csaf_ncscnl - ncsc-2025-0006

Vulnerability from csaf_ncscnl

Published

2025-01-10 12:14

Modified

2025-01-10 12:14

Summary

Kwetsbaarheden verholpen in Juniper JunOS

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten

Juniper heeft kwetsbaarheden verholpen in JunS (Specifiek voor JunOS en JunOS Evolved).

Interpretaties

De kwetsbaarheden bevinden zich in de manier waarop Juniper's JunOS en JunOS Evolved omgaan met BGP-pakketten en IPv6-pakketten. De eerste kwetsbaarheid kan worden misbruikt door ongeauthenticeerde aanvallers die vervormde BGP-pakketten verzenden, wat kan leiden tot een crash van de routing protocol daemon (rpd). Dit vereist een gevestigde BGP-sessie, wat het een significante zorg maakt voor de netwerkstabiliteit. De tweede kwetsbaarheid in de Juniper Tunnel Driver laat ongeauthenticeerde aanvallers toe om vervormde IPv6-pakketten te verzenden, wat kan resulteren in geheugenuitputting en daaropvolgende systeemcrashes, met impact op de stabiliteit van de getroffen systemen.

Oplossingen

Juniper heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans

medium

Schade

high

CWE-401

Missing Release of Memory after Effective Lifetime

CWE-125

Out-of-bounds Read

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Juniper heeft kwetsbaarheden verholpen in JunS (Specifiek voor JunOS en JunOS Evolved).",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden bevinden zich in de manier waarop Juniper\u0027s JunOS en JunOS Evolved omgaan met BGP-pakketten en IPv6-pakketten. De eerste kwetsbaarheid kan worden misbruikt door ongeauthenticeerde aanvallers die vervormde BGP-pakketten verzenden, wat kan leiden tot een crash van de routing protocol daemon (rpd). Dit vereist een gevestigde BGP-sessie, wat het een significante zorg maakt voor de netwerkstabiliteit. De tweede kwetsbaarheid in de Juniper Tunnel Driver laat ongeauthenticeerde aanvallers toe om vervormde IPv6-pakketten te verzenden, wat kan resulteren in geheugenuitputting en daaropvolgende systeemcrashes, met impact op de stabiliteit van de getroffen systemen.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Juniper heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Missing Release of Memory after Effective Lifetime",
        "title": "CWE-401"
      },
      {
        "category": "general",
        "text": "Out-of-bounds Read",
        "title": "CWE-125"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference - cveprojectv5; nvd",
        "url": "https://supportportal.juniper.net/JSA92867"
      },
      {
        "category": "external",
        "summary": "Reference - cveprojectv5; nvd",
        "url": "https://supportportal.juniper.net/JSA92869"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Juniper JunOS",
    "tracking": {
      "current_release_date": "2025-01-10T12:14:00.841636Z",
      "id": "NCSC-2025-0006",
      "initial_release_date": "2025-01-10T12:14:00.841636Z",
      "revision_history": [
        {
          "date": "2025-01-10T12:14:00.841636Z",
          "number": "0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "junos_os",
            "product": {
              "name": "junos_os",
              "product_id": "CSAFPID-1709686",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:juniper_networks:junos_os:*:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "junos_os_evolved",
            "product": {
              "name": "junos_os_evolved",
              "product_id": "CSAFPID-1718382",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:juniper_networks:junos_os_evolved:*:*:*:*:*:*:*:*"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "juniper_networks"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "junos",
            "product": {
              "name": "junos",
              "product_id": "CSAFPID-261205",
              "product_identification_helper": {
                "cpe": "cpe:2.3:o:juniper:junos:-:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "junos",
            "product": {
              "name": "junos",
              "product_id": "CSAFPID-1636524",
              "product_identification_helper": {
                "cpe": "cpe:2.3:o:juniper:junos:evolved:*:*:*:*:*:*:*"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "juniper"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-21598",
      "cwe": {
        "id": "CWE-125",
        "name": "Out-of-bounds Read"
      },
      "notes": [
        {
          "category": "other",
          "text": "Out-of-bounds Read",
          "title": "CWE-125"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-261205",
          "CSAFPID-1636524",
          "CSAFPID-1709686",
          "CSAFPID-1718382"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-21598",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-21598.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-261205",
            "CSAFPID-1636524",
            "CSAFPID-1709686",
            "CSAFPID-1718382"
          ]
        }
      ],
      "title": "CVE-2025-21598"
    },
    {
      "cve": "CVE-2025-21599",
      "cwe": {
        "id": "CWE-401",
        "name": "Missing Release of Memory after Effective Lifetime"
      },
      "notes": [
        {
          "category": "other",
          "text": "Missing Release of Memory after Effective Lifetime",
          "title": "CWE-401"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-261205",
          "CSAFPID-1636524",
          "CSAFPID-1718382"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-21599",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-21599.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-261205",
            "CSAFPID-1636524",
            "CSAFPID-1718382"
          ]
        }
      ],
      "title": "CVE-2025-21599"
    }
  ]
}

