Vulnerabilities > CVE-2023-22409 - Improper Validation of Specified Quantity in Input vulnerability in Juniper Junos

CVSS 5.5 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

local

low complexity

juniper

CWE-1284

NVD

Published: 2023-01-13

Updated: 2023-01-24

Summary

An Unchecked Input for Loop Condition vulnerability in a NAT library of Juniper Networks Junos OS allows a local authenticated attacker with low privileges to cause a Denial of Service (DoS). When an inconsistent "deterministic NAT" configuration is present on an SRX, or MX with SPC3 and then a specific CLI command is issued the SPC will crash and restart. Repeated execution of this command will lead to a sustained DoS. Such a configuration is characterized by the total number of port blocks being greater than the total number of hosts. An example for such configuration is: [ services nat source pool TEST-POOL address x.x.x.0/32 to x.x.x.15/32 ] [ services nat source pool TEST-POOL port deterministic block-size 1008 ] [ services nat source pool TEST-POOL port deterministic host address y.y.y.0/24] [ services nat source pool TEST-POOL port deterministic include-boundary-addresses] where according to the following calculation: 65536-1024=64512 (number of usable ports per IP address, implicit) 64512/1008=64 (number of port blocks per Nat IP) x.x.x.0/32 to x.x.x.15/32 = 16 (NAT IP addresses available in NAT pool) total port blocks in NAT Pool = 64 blocks per IP * 16 IPs = 1024 Port blocks host address y.y.y.0/24 = 256 hosts (with include-boundary-addresses) If the port block size is configured to be 4032, then the total port blocks are (64512/4032) * 16 = 256 which is equivalent to the total host addresses of 256, and the issue will not be seen. This issue affects Juniper Networks Junos OS on SRX Series, and MX Series with SPC3: All versions prior to 19.4R3-S10; 20.1 version 20.1R1 and later versions; 20.2 versions prior to 20.2R3-S6; 20.3 versions prior to 20.3R3-S6; 20.4 versions prior to 20.4R3-S5; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S3; 21.3 versions prior to 21.3R3-S3; 21.4 versions prior to 21.4R3-S1; 22.1 versions prior to 22.1R2-S2, 22.1R3; 22.2 versions prior to 22.2R2.

