A Buffer Over-read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).
When an affected device receives a BGP update with a set of specific optional transitive attributes over an established peering session, rpd will crash and restart when attempting to advertise the received information to another peer.
This issue can only happen if one or both of the BGP peers of the receiving session are non-4-byte-AS capable as determined from the advertised capabilities during BGP session establishment. Junos OS and Junos OS Evolved default behavior is 4-byte-AS capable unless this has been specifically disabled by configuring:
[ protocols bgp ... disable-4byte-as ]
Established BGP sessions can be checked by executing:
show bgp neighbor <IP address> | match "4 byte AS"
This issue affects:
Junos OS:
* all versions before 22.4R3-S8,
* 23.2 versions before 23.2R2-S5,
* 23.4 versions before 23.4R2-S6,
* 24.2 versions before 24.2R2-S2,
* 24.4 versions before 24.4R2;
Junos OS Evolved:
* all versions before 22.4R3-S8-EVO,
* 23.2 versions before 23.2R2-S5-EVO,
* 23.4 versions before 23.4R2-S6-EVO,
* 24.2 versions before 24.2R2-S2-EVO,
* 24.4 versions before 24.4R2-EVO.
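The version list above can be turned into an inventory check. The following is an added example, not code from Juniper or from this advisory; the version-string shape it parses, the function names, and the sample inventory are assumptions, and the fixed-release table is copied from the list above.

```python
import re

# Fixed release (R, S) per train, copied from the advisory's list above.
# Junos OS Evolved uses the same numbers with an -EVO suffix.
FIXED = {
    (22, 4): (3, 8),   # 22.4R3-S8
    (23, 2): (2, 5),   # 23.2R2-S5
    (23, 4): (2, 6),   # 23.4R2-S6
    (24, 2): (2, 2),   # 24.2R2-S2
    (24, 4): (2, 0),   # 24.4R2
}
OLDEST_TRAIN = min(FIXED)  # "all versions before 22.4R3-S8"

# Assumed version shape: YY.N R<n> [-S<m>] [.<build>] [-EVO]
VERSION_RE = re.compile(r"(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(-EVO)?")

def parse(version):
    """Split e.g. '23.4R2-S6.3-EVO' into ((23, 4), (2, 6), True)."""
    m = VERSION_RE.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    major, minor, rel, svc, evo = m.groups()
    return (int(major), int(minor)), (int(rel), int(svc or 0)), evo is not None

def is_affected(version):
    """True or False per the advisory's list; None if the train is not listed."""
    train, level, _evo = parse(version)
    if train < OLDEST_TRAIN:
        return True            # every train older than 22.4 is affected
    if train not in FIXED:
        return None            # e.g. 23.1: the advisory is silent, check manually
    return level < FIXED[train]

def peers_to_review(version, sessions):
    """sessions maps peer IP -> True when both ends negotiated 4-byte AS.
    Returns peers that meet the advisory's precondition on a release that
    is affected or not listed."""
    if is_affected(version) is False:
        return []
    return sorted(ip for ip, four_byte in sessions.items() if not four_byte)

if __name__ == "__main__":
    # Constructed inventory: one legacy peer without 4-byte AS support.
    sessions = {"192.0.2.1": True, "192.0.2.7": False}
    for v in ("22.4R3-S7", "23.4R2-S6.3-EVO", "23.1R1"):
        print(v, is_affected(v), peers_to_review(v, sessions))
```

A result of None means the train does not appear in the advisory's list, so the release has to be checked against the vendor's guidance rather than assumed safe.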
A buffer over-read vulnerability in Juniper Junos OS routing protocol daemon (rpd) allows unauthenticated network attackers to cause denial-of-service by sending specially crafted BGP updates with optional transitive attributes. The vulnerability affects multiple Junos versions and can crash the routing daemon, disrupting network connectivity. This is particularly critical for organizations running non-4-byte-AS capable BGP sessions, which are less common but still present in legacy deployments across Saudi infrastructure.
IMMEDIATE ACTIONS:
1. Verify BGP peer configurations: Execute 'show bgp neighbor <IP> | match "4 byte AS"' on all Junos devices to identify non-4-byte-AS capable sessions
2. Implement BGP input filtering to reject malformed optional transitive attributes at peering points
3. Enable BGP session monitoring and alerting for rpd crashes
PATCHING GUIDANCE:
- Junos OS: Upgrade to 22.4R3-S8, 23.2R2-S5, 23.4R2-S6, 24.2R2-S2, or 24.4R2 (or later)
- Junos OS Evolved: Upgrade to corresponding -EVO versions
- Prioritize devices with non-4-byte-AS BGP sessions
- Schedule maintenance windows to minimize routing disruption
COMPENSATING CONTROLS (if immediate patching unavailable):
- Restrict BGP peering to trusted ASNs only
- Implement strict BGP attribute validation at ingress
- Deploy BGP route filtering policies to drop suspicious optional transitive attributes
- Enable rpd restart monitoring with automatic failover to backup routing devices
- Consider disabling optional transitive attribute processing if operationally feasible
DETECTION:
- Monitor syslog for rpd crashes and restarts: 'rpd[*]: PANIC'
- Alert on BGP session flaps from specific peers
- Baseline normal BGP update patterns and flag anomalies
- Implement NetFlow/sFlow monitoring for traffic loss during incidents
IMMEDIATE ACTIONS:
1. Verify BGP peer configurations: execute 'show bgp neighbor <IP> | match "4 byte AS"' on all Junos devices to identify sessions that are not 4-byte-AS capable
2. Apply BGP input filtering to reject suspicious optional attributes
3. Enable alert monitoring for rpd crashes
PATCHING GUIDANCE:
- Junos OS: Upgrade to 22.4R3-S8, 23.2R2-S5, 23.4R2-S6, 24.2R2-S2, or 24.4R2, or later
- Junos OS Evolved: Upgrade to the corresponding -EVO versions
- Prioritize devices with BGP sessions that are not 4-byte-AS capable
- Schedule maintenance windows to minimize routing disruption
ALTERNATIVE CONTROLS:
- Restrict BGP peering to trusted ASNs only
- Apply strict BGP attribute validation at ingress
- Deploy BGP route filtering policies to drop suspicious attributes
- Enable rpd restart monitoring with automatic failover
- Consider disabling optional attribute processing where possible
DETECTION:
- Monitor logs for rpd crashes: 'rpd[*]: PANIC'
- Alert on BGP session flaps
- Monitor normal BGP update patterns
- Apply NetFlow/sFlow monitoring