cve-2025-21598

Vulnerability from cvelistv5

Published

2025-01-09 18:16

Modified

2025-01-09 20:15

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
8.2 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/V:C/RE:M/U:Amber

Summary

An Out-of-bounds Read vulnerability in Juniper Networks Junos OS and Junos OS Evolved's routing protocol daemon (rpd) allows an unauthenticated, network-based attacker to send malformed BGP packets to a device configured with packet receive trace options enabled to crash rpd. This issue affects: Junos OS: * from 21.2R3-S8 before 21.2R3-S9, * from 21.4R3-S7 before 21.4R3-S9, * from 22.2R3-S4 before 22.2R3-S5, * from 22.3R3-S2 before 22.3R3-S4, * from 22.4R3 before 22.4R3-S5, * from 23.2R2 before 23.2R2-S2, * from 23.4R1 before 23.4R2-S1, * from 24.2R1 before 24.2R1-S1, 24.2R2. Junos OS Evolved: * from 21.4R3-S7-EVO before 21.4R3-S9-EVO, * from 22.2R3-S4-EVO before 22.2R3-S5-EVO, * from 22.3R3-S2-EVO before 22.3R3-S4-EVO, * from 22.4R3-EVO before 22.4R3-S5-EVO, * from 23.2R2-EVO before 23.2R2-S2-EVO, * from 23.4R1-EVO before 23.4R2-S1-EVO, * from 24.2R1-EVO before 24.2R1-S2-EVO, 24.2R2-EVO. This issue requires a BGP session to be established. This issue can propagate and multiply through multiple ASes until reaching vulnerable devices. This issue affects iBGP and eBGP. This issue affects IPv4 and IPv6. An indicator of compromise may be the presence of malformed update messages in a neighboring AS which is unaffected by this issue: For example, by issuing the command on the neighboring device: show log messages Reviewing for similar messages from devices within proximity to each other may indicate this malformed packet is propagating: rpd[<pid>]: Received malformed update from <IP address> (External AS <AS#>) and rpd[<pid>]: Malformed Attribute

References

▼	URL	Tags
	https://supportportal.juniper.net/JSA92867	vendor-advisory
	https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/traceoptions-edit-protocols-bgp.html	related

Impacted products

Vendor

Product

Version

▼

Juniper Networks

Junos OS

Version: 21.2R3-S8   ≤
Version: 21.4R3-S7   ≤
Version: 22.2R3-S4   ≤
Version: 22.3R3-S2   ≤
Version: 22.4R3   ≤
Version: 23.2R2   ≤
Version: 23.4R1   ≤
Version: 24.2R1   ≤

