS on ACX Series
All versions prior to 20.2R3-S7;
20.4 versions prior to 20.4R3-S4;
21.1 versions prior to 21.1R3-S3;
21.2 versions prior to 21.2R3-S4;
21.3 versions prior to 21.3R3;
21.4 versions prior to 21.4R3;
22.1 versions prior to 22.1R2.
QID detection logic: (Authenticated)
It checks for vulnerable Junos OS version.
Successful exploitation allows an attacker to send valid packets to or through the device that were explicitly intended to be dropped.
- JSA70586 -
kb.juniper.net/JSA70586
supportportal.juniper.net/s/article/2023-04-Security-Bulletin-Junos-OS-ACX-Series-IPv6-firewall-filter-is-not-installed-in-PFE-when-from-next-header-ah-is-used-CVE-2023-28961?language=en_US