A vulnerability due to the improper handling of direct memory access (DMA) buffers on EX4300 switches on Juniper Networks Junos OS allows an attacker sending specific unicast frames to trigger a Denial of Service (DoS) condition by exhausting DMA buffers, causing the FPC to crash and the device to restart. The DMA buffer leak is seen when receiving these specific, valid unicast frames on an interface without Layer 2 Protocol Tunneling (L2PT) or dot1x configured. Interfaces with either L2PT or dot1x configured are not vulnerable to this issue. When this issue occurs, DMA buffer usage keeps increasing and the following error log messages may be observed: Apr 14 14:29:34.360 /kernel: pid 64476 (pfex_junos), uid 0: exited on signal 11 (core dumped) Apr 14 14:29:33.790 init: pfe-manager (PID 64476) terminated by signal number 11. Core dumped! The DMA buffers on the FPC can be monitored by the executing vty command show heap: ID Base Total(b) Free(b) Used(b) % Name – ———- ———– ———– ———– — ———– 0 4a46000 268435456 238230496 30204960 11 Kernel 1 18a46000 67108864 17618536 49490328 73 Bcm_sdk 2 23737000 117440512 18414552 99025960 84 DMA buf ««< keeps increasing 3 2a737000 16777216 16777216 0 0 DMA desc This issue affects Juniper Networks Junos OS on the EX4300: 17.3 versions prior to 17.3R3-S11; 17.4 versions prior to 17.4R2-S13, 17.4R3-S4; 18.1 versions prior to 18.1R3-S12; 18.2 versions prior to 18.2R2-S8, 18.2R3-S7; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R1-S8, 18.4R2-S7, 18.4R3-S7; 19.1 versions prior to 19.1R1-S6, 19.1R2-S2, 19.1R3-S4; 19.2 versions prior to 19.2R1-S6, 19.2R3-S2; 19.3 versions prior to 19.3R3-S2; 19.4 versions prior to 19.4R2-S3, 19.4R3-S1; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R2-S1, 20.2R3; 20.3 versions prior to 20.3R1-S1, 20.3R2.
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Junos | Juniper | 17.3 (including) | 17.3 (including) |
| Junos | Juniper | 17.3-r1 (including) | 17.3-r1 (including) |
| Junos | Juniper | 17.3-r1-s1 (including) | 17.3-r1-s1 (including) |
| Junos | Juniper | 17.3-r1-s4 (including) | 17.3-r1-s4 (including) |
| Junos | Juniper | 17.3-r2 (including) | 17.3-r2 (including) |
| Junos | Juniper | 17.3-r2-s1 (including) | 17.3-r2-s1 (including) |
| Junos | Juniper | 17.3-r2-s2 (including) | 17.3-r2-s2 (including) |
| Junos | Juniper | 17.3-r2-s3 (including) | 17.3-r2-s3 (including) |
| Junos | Juniper | 17.3-r2-s4 (including) | 17.3-r2-s4 (including) |
| Junos | Juniper | 17.3-r2-s5 (including) | 17.3-r2-s5 (including) |
| Junos | Juniper | 17.3-r3 (including) | 17.3-r3 (including) |
| Junos | Juniper | 17.3-r3-s1 (including) | 17.3-r3-s1 (including) |
| Junos | Juniper | 17.3-r3-s10 (including) | 17.3-r3-s10 (including) |
| Junos | Juniper | 17.3-r3-s2 (including) | 17.3-r3-s2 (including) |
| Junos | Juniper | 17.3-r3-s3 (including) | 17.3-r3-s3 (including) |
| Junos | Juniper | 17.3-r3-s4 (including) | 17.3-r3-s4 (including) |
| Junos | Juniper | 17.3-r3-s5 (including) | 17.3-r3-s5 (including) |
| Junos | Juniper | 17.3-r3-s6 (including) | 17.3-r3-s6 (including) |
| Junos | Juniper | 17.3-r3-s7 (including) | 17.3-r3-s7 (including) |
| Junos | Juniper | 17.3-r3-s8 (including) | 17.3-r3-s8 (including) |
| Junos | Juniper | 17.3-r3-s9 (including) | 17.3-r3-s9 (including) |