Juniper Networks

Junos OS Evolved

Version: 21.4R3-S7-EVO
Version: 22.2R3-S4-EVO   ≤
Version: 22.3R3-S2-EVO   ≤
Version: 22.4R3-EVO   ≤
Version: 23.2R2-EVO   ≤
Version: 23.4R1-EVO   ≤
Version: 24.2R1-EVO   ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-21598",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T20:14:41.822272Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T20:15:00.238Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "BGP Traceoptions",
            "BGP",
            "RPD"
          ],
          "packageName": "RPD",
          "product": "Junos OS",
          "vendor": "Juniper Networks",
          "versions": [
            {
              "lessThan": "21.2R3-S9",
              "status": "affected",
              "version": "21.2R3-S8",
              "versionType": "semver"
            },
            {
              "lessThan": "21.4R3-S9",
              "status": "affected",
              "version": "21.4R3-S7",
              "versionType": "semver"
            },
            {
              "lessThan": "22.2R3-S5",
              "status": "affected",
              "version": "22.2R3-S4",
              "versionType": "semver"
            },
            {
              "lessThan": "22.3R3-S4",
              "status": "affected",
              "version": "22.3R3-S2",
              "versionType": "semver"
            },
            {
              "lessThan": "22.4R3-S5",
              "status": "affected",
              "version": "22.4R3",
              "versionType": "semver"
            },
            {
              "lessThan": "23.2R2-S2",
              "status": "affected",
              "version": "23.2R2",
              "versionType": "semver"
            },
            {
              "lessThan": "23.4R2-S1",
              "status": "affected",
              "version": "23.4R1",
              "versionType": "semver"
            },
            {
              "lessThan": "24.2R1-S1, 24.2R2",
              "status": "affected",
              "version": "24.2R1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Junos OS Evolved",
          "vendor": "Juniper Networks",
          "versions": [
            {
              "lessThan": "21.4R3-S9-EVO",
              "status": "affected",
              "version": "21.4R3-S7-EVO",
              "versionType": "se"
            },
            {
              "lessThan": "22.2R3-S5-EVO",
              "status": "affected",
              "version": "22.2R3-S4-EVO",
              "versionType": "semver"
            },
            {
              "lessThan": "22.3R3-S4-EVO",
              "status": "affected",
              "version": "22.3R3-S2-EVO",
              "versionType": "semver"
            },
            {
              "lessThan": "22.4R3-S5-EVO",
              "status": "affected",
              "version": "22.4R3-EVO",
              "versionType": "semver"
            },
            {
              "lessThan": "23.2R2-S2-EVO",
              "status": "affected",
              "version": "23.2R2-EVO",
              "versionType": "semver"
            },
            {
              "lessThan": "23.4R2-S1-EVO",
              "status": "affected",
              "version": "23.4R1-EVO",
              "versionType": "semver"
            },
            {
              "lessThan": "24.2R1-S2-EVO, 24.2R2-EVO",
              "status": "affected",
              "version": "24.2R1-EVO",
              "versionType": "semver"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "This issue can occur when bgp trace options are enabled at global, group, or neighbor-level.\u003cbr\u003e\u003cbr\u003eThe following global example is provided:\u003cbr\u003e\u0026nbsp; [protocols bgp traceoptions flag update detail]\u003cbr\u003eor\u003cbr\u003e\u0026nbsp; [protocols bgp traceoptions flag receive detail]\u003cbr\u003eand\u003cbr\u003e\u0026nbsp; [protocols bgp traceoptions flag update detail]\u003cbr\u003e\u0026nbsp; [protocols bgp traceoptions flag receive detail]\u003cbr\u003e\u003cbr\u003eThe following neighbor-level example is provided:\u003cbr\u003e\u0026nbsp; [protocols bgp group test neighbor 192.168.1.1 traceoptions flag update detail]\u003cbr\u003e\u0026nbsp; [protocols bgp group test neighbor 192.168.1.1 traceoptions flag receive detail]\u003cbr\u003e\u003cbr\u003eRefer to your product documentation for other examples and configurations."
