Juniper Networks Junos OS and Junos OS Evolved Routing Protocol Daemon Use-After-Free Vulnerability Leading to Denial-of-Service

A use-after-free vulnerability has been identified in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved. This vulnerability allows an attacker to cause a denial-of-service (DoS) condition by sending a Border Gateway Protocol (BGP) update with a malformed AS PATH attribute. The issue arises when BGP traceoptions are enabled, causing the rpd process to crash and restart upon receipt of the malformed AS PATH. Continuous receipt of such BGP updates can lead to a sustained DoS condition. The vulnerability affects all Junos OS and Junos OS Evolved platforms with BGP traceoptions enabled, and requires an established BGP session.

Impact

Exploitation of this vulnerability causes the rpd process to crash and restart, disrupting BGP operations and potentially leading to a sustained denial-of-service condition on the affected device.

Remediation

Users can disable BGP traceoptions if they are not actively needed for troubleshooting. The vulnerability has been fixed in Junos OS versions 21.2R3-S9, 22.2R3-S6, 22.4R3-S5, 23.2R2-S3, 23.4R2-S4, 24.2R2, 24.4R1, and all subsequent releases. For Junos OS Evolved, the fixed versions are 22.4R3-S5-EVO, 23.2R2-S3-EVO, 23.4R2-S4-EVO, 24.2R2-EVO, 24.4R1-EVO, and all subsequent releases.