Vulnerable Configurations

Part	Description	Count
OS	Juniper Juniper Junos - Juniper Junos 4.0 Juniper Junos 4.1 Juniper Junos 4.2 Juniper Junos 4.3 Juniper Junos 4.4 Juniper Junos 5.0 Juniper Junos 5.0R3 Juniper Junos 5.0R4 Juniper Junos 5.1 Juniper Junos 5.2 Juniper Junos 5.3 Juniper Junos 5.4 Juniper Junos 5.5 Juniper Junos 5.6 Juniper Junos 5.7 Juniper Junos 6.0 Juniper Junos 6.1 Juniper Junos 6.2 Juniper Junos 6.3 Juniper Junos 6.4 Juniper Junos 7.0 Juniper Junos 7.1 Juniper Junos 7.2 Juniper Junos 7.3 Juniper Junos 7.4 Juniper Junos 7.5 Juniper Junos 7.6 Juniper Junos 8.0 Juniper Junos 8.1 Juniper Junos 8.2 Juniper Junos 8.3 Juniper Junos 8.4 Juniper Junos 9.0 Juniper Junos 9.1 Juniper Junos 9.2 Juniper Junos 9.4 Juniper Junos 9.5 Juniper Junos 9.6 Juniper Junos 10.0 Juniper Junos 10.1 Juniper Junos 10.2 Juniper Junos 10.3 Juniper Junos 10.4 Juniper Junos 10.4R Juniper Junos 10.4S Juniper Junos 11.0 Juniper Junos 11.1 Juniper Junos 11.2 Juniper Junos 11.3 Juniper Junos 11.4 Juniper Junos 11.4R13 Juniper Junos 11.4X27 Juniper Junos 12.1 Juniper Junos 12.1R Juniper Junos 12.1X44 Juniper Junos 12.1X45 Juniper Junos 12.1X46 Juniper Junos 12.1X46-D10 Juniper Junos 12.1X47 Juniper Junos 12.2 Juniper Junos 12.2X50 Juniper Junos 12.2X65 Juniper Junos 12.3 Juniper Junos 12.3R12 Juniper Junos 12.3X48 Juniper Junos 12.3X50 Juniper Junos 13.1 Juniper Junos 13.1X49 Juniper Junos 13.1X50 Juniper Junos 13.2 Juniper Junos 13.2X51 Juniper Junos 13.2X52 Juniper Junos 13.3 Juniper Junos 13.3R9 Juniper Junos 14.1 Juniper Junos 14.1R7 Juniper Junos 14.1X50 Juniper Junos 14.1X51 Juniper Junos 14.1X53 Juniper Junos 14.1X53-D10 Juniper Junos 14.1X53-D15 Juniper Junos 14.1X53-D25 Juniper Junos 14.1X53-D26 Juniper Junos 14.1X53-D27 Juniper Junos 14.1X53-D30 Juniper Junos 14.1X53-D35 Juniper Junos 14.1X55 Juniper Junos 14.2 Juniper Junos 14.2R6 Juniper Junos 15.1 Juniper Junos 15.1F6-S1 Juniper Junos 15.1F6-S2 Juniper Junos 15.1F6-S4 Juniper Junos 15.1F6-S5 Juniper Junos 15.1F6-S6 Juniper Junos 15.1F6-S7 Juniper Junos 15.1F6-S8 Juniper Junos 15.1F6-S9 Juniper Junos 15.1F6-S10 Juniper Junos 15.1F6-S11 Juniper Junos 15.1R2 Juniper Junos 15.1R7-S3 Juniper Junos 15.1X8 Juniper Junos 15.1X49 Juniper Junos 15.1X49-D30 Juniper Junos 15.1X49-D60 Juniper Junos 15.1X49-D140 Juniper Junos 15.1X49-D150 Juniper Junos 15.1X49-D160 Juniper Junos 15.1X53 Juniper Junos 15.1X53-D50 Juniper Junos 15.1X53-D51 Juniper Junos 15.1X53-D52 Juniper Junos 15.1X53-D55 Juniper Junos 15.1X53-D57 Juniper Junos 15.1X53-D58 Juniper Junos 15.1X53-D59 Juniper Junos 15.1X53-D69 Juniper Junos 15.1X53-D235 Juniper Junos 15.1X53-D495 Juniper Junos 15.1X53-D591 Juniper Junos 15.1X54 Juniper Junos 15.2 Juniper Junos 16 Juniper Junos 16.1 Juniper Junos 16.1R4-S12 Juniper Junos 16.1R6-S6 Juniper Junos 16.1R7-S3 Juniper Junos 16.1X65 Juniper Junos 16.1X70 Juniper Junos 16.2 Juniper Junos 17.1 Juniper Junos 17.1R3 Juniper Junos 17.2 Juniper Junos 17.2R3 Juniper Junos 17.2X75 Juniper Junos 17.3 Juniper Junos 17.3R3 Juniper Junos 17.3R3-S2 Juniper Junos 17.3R4 Juniper Junos 17.4 Juniper Junos 17.4R2 Juniper Junos 17.4R2-S1 Juniper Junos 17.4R2-S2 Juniper Junos 17.4R3 Juniper Junos 18 Juniper Junos 18.1 Juniper Junos 18.1R Juniper Junos 18.1R3-S1 Juniper Junos 18.1R4 Juniper Junos 18.1X75 Juniper Junos 18.2 Juniper Junos 18.2R Juniper Junos 18.2R2 Juniper Junos 18.2X75 Juniper Junos 18.2X75-D10 Juniper Junos 18.2X75-D30 Juniper Junos 18.3 Juniper Junos 18.3R Juniper Junos 18.3R2 Juniper Junos 18.4 Juniper Junos 19.1 Juniper Junos 19.2 Juniper Junos 19.3 Juniper Junos 19.4 Juniper Junos 20.1 Juniper Junos 20.2 Juniper Junos 20.3 Juniper Junos 20.4 Juniper Junos 21.1 Juniper Junos 21.2 Juniper Junos 21.3 Juniper Junos 21.4 Juniper Junos 22.1 Juniper Junos 22.2	991
Hardware	Juniper Juniper Mx10 - Juniper Mx10000 - Juniper Mx10003 - Juniper Mx10008 - Juniper Mx10016 - Juniper Mx104 - Juniper Mx150 - Juniper Mx2008 - Juniper Mx2010 - Juniper Mx2020 - Juniper Mx204 - Juniper Mx240 - Juniper Mx40 - Juniper Mx480 - Juniper MX5 - Juniper Mx80 - Juniper Mx960 - Juniper Srx100 - Juniper Srx110 - Juniper Srx1400 - Juniper Srx1500 - Juniper Srx210 - Juniper Srx220 - Juniper Srx240 - Juniper Srx240H2 - Juniper Srx240M - Juniper Srx300 - Juniper Srx320 - Juniper Srx340 - Juniper Srx3400 - Juniper Srx345 - Juniper Srx3600 - Juniper Srx380 - Juniper Srx4000 - Juniper Srx4100 - Juniper Srx4200 - Juniper Srx4600 - Juniper Srx5000 - Juniper Srx5400 - Juniper Srx550 - Juniper Srx550 HM - Juniper Srx550M - Juniper Srx5600 - Juniper Srx5800 - Juniper Srx650 -	45

Common Weakness Enumeration (CWE)

CWE-1284 - Improper Validation of Specified Quantity in Input

References

https://kb.juniper.net/JSA70205