            }
          ],
          "value": "This issue can occur when bgp trace options are enabled at global, group, or neighbor-level.\n\nThe following global example is provided:\n\u00a0 [protocols bgp traceoptions flag update detail]\nor\n\u00a0 [protocols bgp traceoptions flag receive detail]\nand\n\u00a0 [protocols bgp traceoptions flag update detail]\n\u00a0 [protocols bgp traceoptions flag receive detail]\n\nThe following neighbor-level example is provided:\n\u00a0 [protocols bgp group test neighbor 192.168.1.1 traceoptions flag update detail]\n\u00a0 [protocols bgp group test neighbor 192.168.1.1 traceoptions flag receive detail]\n\nRefer to your product documentation for other examples and configurations."
        }
      ],
      "datePublic": "2025-01-08T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn\u0026nbsp;Out-of-bounds Read vulnerability in Juniper Networks Junos OS and Junos OS Evolved\u0027s routing protocol daemon (rpd) allows an unauthenticated, network-based attacker to send\u0026nbsp;malformed BGP packets to a device configured with packet receive trace options enabled to crash rpd.\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003e\u003c/span\u003e\u003c/span\u003e\u003cp\u003eThis issue affects:\u003c/p\u003e\u003cp\u003eJunos OS:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003efrom 21.2R3-S8 before 21.2R3-S9,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 21.4R3-S7 before 21.4R3-S9,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.2R3-S4 before 22.2R3-S5,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.3R3-S2 before 22.3R3-S4,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.4R3 before 22.4R3-S5,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.2R2 before 23.2R2-S2,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.4R1 before 23.4R2-S1,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 24.2R1 before 24.2R1-S1, 24.2R2.\u003c/li\u003e\u003c/ul\u003eJunos OS Evolved:\u003cbr\u003e\u003cul\u003e\u003cli\u003efrom 21.4R3-S7-EVO before 21.4R3-S9-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.2R3-S4-EVO before 22.2R3-S5-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.3R3-S2-EVO before 22.3R3-S4-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 22.4R3-EVO before 22.4R3-S5-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.2R2-EVO before 23.2R2-S2-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.4R1-EVO before 23.4R2-S1-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 24.2R1-EVO before 24.2R1-S2-EVO, 24.2R2-EVO.\u003c/li\u003e\u003c/ul\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThis issue requires a BGP session to be established.\u003cbr\u003e\u003cbr\u003eThis issue can propagate and multiply through multiple ASes until reaching vulnerable devices.\u003cbr\u003e\u003cbr\u003eThis issue affects iBGP and eBGP.\u003cbr\u003e\u003cbr\u003eThis issue affects IPv4 and IPv6.\u003cbr\u003e\u003c/span\u003e\u003c/span\u003e\u003cspan style=\"background-color: var(--wht);\"\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003eAn indicator of compromise may be the presence of malformed update messages in a neighboring AS which is unaffected by this issue:\u003cbr\u003e\u003cbr\u003eFor example, by issuing the command on the neighboring device:\u003cbr\u003e\u0026nbsp;show log messages\u003cbr\u003e\u003cbr\u003eReviewing for similar messages from devices within proximity to each other may indicate this malformed packet is propagating:\u003cbr\u003e\u0026nbsp; rpd[\u0026lt;pid\u0026gt;]: Received malformed update from \u0026lt;IP address\u0026gt; (External AS \u0026lt;AS#\u0026gt;)\u003cbr\u003eand\u003cbr\u003e\u0026nbsp; rpd[\u0026lt;pid\u0026gt;]: Malformed Attribute\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "An\u00a0Out-of-bounds Read vulnerability in Juniper Networks Junos OS and Junos OS Evolved\u0027s routing protocol daemon (rpd) allows an unauthenticated, network-based attacker to send\u00a0malformed BGP packets to a device configured with packet receive trace options enabled to crash rpd.