Operating System:

[Juniper]

Published:

08 November 2022

Protect yourself against future threats.

//Service

Incident Management

Whether it is proactive or reactive services you're after, we will help you detect, interpret and respond to attacks from across the globe.

Read more
Resources > Security Bulletins > ESB-2022.5656 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5656
Junos OS and Junos OS Evolved: In an SR to LDP interworking scenario, with
       SRMS, when a specific low privileged command is issued on an
                    ABR rpd will crash (CVE-2022-22233)
                              8 November 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS
                   Junos OS Evolved
Publisher:         Juniper Networks
Operating System:  Juniper
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22233  

Original Bulletin: 
   https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-In-an-SR-to-LDP-interworking-scenario-with-SRMS-when-a-specific-low-privileged-command-is-issued-on-an-ABR-rpd-will-crash-CVE-2022-22233

Comment: CVSS (Max):  5.5 CVE-2022-22233 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Article ID:       JSA69887

Product Affected: This issue affects Junos OS 21.4, 22.1. This issue affects 
Junos OS Evolved 21.4-EVO, 22.1-EVO.

Severity Level:   Medium

CVSS Score:       5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Problem:

An Unchecked Return Value to NULL Pointer Dereference vulnerability in Routing 
Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows 
a locally authenticated attacker with low privileges to cause a Denial of 
Service (DoS).

In Segment Routing (SR) to Label Distribution Protocol (LDP) interworking 
scenario, configured with Segment Routing Mapping Server (SRMS) at any node, 
when an Area Border Router (ABR) leaks the SRMS entries having "S" flag set 
from IS-IS Level 2 to Level 1, an rpd core might be observed when a specific 
low privileged CLI command is issued.

This issue affects:

Juniper Networks Junos OS

    21.4 versions prior to 21.4R1-S2, 21.4R2-S1, 21.4R3;
    22.1 versions prior to 22.1R2.

Juniper Networks Junos OS Evolved

    21.4-EVO versions prior to 21.4R1-S2-EVO, 21.4R2-S1-EVO, 21.4R3-EVO;
    22.1-EVO versions prior to 22.1R2-EVO.

This issue does not affect:

Juniper Networks Junos OS versions prior to 21.4R1.

Juniper Networks Junos OS Evolved versions prior to 21.4R1.

To be affected by the issue the device needs to be configured with ISIS L2 and 
L1 (neither disabled) and Segment Routing:

[protocols isis interface <interface>]
[protocols isis source-packet-routing]

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2022-22233.

Solution:

The following software releases have been updated to resolve this specific 
issue:

Junos OS: 21.4R1-S2, 21.4R2-S1, 21.4R3, 22.1R2, 22.2R1 and all subsequent 
releases.

Junos OS Evolved: 21.4R1-S2-EVO, 21.4R2-S1-EVO, 21.4R3-EVO, 22.1R2-EVO, 
22.2R1-EVO and all subsequent releases.

This issue is being tracked as PR 1662559 which is visible on the Customer 
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of 
Engineering (EOE) or End of Life (EOL).
IMPLEMENTATION:

Software Releases, patches and updates are available at 
https://support.juniper.net/support/downloads/.

Workaround:

There are no known workarounds for this issue.

To reduce the risk of exploitation of this issue, use access lists or firewall 
filters to limit access to only trusted networks, hosts and users.

Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common 
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Modification History:
2022-10-12: Initial Publication.
Related Information:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process
    KB16765: In which releases are vulnerabilities fixed?
    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories
    Report a Security Vulnerability - How to Contact the Juniper Networks 
Security Incident Response Team
    CVE-2022-22233 at cve.mitre.org

Last Updated: 2022-10-12
Created:      2022-10-12

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY2oAiskNZI30y1K9AQgLTBAAt/gwYhHE54tA+dqTaELq4tlJH4iTYHSC
4ohai7V041IqNHHnpgbo0uPc2uwk2jxvZsbXxiG6nkjcJleuI317H9BFJcen7vGL
6txvzziBTDvqTrQJVL/h+yHnr20eWLxJ8QM1xNU9tWHtWYGyUxeVOJJ9AB2RJPWG
1XHt49AX9lwxUukYD/koth2mhuTKgYBZ07/r6YwgS6rinIFb8TALj3iSVBGWcH9A
dpGQxsFQlQ/EdtF+Ni2EGzdVoWQ1GSvl1w5G8E8k7n6AUhGduBlI8sUpAD7eP9Dm
rCHGDzHRU544XXCdhynNPUCNW2pdhwBY8uNka4szbUbwZasar6frqnqZOAT68I4U
iXPWyxbvwDrr4ivCQg35jua7mhvcdfKpc3yQ0OGC8he8r2qwyg0+mXznovzU4P4p
WNm5IEzyjXB8nzzg29S6YwZzxlJRxZUY4gUYwfrPB8cFJHnUi5hn1vzg2HZEBtdm
cpzDvy/aSWl3bGr6Hh8Ws8EcaPD3xkrlEg0zwX2hmjEVPoPyT0G5skr+PsVEFUoX
N3f9J2gsBszvf57gAa8VdLOzHA4DPj6ZKrN3yz+i5s3bDKhGaJbPHHLLoCsoCkEz
BIjJuShxQHPrrf5hewli1AYIGVk0Jaoe610/oZ9tr737ei3ESFzcWuGYoz8e3vyc
/TvupdV6j6o=
=RJyS
-----END PGP SIGNATURE-----