CVE-2023-22410 | Vulnerability Database | Aqua Security

A Missing Release of Memory after Effective Lifetime vulnerability in the Juniper Networks Junos OS on MX Series platforms with MPC10/MPC11 line cards, allows an unauthenticated adjacent attacker to cause a Denial of Service (DoS). Devices are only vulnerable when the Suspicious Control Flow Detection (scfd) feature is enabled. Upon enabling this specific feature, an attacker sending specific traffic is causing memory to be allocated dynamically and it is not freed. Memory is not freed even after deactivating this feature. Sustained processing of such traffic will eventually lead to an out of memory condition that prevents all services from continuing to function, and requires a manual restart to recover. The FPC memory usage can be monitored using the CLI command show chassis fpc. On running the above command, the memory of AftDdosScfdFlow can be observed to detect the memory leak. This issue affects Juniper Networks Junos OS on MX Series: All versions prior to 20.2R3-S5; 20.3 version 20.3R1 and later versions.

Weakness

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

Affected Software

Name	Vendor	Start Version	End Version
Junos	Juniper	*	20.2 (excluding)
Junos	Juniper	20.2 (including)	20.2 (including)
Junos	Juniper	20.2-r1 (including)	20.2-r1 (including)
Junos	Juniper	20.2-r1-s1 (including)	20.2-r1-s1 (including)
Junos	Juniper	20.2-r1-s2 (including)	20.2-r1-s2 (including)
Junos	Juniper	20.2-r1-s3 (including)	20.2-r1-s3 (including)
Junos	Juniper	20.2-r2 (including)	20.2-r2 (including)
Junos	Juniper	20.2-r2-s1 (including)	20.2-r2-s1 (including)
Junos	Juniper	20.2-r2-s2 (including)	20.2-r2-s2 (including)
Junos	Juniper	20.2-r2-s3 (including)	20.2-r2-s3 (including)
Junos	Juniper	20.2-r3 (including)	20.2-r3 (including)
Junos	Juniper	20.2-r3-s1 (including)	20.2-r3-s1 (including)
Junos	Juniper	20.2-r3-s2 (including)	20.2-r3-s2 (including)
Junos	Juniper	20.2-r3-s3 (including)	20.2-r3-s3 (including)
Junos	Juniper	20.2-r3-s4 (including)	20.2-r3-s4 (including)
Junos	Juniper	20.3 (including)	20.3 (including)
Junos	Juniper	20.3-r1 (including)	20.3-r1 (including)
Junos	Juniper	20.3-r1-s1 (including)	20.3-r1-s1 (including)
Junos	Juniper	20.3-r1-s2 (including)	20.3-r1-s2 (including)
Junos	Juniper	20.3-r2 (including)	20.3-r2 (including)
Junos	Juniper	20.3-r2-s1 (including)	20.3-r2-s1 (including)
Junos	Juniper	20.3-r3 (including)	20.3-r3 (including)
Junos	Juniper	20.3-r3-s1 (including)	20.3-r3-s1 (including)
Junos	Juniper	20.3-r3-s2 (including)	20.3-r3-s2 (including)
Junos	Juniper	20.3-r3-s3 (including)	20.3-r3-s3 (including)
Junos	Juniper	20.3-r3-s4 (including)	20.3-r3-s4 (including)
Junos	Juniper	20.3-r3-s5 (including)	20.3-r3-s5 (including)
Junos	Juniper	20.3-r3-s6 (including)	20.3-r3-s6 (including)

Potential Mitigations

Choose a language or tool that provides automatic memory management, or makes manual memory management less error-prone.
For example, glibc in Linux provides protection against free of invalid pointers.
When using Xcode to target OS X or iOS, enable automatic reference counting (ARC) [REF-391].
To help correctly and consistently manage memory when programming in C++, consider using a smart pointer class such as std::auto_ptr (defined by ISO/IEC ISO/IEC 14882:2003), std::shared_ptr and std::unique_ptr (specified by an upcoming revision of the C++ standard, informally referred to as C++ 1x), or equivalent solutions such as Boost.

References

https://kb.juniper.net/JSA70206

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-22410
CWE	https://cwe.mitre.org/data/definitions/401.html