"value":"An Improper Check for Unusual or Exceptional Conditions vulnerability in the packetIO daemon of Juniper Networks Junos OS Evolved on PTX10003, PTX10004, and PTX10008 allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). Continued receipt of these crafted packets will cause a sustained Denial of Service condition. This issue affects Juniper Networks Junos OS Evolved all versions prior to 20.4R2-S3-EVO on PTX10003, PTX10004, and PTX10008. This issue does not affect: Juniper Networks Junos OS Evolved versions 21.1R1-EVO and above; Juniper Networks Junos OS."
"value":"The following software releases have been updated to resolve this specific issue: 20.4R2-S3-EVO, 20.4R3-EVO.\n"
}
],
"source":{
"advisory":"JSA69505",
"defect":[
"1614171"
],
"discovery":"USER"
},
"work_around":[
{
"lang":"eng",
"value":"One characteristic of this vulnerability is that an FPC restart will only be triggered by a crafted GRE packet which has its' TTL set to 0 or 1 so as a workaround a filter can be implemented that drops such packets:\n\n set firewall family inet filter GREfilter term 1 from protocol gre\n set firewall family inet filter GREfilter term 1 from ttl 0\n set firewall family inet filter GREfilter term 1 then count gre-ttl-0\n set firewall family inet filter GREfilter term 1 then discard\n set firewall family inet filter GREfilter term 2 from protocol gre\n set firewall family inet filter GREfilter term 2 from ttl 1\n set firewall family inet filter GREfilter term 2 then count gre-ttl-1\n set firewall family inet filter GREfilter term 2 then discard\n set firewall family inet filter GREfilter term default then accept\n\nAn equivalent filter for family inet6 is required if IPv6 is configured on at least one interface."
