Juniper Networks Junos OS and Junos OS Evolved Buffer Over-Read Vulnerability in BGP Processing Leading to Denial-of-Service

Vulnerability

A buffer over-read vulnerability has been identified in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved. This vulnerability allows an unauthenticated, network-based attacker to cause a denial-of-service (DoS) condition. The issue arises when an affected device receives a BGP update containing specific optional transitive attributes over an established peering session. rpd crashes and restarts while attempting to advertise the received information to another peer. This vulnerability occurs only if one or both BGP peers in the receiving session are non-4-byte-AS capable, as indicated by the advertised capabilities during BGP session establishment. By default, Junos OS and Junos OS Evolved are 4-byte-AS capable, unless this feature has been explicitly disabled. The vulnerability affects all versions of Junos OS and Junos OS Evolved prior to the respective fixed releases.

Impact

Exploitation of this vulnerability causes the routing protocol daemon (rpd) to crash and restart, disrupting BGP operations and potentially causing a temporary loss of routing information.

Remediation

Users can upgrade to Junos OS versions 22.4R3-S8, 23.2R2-S5, 23.4R2-S6, 24.2R2-S2, 24.4R2, 25.2R1, and all subsequent releases. For Junos OS Evolved, the updated versions are 22.4R3-S8-EVO, 23.2R2-S5-EVO, 23.4R2-S6-EVO, 24.2R2-S2-EVO, 24.4R2-EVO, 25.2R1-EVO, and all subsequent releases.
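A quick way to triage an inventory against the fixed releases listed above is to parse Junos version strings and compare them per release train. The following Python is an added example written for this page, not Juniper's own tooling; it encodes the fixed releases exactly as listed, treats the "-EVO" suffix as cosmetic because the Evolved fix list mirrors the Junos OS list, and assumes (not stated on the page) that trains newer than 25.2 fall under "all subsequent releases" while older unlisted trains get no verdict and must be checked against the vendor advisory.

```python
import re

# First fixed (R, S) per release train, as listed in the Remediation section.
# "24.4R2" and "25.2R1" carry no -S suffix, so their S value is 0.
FIXED = {
    (22, 4): (3, 8),
    (23, 2): (2, 5),
    (23, 4): (2, 6),
    (24, 2): (2, 2),
    (24, 4): (2, 0),
    (25, 2): (1, 0),
}

# Junos version shape: <major>.<minor>R<r>[.<build>][-S<s>[.<build>]][-EVO]
# Build/spin numbers (e.g. ".2") are accepted but ignored for the comparison.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<r>\d+)(?:\.\d+)?"
    r"(?:-S(?P<s>\d+)(?:\.\d+)?)?(?P<evo>-EVO)?$"
)


def parse_junos_version(version):
    """Return (major, minor, R, S, is_evo); raise ValueError on unknown shapes."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    return (
        int(m["major"]),
        int(m["minor"]),
        int(m["r"]),
        int(m["s"] or 0),          # no -S suffix means service release 0
        m["evo"] is not None,
    )


def assess(version):
    """Classify a running version against the advisory's fixed releases.

    Returns 'fixed', 'affected' or 'unlisted-train'.
    """
    major, minor, r, s, _is_evo = parse_junos_version(version)
    train = (major, minor)
    if train in FIXED:
        return "fixed" if (r, s) >= FIXED[train] else "affected"
    # Assumption (not on the page): a train newer than the newest listed one
    # is covered by "all subsequent releases". Older unlisted trains are not
    # judged here; consult the vendor advisory for those.
    if train > max(FIXED):
        return "fixed"
    return "unlisted-train"


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for v in ["22.4R3-S7", "22.4R3-S8", "23.4R2-S6-EVO", "24.4R1", "25.4R1", "23.1R1"]:
        print(f"{v:16} -> {assess(v)}")
```

Because the comparison is per train, a device on 24.4R1 is reported as affected even though 24.4 is numerically newer than the fixed 23.4R2-S6; that is the behaviour the advisory's "respective fixed releases" wording calls for.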

Added: Jan 15, 2026, 9:39 PM
Updated: Jan 15, 2026, 9:39 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 4.5
remediation: 7.7
relevance: 2.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.