CVE-2022-22211 Explained : Impact and Mitigation
Discover the impacts, affected systems, and mitigation steps for CVE-2022-22211, a Junos OS Evolved vulnerability. Learn how to prevent a Denial of Service on Juniper PTX Series.
A limitless resource allocation vulnerability in FPC resources of Juniper Networks Junos OS Evolved on PTX Series allows an unprivileged attacker to cause Denial of Service (DoS). Continuously polling the SNMP jnxCosQstatTable causes the FPC to run out of GUID space, resulting in a Denial of Service to the FPC resources. This issue affects multiple versions of Junos OS Evolved on PTX Series.
Understanding CVE-2022-22211
This CVE involves a vulnerability in Juniper Networks Junos OS Evolved on PTX Series that can lead to a Denial of Service (DoS) attack due to continuous polling of a specific SNMP OID.
What is CVE-2022-22211?
CVE-2022-22211 is a vulnerability in FPC resources of Juniper Networks Junos OS Evolved on PTX Series that allows an attacker to exhaust GUID space through continuous polling of a specific SNMP OID, resulting in a Denial of Service (DoS) condition.
The Impact of CVE-2022-22211
The impact of this vulnerability is the unavailability of FPC resources on affected devices, leading to service disruption and potential network outages.
Technical Details of CVE-2022-22211
Vulnerability Description
The vulnerability allows an unprivileged attacker to exhaust GUID space in FPC resources by continuously polling a specific SNMP OID, causing a Denial of Service to the affected FPC.
Affected Systems and Versions
- Vendor: Juniper Networks
- Product: Junos OS Evolved
- Affected Versions: All versions prior to 20.4R3-S4-EVO; 21.1-EVO version 21.1R1-EVO and later versions; 21.2-EVO version 21.2R1-EVO and later versions; 21.3-EVO versions prior to 21.3R3-EVO; 21.4-EVO versions prior to 21.4R2-EVO; 22.1-EVO versions prior to 22.1R2-EVO
- Platforms: PTX Series
Exploitation Mechanism
The exploitation involves continuously polling the specific SNMP OID, jnxCosQstatTable, leading to exhaustion of GUID space in FPC resources and subsequent Denial of Service.
Mitigation and Prevention
Immediate Steps to Take
To mitigate the CVE-2022-22211 vulnerability, exclude the MIB from being polled and consider implementing additional security measures such as disabling SNMP (if not required), utilizing edge filtering, access control lists, and SNMPv3 authentication.
Long-Term Security Practices
It is recommended to limit access to critical infrastructure networking equipment by configuring access lists or firewall filters to only allow connections from trusted networks, administrators, and hosts.
Patching and Updates
Ensure your systems are updated to the following software releases which address the vulnerability: Junos OS Evolved 20.4R3-S4-EVO, 21.3R3-EVO, 21.4R2-EVO, 22.1R2-EVO, 22.2R1-EVO, and all subsequent releases.
For more details and workaround recommendations, visit the Juniper Networks advisory page for JSA69916.