| Junos | Juniper | 17.4 (including) | 17.4 (including) |
| Junos | Juniper | 17.4-r1 (including) | 17.4-r1 (including) |
| Junos | Juniper | 17.4-r1-s1 (including) | 17.4-r1-s1 (including) |
| Junos | Juniper | 17.4-r1-s2 (including) | 17.4-r1-s2 (including) |
| Junos | Juniper | 17.4-r1-s3 (including) | 17.4-r1-s3 (including) |
| Junos | Juniper | 17.4-r1-s4 (including) | 17.4-r1-s4 (including) |
| Junos | Juniper | 17.4-r1-s5 (including) | 17.4-r1-s5 (including) |
| Junos | Juniper | 17.4-r1-s6 (including) | 17.4-r1-s6 (including) |
| Junos | Juniper | 17.4-r1-s7 (including) | 17.4-r1-s7 (including) |
| Junos | Juniper | 17.4-r2 (including) | 17.4-r2 (including) |
| Junos | Juniper | 17.4-r2-s1 (including) | 17.4-r2-s1 (including) |
| Junos | Juniper | 17.4-r2-s10 (including) | 17.4-r2-s10 (including) |
| Junos | Juniper | 17.4-r2-s11 (including) | 17.4-r2-s11 (including) |
| Junos | Juniper | 17.4-r2-s12 (including) | 17.4-r2-s12 (including) |
| Junos | Juniper | 17.4-r2-s2 (including) | 17.4-r2-s2 (including) |
| Junos | Juniper | 17.4-r2-s3 (including) | 17.4-r2-s3 (including) |
| Junos | Juniper | 17.4-r2-s4 (including) | 17.4-r2-s4 (including) |
| Junos | Juniper | 17.4-r2-s5 (including) | 17.4-r2-s5 (including) |
| Junos | Juniper | 17.4-r2-s6 (including) | 17.4-r2-s6 (including) |
| Junos | Juniper | 17.4-r2-s7 (including) | 17.4-r2-s7 (including) |
| Junos | Juniper | 17.4-r2-s8 (including) | 17.4-r2-s8 (including) |
| Junos | Juniper | 17.4-r2-s9 (including) | 17.4-r2-s9 (including) |
| Junos | Juniper | 17.4-r3 (including) | 17.4-r3 (including) |
| Junos | Juniper | 17.4-r3-s1 (including) | 17.4-r3-s1 (including) |
| Junos | Juniper | 17.4-r3-s2 (including) | 17.4-r3-s2 (including) |
| Junos | Juniper | 17.4-r3-s3 (including) | 17.4-r3-s3 (including) |
| Junos | Juniper | 18.1 (including) | 18.1 (including) |
| Junos | Juniper | 18.1-r1 (including) | 18.1-r1 (including) |
| Junos | Juniper | 18.1-r2 (including) | 18.1-r2 (including) |
| Junos | Juniper | 18.1-r2-s1 (including) | 18.1-r2-s1 (including) |
| Junos | Juniper | 18.1-r2-s2 (including) | 18.1-r2-s2 (including) |
| Junos | Juniper | 18.1-r2-s4 (including) | 18.1-r2-s4 (including) |
| Junos | Juniper | 18.1-r3 (including) | 18.1-r3 (including) |
| Junos | Juniper | 18.1-r3-s1 (including) | 18.1-r3-s1 (including) |
| Junos | Juniper | 18.1-r3-s10 (including) | 18.1-r3-s10 (including) |
| Junos | Juniper | 18.1-r3-s11 (including) | 18.1-r3-s11 (including) |
| Junos | Juniper | 18.1-r3-s2 (including) | 18.1-r3-s2 (including) |
| Junos | Juniper | 18.1-r3-s3 (including) | 18.1-r3-s3 (including) |
| Junos | Juniper | 18.1-r3-s4 (including) | 18.1-r3-s4 (including) |
| Junos | Juniper | 18.1-r3-s5 (including) | 18.1-r3-s5 (including) |
| Junos | Juniper | 18.1-r3-s6 (including) | 18.1-r3-s6 (including) |
| Junos | Juniper | 18.1-r3-s7 (including) | 18.1-r3-s7 (including) |
| Junos | Juniper | 18.1-r3-s8 (including) | 18.1-r3-s8 (including) |
| Junos | Juniper | 18.1-r3-s9 (including) | 18.1-r3-s9 (including) |
| Junos | Juniper | 18.2 (including) | 18.2 (including) |
| Junos | Juniper | 18.2-r1 (including) | 18.2-r1 (including) |
| Junos | Juniper | 18.2-r1-s2 (including) | 18.2-r1-s2 (including) |
| Junos | Juniper | 18.2-r1-s3 (including) | 18.2-r1-s3 (including) |
