Juniper Networks Junos OS Evolved
cpe:2.3:o:juniper:junos_os_evolved:*:*:*:*:*:*:*
- < 22.4R3-EVO
- >= 23.2, < 23.2R2-EVO
A vulnerability has been identified in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved, specifically on PTX Series devices. This vulnerability allows an unauthenticated, network-based attacker to impact the confidentiality and availability of the affected device. The issue arises when an output firewall filter is set to 'reject' for certain terms. Packets matching these terms are incorrectly forwarded to the Routing Engine (RE) for additional processing. This misrouting consumes limited RE resources and can lead to the unintentional disclosure of confidential information about the device. The vulnerability is only relevant for firewall filters applied to WAN or revenue interfaces, excluding the management or loopback interfaces of the routing engine.
Exploitation of this vulnerability can cause a denial-of-service condition by consuming Routing Engine resources, potentially leading to interface flaps. Additionally, the vulnerability can cause a confidentiality breach by allowing unauthorized disclosure of device information.
Users can upgrade to Junos OS Evolved versions 22.4R3-EVO or 23.2R2-EVO to address this vulnerability.
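One way to check a device configuration for the condition described above, as an added example that is not part of the advisory or of Juniper's tooling: it scans `show configuration | display set` output for output filters that contain a 'reject' term and are bound to interfaces other than loopback or management. The sample configuration is constructed, and recognising management interfaces by `mgmt` in the name (as in `re0:mgmt-0`) is an assumption.

```python
import re

# Constructed sample in Junos "display set" form (not taken from a real device).
SAMPLE_CONFIG = """\
set firewall family inet filter EDGE-OUT term block-telnet from protocol tcp
set firewall family inet filter EDGE-OUT term block-telnet then reject
set firewall family inet filter EDGE-OUT term rest then accept
set firewall family inet filter DROP-OUT term bogons then discard
set firewall family inet filter LO-OUT term deny then reject
set interfaces et-0/0/1 unit 0 family inet filter output EDGE-OUT
set interfaces et-0/0/2 unit 0 family inet filter output DROP-OUT
set interfaces et-0/0/3 unit 0 family inet filter input EDGE-OUT
set interfaces lo0 unit 0 family inet filter output LO-OUT
set interfaces re0:mgmt-0 unit 0 family inet filter output LO-OUT
"""

# A term whose action is 'reject' (optionally followed by a message type).
REJECT_RE = re.compile(
    r"^set firewall (?:family \S+ )?filter (\S+) term (\S+) then reject\b")
# A filter bound in the output direction on a logical interface.
OUTPUT_RE = re.compile(
    r"^set interfaces (\S+) unit (\S+) family \S+ filter output(?:-list)? (\S+)")


def is_excluded(ifname):
    """Loopback and RE management interfaces are outside the advisory's scope.
    Assumption: management interfaces carry 'mgmt' in their name."""
    return ifname.startswith("lo0") or "mgmt" in ifname


def exposed_bindings(config_text):
    """Return sorted (interface.unit, filter, [reject terms]) tuples for output
    filters with a 'reject' term on non-loopback, non-management interfaces."""
    reject_terms, bindings = {}, []
    for line in config_text.splitlines():
        line = line.strip()
        m = REJECT_RE.match(line)
        if m:
            reject_terms.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = OUTPUT_RE.match(line)
        if m and not is_excluded(m.group(1)):
            bindings.append((f"{m.group(1)}.{m.group(2)}", m.group(3)))
    # Resolve after the full pass so statement order in the config is irrelevant.
    return sorted((ifl, flt, reject_terms[flt])
                  for ifl, flt in bindings if flt in reject_terms)


if __name__ == "__main__":
    for ifl, flt, terms in exposed_bindings(SAMPLE_CONFIG):
        print(f"{ifl}: output filter {flt} rejects in terms {', '.join(terms)}")
```

A non-empty result on a PTX running an affected release means the device meets the configuration condition the description gives; an empty result on the sample's `lo0` and `re0:mgmt-0` bindings reflects the stated exclusion.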