cvelist/2023/22xxx/CVE-2023-22404.json

{
"CVE_data_meta": {
"ASSIGNER": "sirt@juniper.net",
"DATE_PUBLIC": "2023-01-11T17:00:00.000Z",
"ID": "CVE-2023-22404",
"STATE": "PUBLIC",
"TITLE": "Junos OS: SRX Series and MX Series with SPC3: When IPsec VPN is configured iked will core when a specifically formatted payload is received"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Junos OS",
"version": {
"version_data": [
{
"platform": "SRX Series MX Series with SPC3",
"version_affected": "<",
"version_value": "19.3R3-S7"
},
{
"platform": "SRX Series MX Series with SPC3",
"version_affected": "<",
"version_name": "19.4",
"version_value": "19.4R3-S9"
},
{
"platform": "SRX Series MX Series with SPC3",
"version_affected": "<",
"version_name": "20.2",
"version_value": "20.2R3-S5"
},
{
"platform": "SRX Series MX Series with SPC3",
"version_affected": "<",
"version_name": "20.3",
"version_value": "20.3R3-S5"
},
{
"platform": "SRX Series MX Series with SPC3",
"version_affected": "<",
"version_name": "20.4",
"version_value": "20.4R3-S4"
},
{
"platform": "SRX Series MX Series with SPC3",
"version_affected": "<",
"version_name": "21.1",
"version_value": "21.1R3-S3"
},
{
"platform": "SRX Series MX Series with SPC3",
"version_affected": "<",
"version_name": "21.2",
"version_value": "21.2R3-S2"
},
{
"platform": "SRX Series MX Series with SPC3",
"version_affected": "<",
"version_name": "21.3",
"version_value": "21.3R3-S1"
},
{
"platform": "SRX Series MX Series with SPC3",
"version_affected": "<",
"version_name": "21.4",
"version_value": "21.4R2-S1, 21.4R3"
},
{
"platform": "SRX Series MX Series with SPC3",
"version_affected": "<",
"version_name": "22.1",
"version_value": "22.1R1-S2, 22.1R2"
}
]
}
}
]
},
"vendor_name": "Juniper Networks"
}
]
}
},
"configuration": [
{
"lang": "eng",
"value": "To be affected by this issue, the IPsec VPN configuration needs to be present, similar to the following example:\n\n [ security ike proposal <ike-proposal> ... ]\n [ security ike policy <ike-policy> ... ] \n [ security ike gateway <gateway-name> ... ]\n [ security ipsec proposal <ipsec-proposal> ... ]\n [ security ipsec policy <ipsec-policy> ... ]\n [ security ipsec vpn <vpn-name> ike gateway <gateway-name> ]\n [ security ipsec vpn <vpn-name> ike ipsec-policy <ipsec-policy> ]\n [ security ipsec vpn <vpn-name> bind-interface <interface> ]\n\nand the system needs to run iked (vs. kmd which is not affected), which can be verified with:\n\n show system processes extensive | match \"KMD|IKED\""
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An Out-of-bounds Write vulnerability in the Internet Key Exchange Protocol daemon (iked) of Juniper Networks Junos OS on SRX series and MX with SPC3 allows an authenticated, network-based attacker to cause a Denial of Service (DoS). iked will crash and restart, and the tunnel will not come up when a peer sends a specifically formatted payload during the negotiation. This will impact other IKE negotiations happening at the same time. Continued receipt of this specifically formatted payload will lead to continuous crashing of iked and thereby the inability for any IKE negotiations to take place. Note that this payload is only processed after the authentication has successfully completed. So the issue can only be exploited by an attacker who can successfully authenticate. This issue affects Juniper Networks Junos OS on SRX Series, and MX Series with SPC3: All versions prior to 19.3R3-S7; 19.4 versions prior to 19.4R3-S9; 20.2 versions prior to 20.2R3-S5; 20.3 versions prior to 20.3R3-S5; 20.4 versions prior to 20.4R3-S4; 21.1 versions prior to 21.1R3-S3; 21.2 versions prior to 21.2R3-S2; 21.3 versions prior to 21.3R3-S1; 21.4 versions prior to 21.4R2-S1, 21.4R3; 22.1 versions prior to 22.1R1-S2, 22.1R2."
}
]
},
"exploit": [
{
"lang": "eng",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-787 Out-of-bounds Write"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (DoS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.juniper.net/JSA70200",
"refsource": "CONFIRM",
"url": "https://kb.juniper.net/JSA70200"
}
]
},
"solution": [
{
"lang": "eng",
"value": "The following software releases have been updated to resolve this specific issue: 19.3R3-S7, 19.4R3-S9, 20.2R3-S5, 20.3R3-S5, 20.4R3-S4, 21.1R3-S3, 21.2R3-S2, 21.3R3-S1, 21.4R2-S1, 21.4R3, 22.1R1-S2, 22.1R2, 22.2R1, and all subsequent releases."
}
],
"source": {
"advisory": "JSA70200",
"defect": [
"1665150"
],
"discovery": "USER"
},
"work_around": [
{
"lang": "eng",
"value": "There are no known workarounds for this issue."
}
]
}