"TITLE":"Junos OS: MX Series and SRX Series: The flow processing daemon (flowd) will crash if SIP ALG is enabled and a malformed SIP packet is received"
"value":"To be affected the SIP ALG needs to be enabled, either implicitly / by default or by way of configuration.\n\nPlease verify on SRX with:\n\n user@host> show security alg status | match sip\n SIP : Enabled\n\nPlease verify on MX whether the following is configured:\n\n [services ... rule <rule-name> (term <term-name> ) from/match application/application-set <name>]\nwhere either\n a. name = junos-sip\nor an application or application-set refers to SIP:\n b. [applications application <name> application-protocol sip]\nor\n c. [applications application-set <name> application junos-sip]"
"value":"A Buffer Overflow vulnerability in SIP ALG of Juniper Networks Junos OS allows a network-based, unauthenticated attacker to cause a Denial of Service (DoS). On all MX Series and SRX Series platform with SIP ALG enabled, when a malformed SIP packet is received, the flow processing daemon (flowd) will crash and restart. This issue affects: Juniper Networks Junos OS on MX Series and SRX Series 20.4 versions prior to 20.4R3-S5; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S2; 21.3 versions prior to 21.3R3-S1; 21.4 versions prior to 21.4R3; 22.1 versions prior to 22.1R1-S2, 22.1R2; 22.2 versions prior to 22.2R1-S1, 22.2R2. This issue does not affect Juniper Networks Junos OS versions prior to 20.4R1 on SRX Series."
"value":"The following software releases have been updated to resolve this specific issue: 20.4R3-S5, 21.1R3-S4, 21.2R3-S2, 21.3R3-S1, 21.4R3, 22.1R1-S2, 22.1R2, 22.2R1-S1, 22.2R2, 22.3R1, and all subsequent releases.\n"
}
],
"source":{
"advisory":"JSA70212",
"defect":[
"1668830"
],
"discovery":"USER"
},
"work_around":[
{
"lang":"eng",
"value":"There are no known workarounds for this issue, but it should be considered to disable the SIP ALG if it's not strictly needed."
