CVE-2023-22392 | Vulnerability Database | Aqua Security

A Missing Release of Memory after Effective Lifetime vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS).

PTX3000, PTX5000, QFX10000, PTX1000, PTX10002, and PTX10004, PTX10008 and PTX10016 with LC110x FPCs do not support certain flow-routes. Once a flow-route is received over an established BGP session and an attempt is made to install the resulting filter into the PFE, FPC heap memory is leaked. The FPC heap memory can be monitored using the CLI command show chassis fpc.

The following syslog messages can be observed if the respective filter derived from a flow-route cannot be installed.

expr_dfw_sfm_range_add:661 SFM packet-length Unable to get a sfm entry for updating the hw expr_dfw_hw_sfm_add:750 Unable to add the filter secondarymatch to the hardware expr_dfw_base_hw_add:52 Failed to add h/w sfm data. expr_dfw_base_hw_create:114 Failed to add h/w data. expr_dfw_base_pfe_inst_create:241 Failed to create base inst for sfilter 0 on PFE 0 for flowspec_default_inet expr_dfw_flt_inst_change:1368 Failed to create flowspec_default_inet on PFE 0 expr_dfw_hw_pgm_fnum:465 dfw_pfe_inst_old not found for pfe_index 0! expr_dfw_bp_pgm_flt_num:548 Failed to pgm bind-point in hw: generic failure expr_dfw_bp_topo_handler:1102 Failed to program fnum. expr_dfw_entry_process_change:679 Failed to change instance for filter flowspec_default_inet. This issue affects Juniper Networks Junos OS:

on PTX1000, PTX10002, and PTX10004, PTX10008 and PTX10016 with LC110x FPCs:

All versions prior to 20.4R3-S5;
21.1 versions prior to 21.1R3-S4;
21.2 versions prior to 21.2R3-S2;
21.3 versions prior to 21.3R3;
21.4 versions prior to 21.4R2-S2, 21.4R3;
22.1 versions prior to 22.1R1-S2, 22.1R2.

on PTX3000, PTX5000, QFX10000:

All versions prior to 20.4R3-S8;
21.1 version 21.1R1 and later versions;
21.2 versions prior to 21.2R3-S6;
21.3 versions prior to 21.3R3-S5;
21.4 versions prior to 21.4R3-S4;
22.1 versions prior to 22.1R3-S3
22.2 versions prior to 22.2R3-S1
22.3 versions prior to 22.3R2-S2, 22.3R3
22.4 versions prior to 22.4R2.

Weakness

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

Affected Software

Name	Vendor	Start Version	End Version
Junos	Juniper	*	20.4 (excluding)
Junos	Juniper	20.4 (including)	20.4 (including)
Junos	Juniper	20.4-r1 (including)	20.4-r1 (including)
Junos	Juniper	20.4-r1-s1 (including)	20.4-r1-s1 (including)
Junos	Juniper	20.4-r2 (including)	20.4-r2 (including)
Junos	Juniper	20.4-r2-s1 (including)	20.4-r2-s1 (including)
Junos	Juniper	20.4-r2-s2 (including)	20.4-r2-s2 (including)
Junos	Juniper	20.4-r3 (including)	20.4-r3 (including)
Junos	Juniper	20.4-r3-s1 (including)	20.4-r3-s1 (including)
Junos	Juniper	20.4-r3-s2 (including)	20.4-r3-s2 (including)
Junos	Juniper	20.4-r3-s3 (including)	20.4-r3-s3 (including)
Junos	Juniper	20.4-r3-s4 (including)	20.4-r3-s4 (including)
Junos	Juniper	21.1 (including)	21.1 (including)
Junos	Juniper	21.1-r1 (including)	21.1-r1 (including)
Junos	Juniper	21.1-r1-s1 (including)	21.1-r1-s1 (including)
Junos	Juniper	21.1-r2 (including)	21.1-r2 (including)
Junos	Juniper	21.1-r2-s1 (including)	21.1-r2-s1 (including)
Junos	Juniper	21.1-r2-s2 (including)	21.1-r2-s2 (including)
Junos	Juniper	21.1-r3 (including)	21.1-r3 (including)
Junos	Juniper	21.1-r3-s1 (including)	21.1-r3-s1 (including)
Junos	Juniper	21.1-r3-s2 (including)	21.1-r3-s2 (including)
Junos	Juniper	21.1-r3-s3 (including)	21.1-r3-s3 (including)
Junos	Juniper	21.2 (including)	21.2 (including)
Junos	Juniper	21.2-r1 (including)	21.2-r1 (including)
Junos	Juniper	21.2-r1-s1 (including)	21.2-r1-s1 (including)
Junos	Juniper	21.2-r1-s2 (including)	21.2-r1-s2 (including)
Junos	Juniper	21.2-r2 (including)	21.2-r2 (including)
Junos	Juniper	21.2-r2-s1 (including)	21.2-r2-s1 (including)
Junos	Juniper	21.2-r2-s2 (including)	21.2-r2-s2 (including)
Junos	Juniper	21.2-r3 (including)	21.2-r3 (including)
Junos	Juniper	21.2-r3-s1 (including)	21.2-r3-s1 (including)
Junos	Juniper	21.3 (including)	21.3 (including)
Junos	Juniper	21.3-r1 (including)	21.3-r1 (including)
Junos	Juniper	21.3-r1-s1 (including)	21.3-r1-s1 (including)
Junos	Juniper	21.3-r1-s2 (including)	21.3-r1-s2 (including)
Junos	Juniper	21.3-r2 (including)	21.3-r2 (including)
Junos	Juniper	21.3-r2-s1 (including)	21.3-r2-s1 (including)
Junos	Juniper	21.3-r2-s2 (including)	21.3-r2-s2 (including)
Junos	Juniper	21.4 (including)	21.4 (including)
Junos	Juniper	21.4-r1 (including)	21.4-r1 (including)
Junos	Juniper	21.4-r1-s1 (including)	21.4-r1-s1 (including)
Junos	Juniper	21.4-r1-s2 (including)	21.4-r1-s2 (including)
Junos	Juniper	21.4-r2 (including)	21.4-r2 (including)
Junos	Juniper	21.4-r2-s1 (including)	21.4-r2-s1 (including)
Junos	Juniper	22.1-r1 (including)	22.1-r1 (including)
Junos	Juniper	22.1-r1-s1 (including)	22.1-r1-s1 (including)

Potential Mitigations

Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
For example, glibc in Linux provides protection against free of invalid pointers.
When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.

References

https://supportportal.juniper.net/JSA73530

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-22392
CWE	https://cwe.mitre.org/data/definitions/401.html