Security researchers have discovered an Unchecked Return Value to NULL Pointer Dereference vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS. This vulnerability, tracked as CVE-2022-22231, allows unauthenticated, network-based attackers to cause a Denial of Service (DoS) situation. This issue affects Juniper Networks Junos OS 21.4 versions prior to 21.4R1-S2, 21.4R2 on SRX Series devices. Junos OS versions before 21.4R1 are not affected by this vulnerability.

Vulnerable configuration

The vulnerability is encountered when the SRX Series devices have both Unified Threat Management (UTM) Enhanced Content Filtering (CF) and AntiVirus (AV) enabled. In this configuration, if the system processes specific valid transit traffic, the PFE will crash and restart, causing a DoS situation.

Exploit Details

An attacker can exploit this vulnerability by sending specially crafted packets to a vulnerable device. By continuously sending such packets, the attacker can cause the PFE to repeatedly crash and restart, leading to a persistent DoS condition.

The following is a hypothetical code snippet that demonstrates the vulnerability:

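#include <stdio.h>
#include "packet.h"   /* hypothetical header: declares packet_t and get_next_packet() */

/* Returns 0 on success, -1 if the packet pointer is NULL. */
int process_packet(packet_t *pkt) {
    if (!pkt) {
        printf("Error: NULL packet received.\n");
        return -1;
    }

    // Process packet...
    return 0;
}

int main(void) {
    /* The pointer returned by get_next_packet() is used without a NULL check. */
    packet_t *pkt = get_next_packet();

    /* The return value of process_packet function is not checked,
     * leading to a NULL Pointer Dereference vulnerability. */
    process_packet(pkt);

    return 0;
}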

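In this example, main() passes the pointer returned by get_next_packet() to process_packet() without checking whether it is NULL, and then ignores the status that process_packet() returns. Code that carries on as if the call had succeeded can end up working on a NULL packet, and this kind of oversight can lead to a crash in the PFE.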
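As an added illustration (not taken from the advisory and not Junos code), the C program below puts the same unchecked-return pattern beside a hardened form that drops the affected packet instead of crashing. Every name in it, including the two-slot context pool, is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for illustration only; this is not Junos code. */
typedef struct { const uint8_t *data; size_t len; } packet_t;
typedef struct { int has_payload; } scan_ctx_t;
enum { PKT_OK = 0, PKT_DROP_INVALID = -1, PKT_DROP_NO_CTX = -2 };

static scan_ctx_t ctx_pool[2];   /* deliberately tiny so allocation can fail */
static size_t ctx_used;

/* Returns NULL when the pool is exhausted: the value callers must check. */
scan_ctx_t *scan_ctx_alloc(void) {
    if (ctx_used >= sizeof ctx_pool / sizeof ctx_pool[0]) return NULL;
    return &ctx_pool[ctx_used++];
}

/* Unchecked form (CWE-690): uses the result without testing it for NULL. */
int inspect_unchecked(const packet_t *pkt) {
    scan_ctx_t *ctx = scan_ctx_alloc();
    ctx->has_payload = (pkt->len > 0);   /* NULL dereference if the pool is empty */
    return PKT_OK;
}

/* Hardened form: a failed step drops one packet instead of crashing the process. */
int inspect_checked(const packet_t *pkt) {
    if (pkt == NULL || pkt->data == NULL) return PKT_DROP_INVALID;
    scan_ctx_t *ctx = scan_ctx_alloc();
    if (ctx == NULL) return PKT_DROP_NO_CTX;
    ctx->has_payload = (pkt->len > 0);
    return PKT_OK;
}

/* The caller checks the status too and accounts for every dropped packet. */
size_t forward_all(const packet_t *pkts, size_t n, size_t *dropped) {
    *dropped = 0;
    for (size_t i = 0; i < n; i++)
        *dropped += (inspect_checked(&pkts[i]) != PKT_OK);
    return n - *dropped;
}

int main(void) {
    static const uint8_t payload[] = {0x45, 0x00};   /* constructed sample bytes */
    packet_t pkts[3] = {{payload, 2}, {payload, 2}, {payload, 2}};
    size_t dropped;
    size_t ok = forward_all(pkts, 3, &dropped);
    printf("forwarded=%zu dropped=%zu\n", ok, dropped);
    return 0;
}
```

With three packets and a two-slot pool, the third allocation fails; the hardened path reports it as a drop, whereas inspect_unchecked() would write through a NULL pointer at that point.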

Mitigation

Juniper Networks has released a patch for this issue. Users are advised to upgrade to Junos OS 21.4R1-S2 or 21.4R2 to resolve the vulnerability. Additionally, users should assess their configuration to ensure UTM Enhanced Content Filtering and AntiVirus are not unnecessarily enabled together. If both services are required, ensure the updated Junos OS version is in use to prevent exploitation of the vulnerability.

Conclusion

CVE-2022-22231, an Unchecked Return Value to NULL Pointer Dereference vulnerability in Juniper Networks Junos OS, can allow unauthenticated, network-based attackers to cause a DoS situation on SRX Series devices. The vulnerability is exposed when the devices have both UTM Enhanced Content Filtering and AntiVirus enabled. Users are advised to apply the available patch and assess their current configuration to minimize the risk of exploitation.

Timeline

Published on: 10/18/2022 03:15:00 UTC