Juniper Networks Junos OS Improper Condition Check in Flow Processing Daemon Leading to Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the flow processing daemon (flowd) of Juniper Networks Junos OS. This issue affects SRX1600, SRX2300, SRX 4000 Series, and SRX5000 Series with SPC3. The vulnerability allows an unauthenticated, network-based attacker to cause a flowd crash and restart by sending a sequence of specific PIM packets. The vulnerability is present in all Junos OS versions prior to 21.2R3-S9, 21.4 versions prior to 21.4R3-S11, 22.2 versions prior to 22.2R3-S7, 22.4 versions prior to 22.4R3-S6, 23.2 versions prior to 23.2R2-S4, 23.4 versions prior to 23.4R2-S4, and 24.2 versions prior to 24.2R2.

Impact

Exploitation of this vulnerability causes the flowd process to crash and restart, disrupting normal flow processing operations.

Remediation

Users can update to Junos OS versions 21.2R3-S9, 21.4R3-S11, 22.2R3-S7, 22.4R3-S6, 23.2R2-S4, 23.4R2-S4, 24.2R2, 24.4R1, and all subsequent releases. For SRX Series devices, reduce the PIM session timeout value to less than 5 seconds to avoid data session creation errors.
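The fixed-release list above can be applied to a device inventory. The following is an added example, not code from Juniper or from this page. It assumes release strings of the form YY.NRn[-Sn][.build], uses constructed hostnames and versions, and does not check the hardware model, which must still be matched against the affected SRX platforms.

```python
import re

# First fixed release per train as (R, S), copied from the advisory text.
FIXED = {
    (21, 2): (3, 9), (21, 4): (3, 11), (22, 2): (3, 7), (22, 4): (3, 6),
    (23, 2): (2, 4), (23, 4): (2, 4), (24, 2): (2, 0), (24, 4): (1, 0),
}
# Assumed release-string shape: YY.N R<n> [-S<n>] [.build], e.g. "22.4R3-S5.2".
_VER = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

def classify(version):
    """Return 'affected', 'fixed' or 'unlisted' for a Junos OS release string."""
    m = _VER.match(version.strip())
    if not m:
        return "unlisted"      # unrecognised format; needs manual review
    train = (int(m[1]), int(m[2]))
    release = (int(m[3]), int(m[4] or 0))   # no -S suffix counts as S0
    if train < (21, 2):
        return "affected"      # "all Junos OS versions prior to 21.2R3-S9"
    if train > (24, 4):
        return "fixed"         # "24.4R1, and all subsequent releases"
    if train not in FIXED:
        return "unlisted"      # train the advisory does not mention
    return "fixed" if release >= FIXED[train] else "affected"

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = {
    "fw-edge-01": "21.4R3-S10",
    "fw-edge-02": "22.4R3-S6.3",
    "fw-core-01": "20.4R3-S8",
    "fw-core-02": "24.2R2",
    "fw-lab-01": "22.3R1",
}

def audit(inventory):
    """Map each host to its status under the advisory's version ranges."""
    return {host: classify(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:12} {INVENTORY[host]:14} {status}")
```

Hosts reported as "unlisted" run a train or string format the advisory text does not cover and need manual review against the vendor bulletin.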

Added: Jul 11, 2025, 4:41 PM
Updated: Jul 11, 2025, 4:41 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 7.0
remediation: 8.3
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.