Juniper Networks Junos OS
cpe:2.3:a:juniper:junos:*:*:*:*:*:*:*, +2 more
- < 22.4R3-S9
- >= 23.2, < 23.2R2-S6
- >= 23.4, < 23.4R2-S7
- >= 24.2, < 24.2R2-S4
- >= 24.4, < 24.4R2-S3
- >= 25.2, < 25.2R1-S2
- >= 25.2R2
A denial-of-service vulnerability has been identified in the IPsec library used by the kmd and iked processes of Juniper Networks Junos OS on SRX Series and MX Series devices. An unauthenticated, network-based attacker can crash the kmd/iked process, forcing it to restart, by sending a single malformed ISAKMP packet as the first packet of an exchange; no existing security association or prior negotiation is required. While the process restarts, new security associations (SAs) cannot be established, and repeated exploitation prevents new VPN connections from being established at all. This issue affects all Junos OS versions prior to 22.4R3-S9, together with the version ranges listed above in the 23.2, 23.4, 24.2, 24.4 and 25.2 release trains.
Each successful packet crashes kmd/iked and interrupts IKE negotiation until the process has restarted, so new SAs cannot be set up during that window; an attacker who keeps sending malformed packets keeps the process down and the device loses the ability to establish any new VPN connections.
Upgrade to Junos OS 22.4R3-S9, 23.2R2-S6, 23.4R2-S7, 24.2R2-S4, 24.4R2-S3, 25.2R1-S2, 25.2R2, 25.4R1, or any subsequent release. Juniper tracks the issue as PR1909025; refer to that PR for the authoritative affected and fixed version lists.
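To turn the version lists above into something you can run against a fleet, the following script (an added example, not Juniper's code or anything from this advisory) parses Junos version strings, orders them as (major, minor, R number, S number), and reports whether a device's reported version is at or beyond one of the fixed releases named in the remediation text. It keys off the fixed-release list because that is what "or any subsequent release" is defined against; note that the affected-range list above also shows an open range starting at 25.2R2 while the remediation text names 25.2R2 as fixed, so confirm the 25.2 boundaries against PR1909025 before relying on this for that train. The platform check (SRX/MX by substring, so vSRX and vMX match) and the `show version` sample output are assumptions made for illustration; `assess`, `assess_show_version`, `parse_version` and `in_scope_platform` are names chosen here.

```python
"""Check a Junos device's reported version against the fixed releases for the
kmd/iked ISAKMP denial-of-service issue (Juniper PR1909025).

Added example; not Juniper's code. Versions are ordered as the tuple
(major, minor, R number, S number), the ordering that "versions before X"
implies in the advisory text.
"""
import re
from typing import NamedTuple, Optional, Tuple

# Fixed releases taken from the remediation text. "Or any subsequent release"
# is implemented as a >= comparison within the same release train.
FIXED_RELEASES = ("22.4R3-S9", "23.2R2-S6", "23.4R2-S7", "24.2R2-S4",
                  "24.4R2-S3", "25.2R1-S2", "25.2R2", "25.4R1")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?", re.IGNORECASE)
_FIELD_RE = re.compile(r"^(Model|Junos):\s*(\S+)", re.MULTILINE)


class JunosVersion(NamedTuple):
    major: int
    minor: int
    release: int   # the Rn number
    service: int   # the Sn number, 0 when no service release suffix

    @property
    def train(self) -> Tuple[int, int]:
        return (self.major, self.minor)


def parse_version(text: str) -> JunosVersion:
    """Parse strings such as '22.4R3-S8.1'; a trailing build number is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {text!r}")
    major, minor, release, service = m.groups()
    return JunosVersion(int(major), int(minor), int(release), int(service or 0))


_FIXED = tuple(parse_version(v) for v in FIXED_RELEASES)
# 22.4R3-S9 is the earliest fix: every version on an older train is affected.
_EARLIEST_FIX = min(_FIXED)


def in_scope_platform(model: str) -> bool:
    """Advisory scope is SRX Series and MX Series; substring match is an
    assumption so that vSRX / vMX model strings are also treated as in scope."""
    m = model.upper()
    return "SRX" in m or "MX" in m


def assess(version_text: str, model: Optional[str] = None) -> str:
    """Return 'affected', 'fixed', 'out of scope' or 'train not listed'."""
    if model is not None and not in_scope_platform(model):
        return "out of scope"
    v = parse_version(version_text)
    if v.train < _EARLIEST_FIX.train:
        return "affected"
    fixes_on_train = [f for f in _FIXED if f.train == v.train]
    if not fixes_on_train:
        # Trains the advisory does not name (for example ones no longer
        # supported) are not assessed here; check the PR directly.
        return "train not listed"
    return "fixed" if v >= min(fixes_on_train) else "affected"


def assess_show_version(output: str) -> str:
    """Run the check on raw 'show version' text using its Model: and Junos: lines."""
    fields = dict(_FIELD_RE.findall(output))
    if "Junos" not in fields:
        raise ValueError("no 'Junos:' line found in show version output")
    return assess(fields["Junos"], fields.get("Model"))


# Constructed sample of the first lines of 'show version' on an SRX.
SAMPLE_SHOW_VERSION = """\
Hostname: edge-fw1
Model: srx4600
Junos: 22.4R3-S8.1
JUNOS OS Kernel 64-bit
"""

if __name__ == "__main__":
    print("edge-fw1:", assess_show_version(SAMPLE_SHOW_VERSION))
    checks = [("24.4R2-S3", "MX480"), ("25.2R1-S1", "vSRX"),
              ("21.4R3-S5", "mx10003"), ("24.4R1", "QFX5120"), ("23.1R2", "SRX300")]
    for ver, model in checks:
        print(f"{model:8} {ver:10} -> {assess(ver, model)}")
```

Feed `assess_show_version` the output of `show version` collected over NETCONF or SSH per device; anything reported as `affected` on an SRX or MX that terminates IKE from untrusted networks is the upgrade priority, since the trigger is a single unauthenticated packet.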