
CVE-2023-36849 : Exploit Details and Defense Strategies

Learn about CVE-2023-36849, which affects Junos OS and Junos OS Evolved and causes a Denial of Service (DoS) through an improper check in the Layer-2 control protocols daemon (l2cpd).

An Improper Check or Handling of Exceptional Conditions vulnerability in the Layer-2 control protocols daemon (l2cpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker to cause a Denial of Service (DoS). This vulnerability is only exploitable on interfaces with LLDP enabled.

Understanding CVE-2023-36849

This vulnerability affects Junos OS and Junos OS Evolved: when a malformed LLDP packet is received on an LLDP-enabled interface, the l2cpd crashes, resulting in a DoS condition.

What is CVE-2023-36849?

CVE-2023-36849 allows an unauthenticated attacker on an adjacent network segment to crash the Layer-2 control protocols daemon with a malformed LLDP packet, causing a Denial of Service on affected Juniper Networks products.

The Impact of CVE-2023-36849

Exploitation crashes and restarts the l2cpd, which disrupts the STP protocols and the related services that depend on LLDP state. This can lead to a sustained Denial of Service.

Technical Details of CVE-2023-36849

Vulnerability Description

When a malformed LLDP packet is received, the l2cpd crashes and restarts, disrupting the STP protocols, MVRP and ERP, as well as services such as PoE and VoIP device recognition.

Affected Systems and Versions

        Juniper Networks Junos OS: Versions prior to 21.4R3-S3, 22.1R3-S3, 22.2R2-S1, 22.2R3, 22.3R2
        Juniper Networks Junos OS Evolved: Versions prior to 21.4R3-S2-EVO, 22.1R3-S3-EVO, 22.2R2-S1-EVO, 22.2R3-EVO, 22.3R2-EVO

Exploitation Mechanism

Juniper SIRT has not detected any malicious exploitation of this vulnerability.

Mitigation and Prevention

Immediate Steps to Take

There are no available workarounds for this issue. If LLDP and its services are not required, the vulnerability can be mitigated by disabling LLDP.

Long-Term Security Practices

Ensure that Junos OS and Junos OS Evolved are updated to the following versions or later:

        Junos OS: 21.4R3-S3, 22.1R3-S3, 22.2R2-S1, 22.2R3, 22.3R2, 22.4R1, and subsequent releases.
        Junos OS Evolved: 21.4R3-S2-EVO, 22.1R3-S3-EVO, 22.2R2-S1-EVO, 22.2R3-EVO, 22.3R2-EVO, 22.4R1-EVO, and subsequent releases.
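To check a device inventory against the fixed-release lists above, the following Python script (an added example, not part of this page or of Juniper's own tooling) parses Junos release strings and reports whether each release predates the fix for its product line. It assumes the usual release format `<major>.<minor>R<n>[-S<n>][.<build>][-EVO]`, treats release trains older than the earliest listed fix (21.4) as affected because the advisory says "prior to 21.4R3-S3", and treats trains newer than 22.4 as the "subsequent releases" the page describes as fixed.

```python
import re
from typing import NamedTuple

# Fixed releases as listed in this advisory (JSA71660), one list per product line.
FIXED = {
    "junos": ["21.4R3-S3", "22.1R3-S3", "22.2R2-S1", "22.2R3", "22.3R2", "22.4R1"],
    "evo": ["21.4R3-S2-EVO", "22.1R3-S3-EVO", "22.2R2-S1-EVO", "22.2R3-EVO",
            "22.3R2-EVO", "22.4R1-EVO"],
}

# Junos release strings: <major>.<minor>R<release>[-S<service>][.<build>][-EVO]
_VER = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(-EVO)?$")


class Ver(NamedTuple):
    product: str   # "junos" (Junos OS) or "evo" (Junos OS Evolved)
    train: tuple   # (major, minor), e.g. (22, 2) for 22.2R2-S1
    rel: tuple     # (R, S), e.g. (2, 1) for R2-S1; S is 0 when no -S suffix


def parse(s: str) -> Ver:
    """Parse a Junos release string; the build number is ignored for comparison."""
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {s!r}")
    major, minor, r, svc, evo = m.groups()
    return Ver("evo" if evo else "junos", (int(major), int(minor)), (int(r), int(svc or 0)))


def is_vulnerable(version: str) -> bool:
    """True if the release predates the CVE-2023-36849 fix on its product line."""
    v = parse(version)
    fixed = [parse(f) for f in FIXED[v.product]]
    same_train = [f.rel for f in fixed if f.train == v.train]
    if same_train:
        # Within a listed train, the first fixed release and everything after it is fixed.
        return v.rel < min(same_train)
    # Assumption: trains older than 21.4 are all affected ("prior to 21.4R3-S3");
    # trains newer than 22.4 are "subsequent releases" and therefore fixed.
    return v.train < min(f.train for f in fixed)


def hosts_needing_update(inventory: dict) -> list:
    """Return hostnames whose release is still vulnerable, for a {host: version} map."""
    return sorted(h for h, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {"core-1": "22.2R2.8", "edge-2": "22.2R2-S1.4", "dc-evo-1": "21.4R3-S1-EVO"}
    print("Needs update for CVE-2023-36849:", hosts_needing_update(sample))
```

Devices reported by `hosts_needing_update` should be scheduled for the listed release or later; where LLDP is not needed on an interface, disabling it removes the exposure in the meantime, as the page notes.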

Patching and Updates

Refer to the Juniper Networks advisory JSA71660 for software releases addressing this specific vulnerability.
