Juniper Networks Junos OS and Junos OS Evolved Untrusted Pointer Dereference Vulnerability in Routing Protocol Daemon Leading to Denial-of-Service

Vulnerability

An untrusted pointer dereference vulnerability has been identified in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved. It allows a local, authenticated attacker with low privileges to cause a denial-of-service condition. The issue is triggered when the command 'show route < ( receive-protocol | advertising-protocol ) bgp > detail' is executed and at least one of the routes in the output has specific attributes, causing rpd to crash and restart. The 'show route ... extensive' command is not affected. This vulnerability affects all versions of Junos OS and Junos OS Evolved prior to the fixed releases listed under Remediation.

Impact

Exploitation of this vulnerability causes the routing protocol daemon (rpd) to crash and restart, disrupting routing processes and potentially leading to temporary network instability.

Remediation

Users can upgrade to Junos OS versions 22.4R3-S8, 23.2R2-S5, 23.4R2-S5, 24.2R2-S2, 24.4R2, 25.2R1, and all subsequent releases. For Junos OS Evolved, versions 22.4R3-S8-EVO, 23.2R2-S5-EVO, 23.4R2-S6-EVO, 24.2R2-S2-EVO, 24.4R2-EVO, 25.2R1-EVO, and all subsequent releases are available. Additionally, access lists or firewall filters can be used to limit CLI access to trusted hosts and administrators, and CLI authorization can be implemented to prevent the execution of the 'show route' command with the 'detail' option.
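The two workarounds above can be expressed as Junos configuration. The following is an added example written for this page, not configuration taken from Juniper's advisory: it defines a restricted login class whose deny-commands regular expression blocks any 'show route' invocation carrying the 'detail' option (the unaffected 'show route ... extensive' form stays allowed), and a loopback firewall filter that only accepts SSH to the routing engine from a management prefix. The class name 'netops-restricted', the user 'alice', the filter name 'PROTECT-RE' and the management prefix 192.0.2.0/24 (a documentation range) are assumptions chosen for the example; substitute your own values.

```junos
## Added example (not from the advisory): CLI authorization that blocks
## 'show route ... detail' for a low-privilege operator class.
## 'netops-restricted' and 'alice' are placeholder names.
set system login class netops-restricted permissions view
set system login class netops-restricted permissions view-configuration
set system login class netops-restricted deny-commands "show route .* detail"
set system login user alice class netops-restricted

## Added example: firewall filter on lo0 so that only the assumed management
## prefix 192.0.2.0/24 can open SSH sessions to the routing engine.
## Other traffic to the RE (routing protocols, etc.) is left untouched by
## the final accept term; tighten further to local policy.
set firewall family inet filter PROTECT-RE term allow-mgmt-ssh from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term allow-mgmt-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term allow-mgmt-ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term allow-mgmt-ssh then accept
set firewall family inet filter PROTECT-RE term deny-other-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term deny-other-ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term deny-other-ssh then discard
set firewall family inet filter PROTECT-RE term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

After committing, verify the class with 'show cli authorization' while logged in as the restricted user, and confirm that 'show route receive-protocol bgp <peer> detail' is refused while 'show route receive-protocol bgp <peer> extensive' still works. Note that the deny-commands pattern also blocks plain 'show route detail'; that matches the advisory's suggested scope of preventing the 'detail' option rather than only the BGP forms. These workarounds reduce exposure but do not remove the defect; upgrading to the fixed releases remains the complete fix.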

Added: Jan 15, 2026, 9:42 PM
Updated: Jan 15, 2026, 9:42 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 2.7
exploitability: 3.1
remediation: 8.3
relevance: 2.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.