-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.0155
   JSA11265 - 2022-01 Security Bulletin: Junos OS: SRX Series: Multiple
              vulnerabilities in traffic classification when
        'no-syn-check' is enabled (CVE-2022-22157, CVE-2022-22167)
                              13 January 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
                   Reduced Security    -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22167 CVE-2022-22157 

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11265

- --------------------------BEGIN INCLUDED TEXT--------------------

2022-01 Security Bulletin: Junos OS: SRX Series: Multiple vulnerabilities in traffic classification when 'no-syn-check' is enabled (CVE-2022-22157, CVE-2022-22167)

Article ID  : JSA11265
Last Updated: 12 Jan 2022
Version     : 2.0

Product Affected:

These issues affect Junos OS 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2, 20.3,
20.4, 21.1, 21.2. Affected platforms: SRX Series.

Problem:

Multiple traffic classification vulnerabilities in Juniper Networks Junos OS on
the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep
Packet Inspection (JDPI) rules and access unauthorized networks or resources,
when 'no-syn-check' is enabled on the device. In one case, JDPI incorrectly
classifies out-of-state asymmetric TCP flows as the dynamic-application
INCONCLUSIVE instead of UNKNOWN, which is more permissive. A second issue was
discovered where the dynamic-application classification is not properly
provided to the policy module and hence traffic continues to use the
pre-id-default-policy. In both cases, without the combination of both fixes,
the firewall allows traffic to be forwarded that should have been denied.

These issues only occur when 'set security flow tcp-session no-syn-check' is
configured on the device.

One or more of these issues affect Juniper Networks Junos OS on SRX Series:

  o 18.4 versions prior to 18.4R2-S10, 18.4R3-S10;
  o 19.1 versions prior to 19.1R3-S8;
  o 19.2 versions prior to 19.2R1-S8, 19.2R3-S4;
  o 19.3 versions prior to 19.3R3-S3;
  o 19.4 versions prior to 19.4R3-S5;
  o 20.1 versions prior to 20.1R3-S1;
  o 20.2 versions prior to 20.2R3-S2;
  o 20.3 versions prior to 20.3R3-S1;
  o 20.4 versions prior to 20.4R2-S2, 20.4R3;
  o 21.1 versions prior to 21.1R2-S2, 21.1R3;
  o 21.2 versions prior to 21.2R2.

These issues do not affect Juniper Networks Junos OS versions prior to 18.4R1.

These issues will only be seen when the following configuration is present:

[security flow tcp-session no-syn-check]

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

These issues were seen during production usage.

The following issues have been reported and resolved:

CVE-2022-22157
  CVSS:    7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
  Summary: A traffic classification vulnerability in Juniper Networks Junos
           OS on the SRX Series Services Gateways may allow an attacker to
           bypass Juniper Deep Packet Inspection (JDPI) rules and access
           unauthorized networks or resources, when 'no-syn-check' is
           enabled on the device. JDPI incorrectly classifies out-of-state
           asymmetric TCP flows as the dynamic-application INCONCLUSIVE
           instead of UNKNOWN, which is more permissive, causing the
           firewall to allow traffic to be forwarded that should have been
           denied. This issue only occurs when 'set security flow
           tcp-session no-syn-check' is configured on the device.

CVE-2022-22167
  CVSS:    7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
  Summary: A traffic classification vulnerability in Juniper Networks Junos
           OS on the SRX Series Services Gateways may allow an attacker to
           bypass Juniper Deep Packet Inspection (JDPI) rules and access
           unauthorized networks or resources, when 'no-syn-check' is
           enabled on the device. While JDPI correctly classifies
           out-of-state asymmetric TCP flows as the dynamic-application
           UNKNOWN, this classification is not provided to the policy
           module properly and hence traffic continues to use the
           pre-id-default-policy, which is more permissive, causing the
           firewall to allow traffic to be forwarded that should have been
           denied. This issue only occurs when 'set security flow
           tcp-session no-syn-check' is configured on the device.

Solution:

The following software releases have been updated to resolve both issues: Junos
OS 18.4R2-S10, 18.4R3-S10, 19.1R3-S8, 19.2R1-S8, 19.2R3-S4, 19.3R3-S3,
19.4R3-S5, 20.1R3-S1, 20.2R3-S2, 20.3R3-S1, 20.4R2-S2, 20.4R3, 21.1R2-S2,
21.1R3, 21.2R2, 21.3R1, and all subsequent releases.

Notes:

 1. The original issue was first introduced in Junos OS 18.4R1.
 2. PR 1561533 was resolved in Junos OS 18.4R2-S9, 18.4R3-S9, 19.1R2-S3,
    19.1R3-S6, 19.2R1-S7, 19.2R3-S3, 19.3R2-S6, 19.3R3-S2, 19.4R2-S5,
    19.4R3-S3, 20.1R2-S2, 20.1R3, 20.2R3-S1, 20.3R3, 20.4R2-S1, 20.4R3,
    21.1R1-S1, 21.1R2, 21.2R1
 3. PR 1599053 was resolved in Junos OS 18.4R2-S10, 18.4R3-S10, 19.1R3-S8,
    19.2R1-S8, 19.2R3-S4, 19.3R3-S3, 19.4R3-S5, 20.1R3-S1, 20.2R3-S2,
    20.3R3-S1, 20.4R2-S2, 20.4R3, 21.1R2-S2, 21.1R3, 21.2R2, 21.3R1, 21.4R1

Both PRs are resolved in the releases listed above.

These issues are being tracked as PR 1561533 and PR 1599053.

Workaround:

Either of the following workarounds will mitigate these issues:

 1. Remove 'security flow tcp-session no-syn-check' from the configuration.
 2. Enable AppID cache configuration:
    set services application-identification application-system-cache
    security-services
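The affected-release list, the triggering configuration statement and the two
workarounds above together define a single exposure check that a defender can
run against a fleet of SRX devices. The following script is an added example
and is not Juniper's or AusCERT's code: it parses Junos release strings of the
form "MAJOR.MINORRn-Sm" (an assumption about the format; special builds such
as "X" or "D" releases are rejected), encodes the fixed releases exactly as the
bulletin lists them, and scans 'show configuration | display set' output for
the 'no-syn-check' knob and the AppID-cache workaround. The sample config text
is constructed for the example, and the exact wording of the workaround
statement as rendered by 'display set' is assumed to match the bulletin.

```python
"""Exposure check for JSA11265 (CVE-2022-22157, CVE-2022-22167).

Added example; not Juniper's or AusCERT's code. The release lists are copied
from the bulletin; the version-string parsing and the config line matching are
assumptions made for this example.
"""
import re

# Fixed releases per the bulletin, keyed by release train (major, minor).
# Each entry is (R number, S number); S = 0 denotes the base R release.
FIXED = {
    (18, 4): [(2, 10), (3, 10)],
    (19, 1): [(3, 8)],
    (19, 2): [(1, 8), (3, 4)],
    (19, 3): [(3, 3)],
    (19, 4): [(3, 5)],
    (20, 1): [(3, 1)],
    (20, 2): [(3, 2)],
    (20, 3): [(3, 1)],
    (20, 4): [(2, 2), (3, 0)],
    (21, 1): [(2, 2), (3, 0)],
    (21, 2): [(2, 0)],
}
FIRST_AFFECTED = (18, 4)      # bulletin: releases before 18.4R1 are not affected
FIRST_CLEAN_TRAIN = (21, 3)   # bulletin: 21.3R1 and all subsequent releases are fixed

# Configuration statements quoted in the bulletin (display-set form assumed).
VULN_KNOB = "set security flow tcp-session no-syn-check"
WORKAROUND_KNOB = ("set services application-identification "
                   "application-system-cache security-services")

# Assumed release-string format: e.g. "20.4R2-S1", "20.4R3", "18.4R3-S10".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Parse '20.4R2-S1' into (20, 4, 2, 1) and '20.4R3' into (20, 4, 3, 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Junos release string: %r" % text)
    major, minor, r, s = m.groups()
    return int(major), int(minor), int(r), int(s or 0)


def version_is_fixed(version):
    """True if the release carries both fixes according to the bulletin."""
    major, minor, r, s = parse_version(version)
    train = (major, minor)
    if train < FIRST_AFFECTED or train >= FIRST_CLEAN_TRAIN:
        return True
    fixes = FIXED.get(train)
    if fixes is None:
        raise ValueError("release train %d.%d is not covered by the bulletin" % train)
    # Fixed when on a fixed R branch at or beyond the fixing S release, or on an
    # R branch newer than every fixed one ("and all subsequent releases").
    # An R branch between two listed ones (e.g. 19.2R2) carries neither fix.
    if any(r == rf and s >= sf for rf, sf in fixes):
        return True
    return r > max(rf for rf, _ in fixes)


def parse_set_config(text):
    """Collect 'set ...' statements from 'show configuration | display set' output."""
    return {line.strip() for line in text.splitlines() if line.strip().startswith("set ")}


def assess(version, set_config_text):
    """Describe one device's exposure: affected release AND no-syn-check AND no workaround."""
    config = parse_set_config(set_config_text)
    fixed = version_is_fixed(version)
    has_no_syn_check = VULN_KNOB in config
    has_workaround = WORKAROUND_KNOB in config
    return {
        "version": version,
        "fixed": fixed,
        "no_syn_check": has_no_syn_check,
        "appid_cache_workaround": has_workaround,
        "exposed": (not fixed) and has_no_syn_check and (not has_workaround),
    }


# Constructed sample of 'display set' output (hostname and knobs are made up).
SAMPLE_CONFIG = """\
set system host-name srx-edge-1
set security flow tcp-session no-syn-check
"""

if __name__ == "__main__":
    for release in ("20.4R2-S1", "20.4R2-S2", "19.2R2", "18.3R3"):
        print(assess(release, SAMPLE_CONFIG))
```

Note that a release such as 20.4R2-S1 is reported as exposed even though it
already contains the fix for PR 1561533: the bulletin states that both PRs are
needed, and 20.4R2-S1 predates the 20.4R2-S2 release that resolves PR 1599053.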

Implementation:

Software releases or updates are available for download at
https://support.juniper.net/support/downloads/

Modification History:

2022-01-12: Initial Publication.

CVSS Score:

7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

Severity Level:

High

Severity Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----