| Junos | Juniper | 18.2-r1-s4 (including) | 18.2-r1-s4 (including) |
| Junos | Juniper | 18.2-r1-s5 (including) | 18.2-r1-s5 (including) |
| Junos | Juniper | 18.2-r2 (including) | 18.2-r2 (including) |
| Junos | Juniper | 18.2-r2-s1 (including) | 18.2-r2-s1 (including) |
| Junos | Juniper | 18.2-r2-s2 (including) | 18.2-r2-s2 (including) |
| Junos | Juniper | 18.2-r2-s3 (including) | 18.2-r2-s3 (including) |
| Junos | Juniper | 18.2-r2-s4 (including) | 18.2-r2-s4 (including) |
| Junos | Juniper | 18.2-r2-s5 (including) | 18.2-r2-s5 (including) |
| Junos | Juniper | 18.2-r2-s6 (including) | 18.2-r2-s6 (including) |
| Junos | Juniper | 18.2-r2-s7 (including) | 18.2-r2-s7 (including) |
| Junos | Juniper | 18.2-r3 (including) | 18.2-r3 (including) |
| Junos | Juniper | 18.2-r3-s1 (including) | 18.2-r3-s1 (including) |
| Junos | Juniper | 18.2-r3-s2 (including) | 18.2-r3-s2 (including) |
| Junos | Juniper | 18.2-r3-s3 (including) | 18.2-r3-s3 (including) |
| Junos | Juniper | 18.2-r3-s4 (including) | 18.2-r3-s4 (including) |
| Junos | Juniper | 18.2-r3-s5 (including) | 18.2-r3-s5 (including) |
| Junos | Juniper | 18.2-r3-s6 (including) | 18.2-r3-s6 (including) |
| Junos | Juniper | 18.3 (including) | 18.3 (including) |
| Junos | Juniper | 18.3-r1 (including) | 18.3-r1 (including) |
| Junos | Juniper | 18.3-r1-s1 (including) | 18.3-r1-s1 (including) |
| Junos | Juniper | 18.3-r1-s2 (including) | 18.3-r1-s2 (including) |
| Junos | Juniper | 18.3-r1-s3 (including) | 18.3-r1-s3 (including) |
| Junos | Juniper | 18.3-r1-s4 (including) | 18.3-r1-s4 (including) |
| Junos | Juniper | 18.3-r1-s5 (including) | 18.3-r1-s5 (including) |
| Junos | Juniper | 18.3-r1-s6 (including) | 18.3-r1-s6 (including) |
| Junos | Juniper | 18.3-r2 (including) | 18.3-r2 (including) |
| Junos | Juniper | 18.3-r2-s1 (including) | 18.3-r2-s1 (including) |
| Junos | Juniper | 18.3-r2-s2 (including) | 18.3-r2-s2 (including) |
| Junos | Juniper | 18.3-r2-s3 (including) | 18.3-r2-s3 (including) |
| Junos | Juniper | 18.3-r2-s4 (including) | 18.3-r2-s4 (including) |
| Junos | Juniper | 18.3-r3 (including) | 18.3-r3 (including) |
| Junos | Juniper | 18.3-r3-s1 (including) | 18.3-r3-s1 (including) |
| Junos | Juniper | 18.3-r3-s2 (including) | 18.3-r3-s2 (including) |
| Junos | Juniper | 18.3-r3-s3 (including) | 18.3-r3-s3 (including) |
| Junos | Juniper | 18.4 (including) | 18.4 (including) |
| Junos | Juniper | 18.4-r1 (including) | 18.4-r1 (including) |
| Junos | Juniper | 18.4-r1-s1 (including) | 18.4-r1-s1 (including) |
| Junos | Juniper | 18.4-r1-s2 (including) | 18.4-r1-s2 (including) |
| Junos | Juniper | 18.4-r1-s3 (including) | 18.4-r1-s3 (including) |
| Junos | Juniper | 18.4-r1-s4 (including) | 18.4-r1-s4 (including) |
| Junos | Juniper | 18.4-r1-s5 (including) | 18.4-r1-s5 (including) |
| Junos | Juniper | 18.4-r1-s6 (including) | 18.4-r1-s6 (including) |
| Junos | Juniper | 18.4-r1-s7 (including) | 18.4-r1-s7 (including) |
| Junos | Juniper | 18.4-r2 (including) | 18.4-r2 (including) |
| Junos | Juniper | 18.4-r2-s1 (including) | 18.4-r2-s1 (including) |
| Junos | Juniper | 18.4-r2-s2 (including) | 18.4-r2-s2 (including) |
| Junos | Juniper | 18.4-r2-s3 (including) | 18.4-r2-s3 (including) |
