Critical vulnerability in Junos OS

Networking vendor Juniper Networks has addressed a critical vulnerability in Junos OS, tracked as CVE-2021-0254, that could allow a remote attacker to take control of or disrupt affected devices.

The issue affects Junos OS 15.1X49, 15.1, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2, and 20.3 releases that predate the fixed versions listed below. Juniper SIRT states that it is not aware of any malicious exploitation of this vulnerability.

The flaw was found by Nguyen Hoang Thach, a researcher with Singapore-based cybersecurity organization STAR Labs.

“A buffer size validation vulnerability in the overlayd service of Juniper Networks Junos OS may allow an unauthenticated remote attacker to send specially crafted packets to the device, triggering a partial Denial of Service (DoS) condition, or leading to remote code execution (RCE). Continued receipt and processing of these packets will sustain the partial DoS,” reads the security advisory published by the company.

The overlayd daemon handles Overlay OAM packets, such as ping and traceroute, sent to the overlay network. The service runs as root by default and listens on UDP port 4789, the standard VXLAN port, so it is reachable by anything that can send UDP datagrams to the device.

This issue results from improper buffer size validation, which can lead to a buffer overflow.

A remote, unauthenticated attacker can exploit the flaw by sending specially crafted packets to a vulnerable device, either to execute arbitrary code on it or to trigger a DoS condition. Because overlayd runs as root, any code execution obtained this way runs with root privileges.

An attacker could trigger the flaw to install a backdoor on a vulnerable device or to change its configuration.

The overlayd service runs by default on MX Series, ACX Series, and QFX Series platforms. Other platforms are also vulnerable if a Virtual Extensible LAN (VXLAN) overlay network is configured.
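Before patching, it is worth confirming whether a given device actually exposes overlayd. The following Junos operational-mode checks are an added example, not part of the article or the Juniper advisory; the pipe filters are illustrative and output formats vary by platform and release.

```junos
# Added example (not from the Juniper advisory): confirm exposure to CVE-2021-0254.
# Run from operational mode on the device being assessed.

# 1. Which release is installed? Compare it against the fixed releases.
show version | match "Junos:"

# 2. Is the overlayd process running? On MX, ACX and QFX it runs by default.
show system processes extensive | match overlayd

# 3. Is the listening socket open? overlayd binds UDP 4789, the VXLAN port.
show system connections | match 4789

# 4. Is a VXLAN overlay configured, or has the daemon already been disabled?
#    Other platforms are exposed only when a VXLAN overlay is configured.
show configuration | display set | match "vxlan|overlay-ping-traceroute"
```

A device is exposed when its release predates the fixed version for its train and step 2 or step 3 shows overlayd present; step 4 tells you whether the VXLAN configuration explains that on a platform where the daemon is not on by default.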

Solution

The following software releases have been updated to resolve this specific issue:

Junos OS 15.1X49-D240, 15.1R7-S9, 17.3R3-S11, 17.4R2-S13, 17.4R3-S4, 18.1R3-S12, 18.2R2-S8, 18.2R3-S7, 18.3R3-S4, 18.4R1-S8, 18.4R2-S7, 18.4R3-S7, 19.1R2-S2, 19.1R3-S4, 19.2R1-S6, 19.2R3-S2, 19.3R3-S1, 19.4R2-S4, 19.4R3-S1, 20.1R2-S1, 20.1R3, 20.2R2, 20.2R2-S1, 20.2R3, 20.3R1-S1, 20.4R1, and all subsequent releases.

Two Methods to Mitigate This Issue

  • Limit the exploitable attack surface of critical infrastructure networking equipment by using access lists or firewall filters to limit access to the device via UDP only from trusted, administrative networks or hosts.
  • Disable Overlay OAM packet processing via the configuration command ‘set system processes overlay-ping-traceroute disable’. Note that this also removes the overlay ping and traceroute functions that overlayd provides until the device can be patched.
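The following Junos configuration shows both workarounds applied in practice. It is an added example and not taken from the Juniper advisory or the article: the filter, term, counter and prefix-list names and the 192.0.2.0/24 address range are placeholders to be replaced with the addresses of your own VTEPs and administrative hosts.

```junos
# Added example, not from the Juniper advisory. Names and addresses are placeholders.

# Method 1: accept UDP/4789 only from known VTEP and administrative sources and
# discard it from everywhere else. The filter is applied to lo0, so it governs
# traffic addressed to the device itself, which is how Overlay OAM packets
# reach overlayd. Every legitimate VTEP must be in the prefix list, otherwise
# overlay ping and traceroute from that peer stop working.
set policy-options prefix-list TRUSTED-VTEPS 192.0.2.0/24

set firewall family inet filter PROTECT-OVERLAYD term vxlan-trusted from source-prefix-list TRUSTED-VTEPS
set firewall family inet filter PROTECT-OVERLAYD term vxlan-trusted from protocol udp
set firewall family inet filter PROTECT-OVERLAYD term vxlan-trusted from destination-port 4789
set firewall family inet filter PROTECT-OVERLAYD term vxlan-trusted then accept

# Count and log what is dropped so probing from untrusted sources is visible.
set firewall family inet filter PROTECT-OVERLAYD term vxlan-untrusted from protocol udp
set firewall family inet filter PROTECT-OVERLAYD term vxlan-untrusted from destination-port 4789
set firewall family inet filter PROTECT-OVERLAYD term vxlan-untrusted then count untrusted-vxlan-drops
set firewall family inet filter PROTECT-OVERLAYD term vxlan-untrusted then log
set firewall family inet filter PROTECT-OVERLAYD term vxlan-untrusted then discard

# Everything that is not UDP/4789 is left alone by this filter. Without this
# final term the implicit discard at the end of the filter would drop all other
# traffic to the routing engine, including the management session you are on.
set firewall family inet filter PROTECT-OVERLAYD term everything-else then accept

# If lo0 already carries a protection filter, add the two VXLAN terms to that
# filter (or use input-list) rather than replacing it with this one.
set interfaces lo0 unit 0 family inet filter input PROTECT-OVERLAYD

# Method 2 (alternative): stop processing Overlay OAM packets altogether.
# This also removes overlay ping and traceroute until the device is patched.
set system processes overlay-ping-traceroute disable

# Commit with an automatic rollback so a mistake in the filter cannot lock you
# out, then confirm once the management session is still reachable.
commit confirmed 5
commit
```

After the commit, `show firewall filter PROTECT-OVERLAYD` shows the untrusted-vxlan-drops counter and `show firewall log` shows the logged sources, which is a quick way to see whether anyone outside the prefix list is reaching UDP 4789. If the VXLAN underlay runs over IPv6, a matching `family inet6` filter is needed as well; this example covers IPv4 only.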

Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.