\nThis issue affects:\n\nJunos OS:\u00a0\n\n\n\n  *  from 21.2R3-S8 before 21.2R3-S9,\u00a0\n  *  from 21.4R3-S7 before 21.4R3-S9,\u00a0\n  *  from 22.2R3-S4 before 22.2R3-S5,\u00a0\n  *  from 22.3R3-S2 before 22.3R3-S4,\u00a0\n  *  from 22.4R3 before 22.4R3-S5,\u00a0\n  *  from 23.2R2 before 23.2R2-S2,\u00a0\n  *  from 23.4R1 before 23.4R2-S1,\u00a0\n  *  from 24.2R1 before 24.2R1-S1, 24.2R2.\n\n\nJunos OS Evolved:\n  *  from 21.4R3-S7-EVO before 21.4R3-S9-EVO,\u00a0\n  *  from 22.2R3-S4-EVO before 22.2R3-S5-EVO,\u00a0\n  *  from 22.3R3-S2-EVO before 22.3R3-S4-EVO,\u00a0\n  *  from 22.4R3-EVO before 22.4R3-S5-EVO,\u00a0\n  *  from 23.2R2-EVO before 23.2R2-S2-EVO,\u00a0\n  *  from 23.4R1-EVO before 23.4R2-S1-EVO,\u00a0\n  *  from 24.2R1-EVO before 24.2R1-S2-EVO, 24.2R2-EVO.\n\n\nThis issue requires a BGP session to be established.\n\nThis issue can propagate and multiply through multiple ASes until reaching vulnerable devices.\n\nThis issue affects iBGP and eBGP.\n\nThis issue affects IPv4 and IPv6.\n\nAn indicator of compromise may be the presence of malformed update messages in a neighboring AS which is unaffected by this issue:\n\nFor example, by issuing the command on the neighboring device:\n\u00a0show log messages\n\nReviewing for similar messages from devices within proximity to each other may indicate this malformed packet is propagating:\n\u00a0 rpd[\u003cpid\u003e]: Received malformed update from \u003cIP address\u003e (External AS \u003cAS#\u003e)\nand\n\u00a0 rpd[\u003cpid\u003e]: Malformed Attribute"
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
            }
          ],
          "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "AUTOMATIC",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/AU:Y/R:A/V:C/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "description": "Denial of Service (DoS)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-09T18:16:32.549Z",
        "orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
        "shortName": "juniper"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://supportportal.juniper.net/JSA92867"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/traceoptions-edit-protocols-bgp.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The following software releases have been updated to resolve this specific issue:\u003cbr\u003e\u003cbr\u003eJunos OS: 21.2R3-S9, 21.4R3-S9, 22.2R3-S5, 22.3R3-S4, 22.4R3-S5, 23.2R2-S2, 23.4R2-S1, 24.2R1-S1, 24.2R2, 24.4R1, and all subsequent releases.\u003cbr\u003e\u003cbr\u003eJunos OS Evolved: 21.4R3-S9-EVO, 22.2R3-S5-EVO, 22.3R3-S4-EVO, 22.4R3-S5-EVO, 23.2R2-S2-EVO, 23.4R2-S1-EVO, 24.2R1-S2-EVO, 24.2R2-EVO, 24.4R1-EVO, and all subsequent releases.\u003cbr\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "The following software releases have been updated to resolve this specific issue:\n\nJunos OS: 21.2R3-S9, 21.4R3-S9, 22.2R3-S5, 22.3R3-S4, 22.4R3-S5, 23.2R2-S2, 23.4R2-S1, 24.2R1-S1, 24.2R2, 24.4R1, and all subsequent releases.\n\nJunos OS Evolved: 21.4R3-S9-EVO, 22.2R3-S5-EVO, 22.3R3-S4-EVO, 22.4R3-S5-EVO, 23.2R2-S2-EVO, 23.4R2-S1-EVO, 24.2R1-S2-EVO, 24.2R2-EVO, 24.4R1-EVO, and all subsequent releases."
        }
      ],
      "source": {
        "advisory": "JSA92867",
        "defect": [
          "1821241"
        ],
        "discovery": "USER"
      },
      "title": "Junos OS and Junos OS Evolved: When BGP traceoptions are configured, receipt of malformed BGP packets causes RPD to crash",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Disabling packet tracing options will work around this issue.\u003cbr\u003e\u003cbr\u003eThere are no other available workarounds for this issue.\u003cbr\u003e"
            }
          ],
          "value": "Disabling packet tracing options will work around this issue.\n\nThere are no other available workarounds for this issue."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
    "assignerShortName": "juniper",
    "cveId": "CVE-2025-21598",
    "datePublished": "2025-01-09T18:16:32.549Z",
    "dateReserved": "2024-12-26T14:47:11.669Z",
    "dateUpdated": "2025-01-09T20:15:00.238Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2025-21599