| Junos | Juniper | 18.4-r2-s4 (including) | 18.4-r2-s4 (including) |
| Junos | Juniper | 18.4-r2-s5 (including) | 18.4-r2-s5 (including) |
| Junos | Juniper | 18.4-r2-s6 (including) | 18.4-r2-s6 (including) |
| Junos | Juniper | 18.4-r3 (including) | 18.4-r3 (including) |
| Junos | Juniper | 18.4-r3-s1 (including) | 18.4-r3-s1 (including) |
| Junos | Juniper | 18.4-r3-s2 (including) | 18.4-r3-s2 (including) |
| Junos | Juniper | 18.4-r3-s3 (including) | 18.4-r3-s3 (including) |
| Junos | Juniper | 18.4-r3-s4 (including) | 18.4-r3-s4 (including) |
| Junos | Juniper | 18.4-r3-s5 (including) | 18.4-r3-s5 (including) |
| Junos | Juniper | 18.4-r3-s6 (including) | 18.4-r3-s6 (including) |
| Junos | Juniper | 19.1 (including) | 19.1 (including) |
| Junos | Juniper | 19.1-r1 (including) | 19.1-r1 (including) |
| Junos | Juniper | 19.1-r1-s1 (including) | 19.1-r1-s1 (including) |
| Junos | Juniper | 19.1-r1-s2 (including) | 19.1-r1-s2 (including) |
| Junos | Juniper | 19.1-r1-s3 (including) | 19.1-r1-s3 (including) |
| Junos | Juniper | 19.1-r1-s4 (including) | 19.1-r1-s4 (including) |
| Junos | Juniper | 19.1-r1-s5 (including) | 19.1-r1-s5 (including) |
| Junos | Juniper | 19.1-r2 (including) | 19.1-r2 (including) |
| Junos | Juniper | 19.1-r2-s1 (including) | 19.1-r2-s1 (including) |
| Junos | Juniper | 19.1-r3 (including) | 19.1-r3 (including) |
| Junos | Juniper | 19.1-r3-s1 (including) | 19.1-r3-s1 (including) |
| Junos | Juniper | 19.1-r3-s2 (including) | 19.1-r3-s2 (including) |
| Junos | Juniper | 19.1-r3-s3 (including) | 19.1-r3-s3 (including) |
| Junos | Juniper | 19.2 (including) | 19.2 (including) |
| Junos | Juniper | 19.2-r1 (including) | 19.2-r1 (including) |
| Junos | Juniper | 19.2-r1-s1 (including) | 19.2-r1-s1 (including) |
| Junos | Juniper | 19.2-r1-s2 (including) | 19.2-r1-s2 (including) |
| Junos | Juniper | 19.2-r1-s3 (including) | 19.2-r1-s3 (including) |
| Junos | Juniper | 19.2-r1-s4 (including) | 19.2-r1-s4 (including) |
| Junos | Juniper | 19.2-r1-s5 (including) | 19.2-r1-s5 (including) |
| Junos | Juniper | 19.2-r2 (including) | 19.2-r2 (including) |
| Junos | Juniper | 19.2-r2-s1 (including) | 19.2-r2-s1 (including) |
| Junos | Juniper | 19.2-r3 (including) | 19.2-r3 (including) |
| Junos | Juniper | 19.2-r3-s1 (including) | 19.2-r3-s1 (including) |
| Junos | Juniper | 19.3 (including) | 19.3 (including) |
| Junos | Juniper | 19.3-r1 (including) | 19.3-r1 (including) |
| Junos | Juniper | 19.3-r1-s1 (including) | 19.3-r1-s1 (including) |
| Junos | Juniper | 19.3-r2 (including) | 19.3-r2 (including) |
| Junos | Juniper | 19.3-r2-s1 (including) | 19.3-r2-s1 (including) |
| Junos | Juniper | 19.3-r2-s2 (including) | 19.3-r2-s2 (including) |
| Junos | Juniper | 19.3-r2-s3 (including) | 19.3-r2-s3 (including) |
| Junos | Juniper | 19.3-r2-s4 (including) | 19.3-r2-s4 (including) |
| Junos | Juniper | 19.3-r2-s5 (including) | 19.3-r2-s5 (including) |
| Junos | Juniper | 19.3-r3 (including) | 19.3-r3 (including) |
| Junos | Juniper | 19.4-r1 (including) | 19.4-r1 (including) |
| Junos | Juniper | 19.4-r1-s1 (including) | 19.4-r1-s1 (including) |
| Junos | Juniper | 19.4-r1-s2 (including) | 19.4-r1-s2 (including) |
| Junos | Juniper | 19.4-r2 (including) | 19.4-r2 (including) |
| Junos | Juniper | 19.4-r2-s1 (including) | 19.4-r2-s1 (including) |
| Junos | Juniper | 19.4-r2-s2 (including) | 19.4-r2-s2 (including) |
| Junos | Juniper | 19.4-r3 (including) | 19.4-r3 (including) |
| Junos | Juniper | 20.1-r1 (including) | 20.1-r1 (including) |
| Junos | Juniper | 20.1-r1-s1 (including) | 20.1-r1-s1 (including) |
| Junos | Juniper | 20.1-r1-s2 (including) | 20.1-r1-s2 (including) |
| Junos | Juniper | 20.1-r1-s3 (including) | 20.1-r1-s3 (including) |
| Junos | Juniper | 20.1-r1-s4 (including) | 20.1-r1-s4 (including) |
| Junos | Juniper | 20.2-r1 (including) | 20.2-r1 (including) |
| Junos | Juniper | 20.2-r1-s1 (including) | 20.2-r1-s1 (including) |
| Junos | Juniper | 20.2-r1-s2 (including) | 20.2-r1-s2 (including) |
| Junos | Juniper | 20.2-r1-s3 (including) | 20.2-r1-s3 (including) |
| Junos | Juniper | 20.2-r2 (including) | 20.2-r2 (including) |
| Junos | Juniper | 20.3-r1 (including) | 20.3-r1 (including) |
Code frequently has to work with limited resources, so programmers must be careful to ensure that resources are not consumed too quickly, or too easily. Without use of quotas, resource limits, or other protection mechanisms, it can be easy for an attacker to consume many resources by rapidly making many requests, or causing larger resources to be used than is needed. When too many resources are allocated, or if a single resource is too large, then it can prevent the code from working correctly, possibly leading to a denial of service.
Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”
Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation of resource exhaustion attacks requires that the target system either:
The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.
The second solution can be difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply requires more resources on the part of the attacker.
If the program must fail, ensure that it fails gracefully (fails closed). There may be a temptation to simply let the program fail poorly in cases such as low memory conditions, but an attacker may be able to assert control before the software has fully exited. Alternately, an uncontrolled failure could cause cascading problems with other downstream components; for example, the program could send a signal to a downstream process so the process immediately knows that a problem has occurred and has a better chance of recovery.
Ensure that all failures in resource allocation place the system into a safe posture.
Use resource-limiting settings provided by the operating system or environment. For example, when managing system resources in POSIX, setrlimit() can be used to set limits for certain types of resources, and getrlimit() can determine how many resources are available. However, these functions are not available on all operating systems.
When the current levels get close to the maximum that is defined for the application (see CWE-770), then limit the allocation of further resources to privileged users; alternately, begin releasing resources for less-privileged users. While this mitigation may protect the system from attack, it will not necessarily stop attackers from adversely impacting other users.
Ensure that the application performs the appropriate error checks and error handling in case resources become unavailable (CWE-703).