Vulnerability from cvelistv5

Published

2025-01-09 16:46

Modified

2025-01-09 19:22

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Summary

A Missing Release of Memory after Effective Lifetime vulnerability in the Juniper Tunnel Driver (jtd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-based attacker to cause Denial of Service. Receipt of specifically malformed IPv6 packets, destined to the device, causes kernel memory to not be freed, resulting in memory exhaustion leading to a system crash and Denial of Service (DoS). Continuous receipt and processing of these packets will continue to exhaust kernel memory, creating a sustained Denial of Service (DoS) condition. This issue only affects systems configured with IPv6. This issue affects Junos OS Evolved: * from 22.4-EVO before 22.4R3-S5-EVO, * from 23.2-EVO before 23.2R2-S2-EVO, * from 23.4-EVO before 23.4R2-S2-EVO, * from 24.2-EVO before 24.2R1-S2-EVO, 24.2R2-EVO. This issue does not affect Juniper Networks Junos OS Evolved versions prior to 22.4R1-EVO.

References

▼	URL	Tags
	https://supportportal.juniper.net/JSA92869	vendor-advisory

Impacted products

Vendor

Product

Version

▼

Juniper Networks

Junos OS Evolved

Version: 22.4-EVO   ≤
Version: 23.2-EVO   ≤
Version: 23.4-EVO   ≤
Version: 24.2-EVO   ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-21599",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T19:10:50.746646Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T19:22:22.119Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Junos OS Evolved",
          "vendor": "Juniper Networks",
          "versions": [
            {
              "lessThan": "22.4R3-S5-EVO",
              "status": "affected",
              "version": "22.4-EVO",
              "versionType": "semver"
            },
            {
              "lessThan": "23.2R2-S2-EVO",
              "status": "affected",
              "version": "23.2-EVO",
              "versionType": "semver"
            },
            {
              "lessThan": "23.4R2-S2-EVO",
              "status": "affected",
              "version": "23.4-EVO",
              "versionType": "semver"
            },
            {
              "lessThan": "24.2R1-S2-EVO, 24.2R2-EVO",
              "status": "affected",
              "version": "24.2-EVO",
              "versionType": "semver"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "To be exposed to this vulnerability a device needs to be configured with a minimal IPv6 configuration like in the following example:\u003cbr\u003e\u003cbr\u003e\u0026nbsp; [ interfaces \u0026lt;interface\u0026gt; unit \u0026lt;unit number\u0026gt; family inet6 ]\u003cbr\u003e"
            }
          ],
          "value": "To be exposed to this vulnerability a device needs to be configured with a minimal IPv6 configuration like in the following example:\n\n\u00a0 [ interfaces \u003cinterface\u003e unit \u003cunit number\u003e family inet6 ]"
        }
      ],
      "datePublic": "2025-01-08T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMissing Release of Memory after Effective Lifetime vulnerability\u003c/span\u003e in the Juniper Tunnel Driver (jtd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-based attacker to cause Denial of Service.\u0026nbsp;\u003cbr\u003e\u003cbr\u003eReceipt of specifically malformed IPv6 packets, destined to the device, causes kernel memory to not be freed, resulting in memory exhaustion leading to a system crash and Denial of Service (DoS).\u0026nbsp;Continuous receipt and processing of these packets will continue to exhaust kernel memory, creating a sustained Denial of Service (DoS) condition.\u003cbr\u003e\u003c/span\u003e\u003cp\u003eThis issue only affects systems configured with IPv6.\u003c/p\u003e\u003cp\u003eThis issue affects Junos OS Evolved:\u0026nbsp;\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003efrom 22.4-EVO before 22.4R3-S5-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.2-EVO before 23.2R2-S2-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 23.4-EVO before 23.4R2-S2-EVO,\u0026nbsp;\u003c/li\u003e\u003cli\u003efrom 24.2-EVO before 24.2R1-S2-EVO, 24.2R2-EVO.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003c/p\u003eThis issue does not affect Juniper Networks Junos OS Evolved versions prior to 22.4R1-EVO.\u003cbr\u003e"
            }
          ],
          "value": "A\u00a0Missing Release of Memory after Effective Lifetime vulnerability in the Juniper Tunnel Driver (jtd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-based attacker to cause Denial of Service.\u00a0\n\nReceipt of specifically malformed IPv6 packets, destined to the device, causes kernel memory to not be freed, resulting in memory exhaustion leading to a system crash and Denial of Service (DoS).\u00a0Continuous receipt and processing of these packets will continue to exhaust kernel memory, creating a sustained Denial of Service (DoS) condition.\nThis issue only affects systems configured with IPv6.\n\nThis issue affects Junos OS Evolved:\u00a0\n\n\n\n  *  from 22.4-EVO before 22.4R3-S5-EVO,\u00a0\n  *  from 23.2-EVO before 23.2R2-S2-EVO,\u00a0\n  *  from 23.4-EVO before 23.4R2-S2-EVO,\u00a0\n  *  from 24.2-EVO before 24.2R1-S2-EVO, 24.2R2-EVO.\n\n\n\n\nThis issue does not affect Juniper Networks Junos OS Evolved versions prior to 22.4R1-EVO."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
            }
          ],
          "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-09T16:46:57.412Z",
        "orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
        "shortName": "juniper"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://supportportal.juniper.net/JSA92869"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The following software releases have been updated to resolve this specific issue: \u003cbr\u003e\u003cbr\u003eJunos OS Evolved: 22.4R3-S5-EVO, 23.2R2-S2-EVO, 23.4R2-S2-EVO, 24.2R1-S2-EVO, 24.2R2-EVO*, 24.4R1-EVO, and all subsequent releases.\u003cbr\u003e\u003cbr\u003e* Future Release\u003cbr\u003e\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "The following software releases have been updated to resolve this specific issue: \n\nJunos OS Evolved: 22.4R3-S5-EVO, 23.2R2-S2-EVO, 23.4R2-S2-EVO, 24.2R1-S2-EVO, 24.2R2-EVO*, 24.4R1-EVO, and all subsequent releases.\n\n* Future Release"
        }
      ],
      "source": {
        "advisory": "JSA92869",
        "defect": [
          "1821515"
        ],
        "discovery": "INTERNAL"
      },
      "title": "Junos OS Evolved: Receipt of specifically malformed IPv6 packets causes kernel memory exhaustion leading to Denial of Service",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "There are no known workarounds for this issue."
            }
          ],
          "value": "There are no known workarounds for this issue."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
    "assignerShortName": "juniper",
    "cveId": "CVE-2025-21599",
    "datePublished": "2025-01-09T16:46:57.412Z",
    "dateReserved": "2024-12-26T14:47:11.669Z",
    "dateUpdated": "2025-01-09T19:22:22.119Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

Vulnerability from csaf_ncscnl

cve-2025-21598

Vulnerability from cvelistv5

cve-2025-21599

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature