CVE-2020-1655: Junos OS: MX Series: PFE crash on MPC7/8/9 upon receipt of large packets requiring fragmentation
First published: Fri Jul 17 2020(Updated: )
When a device running Juniper Networks Junos OS with MPC7, MPC8, or MPC9 line cards installed and the system is configured for inline IP reassembly, used by L2TP, MAP-E, GRE, and IPIP, the packet forwarding engine (PFE) will become disabled upon receipt of large packets requiring fragmentation, generating the following error messages: [LOG: Err] MQSS(0): WO: Packet Error - Error Packets 1, Connection 29 [LOG: Err] eachip_hmcif_rx_intr_handler(7259): EA[0:0]: HMCIF Rx: Injected checksum error detected on WO response - Chunk Address 0x0 [LOG: Err] MQSS(0): DRD: RORD1: CMD reorder ID error - Command 11, Reorder ID 1838, QID 0 [LOG: Err] MQSS(0): DRD: UNROLL0: HMC chunk length error in stage 5 - Chunk Address: 0x4321f3 [LOG: Err] MQSS(0): DRD: UNROLL0: HMC chunk address error in stage 5 - Chunk Address: 0x0 [LOG: Notice] Error: /fpc/8/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc), scope: pfe, category: functional, severity: major, module: MQSS(0), type: DRD_RORD_ENG_INT: CMD FSM State Error [LOG: Notice] Performing action cmalarm for error /fpc/8/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(0) with scope: pfe category: functional level: major [LOG: Notice] Performing action get-state for error /fpc/8/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(0) with scope: pfe category: functional level: major [LOG: Notice] Performing action disable-pfe for error /fpc/8/pfe/0/cm/0/MQSS(0)/0/MQSS_CMERROR_DRD_RORD_ENG_INT_REG_CMD_FSM_STATE_ERR (0x2203cc) in module: MQSS(0) with scope: pfe category: functional level: major By continuously sending fragmented packets that cannot be reassembled, an attacker can repeatedly disable the PFE causing a sustained Denial of Service (DoS). This issue affects Juniper Networks Junos OS: 17.2 versions prior to 17.2R3-S4 on MX Series; 17.3 versions prior to 17.3R3-S8 on MX Series; 17.4 versions prior to 17.4R2-S10, 17.4R3-S2 on MX Series; 18.1 versions prior to 18.1R3-S10 on MX Series; 18.2 versions prior to 18.2R3-S3 on MX Series; 18.2X75 versions prior to 18.2X75-D41, 18.2X75-D430, 18.2X75-D65 on MX Series; 18.3 versions prior to 18.3R1-S7, 18.3R2-S4, 18.3R3-S1 on MX Series; 18.4 versions prior to 18.4R1-S7, 18.4R2-S4, 18.4R3 on MX Series; 19.1 versions prior to 19.1R1-S5, 19.1R2-S1, 19.1R3 on MX Series; 19.2 versions prior to 19.2R1-S4, 19.2R2 on MX Series; 19.3 versions prior to 19.3R2-S2, 19.3R3 on MX Series. This issue is specific to inline IP reassembly, introduced in Junos OS 17.2. Versions of Junos OS prior to 17.2 are unaffected by this vulnerability.
Credit: sirt@juniper.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Juniper Junos | =17.2 | |
| Juniper Junos | =17.2-r1 | |
| Juniper Junos | =17.2-r1-s1 | |
| Juniper Junos | =17.2-r1-s2 | |
| Juniper Junos | =17.2-r1-s3 | |
| Juniper Junos | =17.2-r1-s4 | |
| Juniper Junos | =17.2-r1-s5 | |
| Juniper Junos | =17.2-r1-s7 | |
| Juniper Junos | =17.2-r1-s8 | |
| Juniper Junos | =17.2-r2 | |
| Juniper Junos | =17.2-r2-s11 | |
| Juniper Junos | =17.2-r2-s6 | |
| Juniper Junos | =17.2-r2-s7 | |
| Juniper Junos | =17.2-r3-s1 | |
| Juniper Junos | =17.2-r3-s2 | |
| Juniper Junos | =17.2-r3-s3 | |
| Juniper Junos | =17.3 | |
| Juniper Junos | =17.3-r1-s1 | |
| Juniper Junos | =17.3-r2 | |
| Juniper Junos | =17.3-r2-s1 | |
| Juniper Junos | =17.3-r2-s2 | |
| Juniper Junos | =17.3-r2-s3 | |
| Juniper Junos | =17.3-r2-s4 | |
| Juniper Junos | =17.3-r3 | |
| Juniper Junos | =17.3-r3-s1 | |
| Juniper Junos | =17.3-r3-s2 | |
| Juniper Junos | =17.3-r3-s3 | |
| Juniper Junos | =17.3-r3-s4 | |
| Juniper Junos | =17.3-r3-s7 | |
| Juniper Junos | =17.4 | |
| Juniper Junos | =17.4-r1 | |
| Juniper Junos | =17.4-r1-s1 | |
| Juniper Junos | =17.4-r1-s2 | |
| Juniper Junos | =17.4-r1-s4 | |
| Juniper Junos | =17.4-r1-s5 | |
| Juniper Junos | =17.4-r1-s6 | |
| Juniper Junos | =17.4-r1-s7 | |
| Juniper Junos | =17.4-r2 | |
| Juniper Junos | =17.4-r2-s1 | |
| Juniper Junos | =17.4-r2-s10 | |
| Juniper Junos | =17.4-r2-s2 | |
| Juniper Junos | =17.4-r2-s3 | |
| Juniper Junos | =17.4-r2-s4 | |
| Juniper Junos | =17.4-r2-s5 | |
| Juniper Junos | =17.4-r2-s6 | |
| Juniper Junos | =17.4-r2-s7 | |
| Juniper Junos | =17.4-r2-s8 | |
| Juniper Junos | =17.4-r2-s9 | |
| Juniper Junos | =17.4-r3 | |
| Juniper Junos | =17.4-r3-s1 | |
| Juniper Junos | =18.1 | |
| Juniper Junos | =18.1-r1 | |
| Juniper Junos | =18.1-r2 | |
| Juniper Junos | =18.1-r2-s1 | |
| Juniper Junos | =18.1-r2-s2 | |
| Juniper Junos | =18.1-r2-s4 | |
| Juniper Junos | =18.1-r3 | |
| Juniper Junos | =18.1-r3-s1 | |
| Juniper Junos | =18.1-r3-s2 | |
| Juniper Junos | =18.1-r3-s3 | |
| Juniper Junos | =18.1-r3-s4 | |
| Juniper Junos | =18.1-r3-s6 | |
| Juniper Junos | =18.1-r3-s7 | |
| Juniper Junos | =18.1-r3-s8 | |
| Juniper Junos | =18.1-r3-s9 | |
| Juniper Junos | =18.2 | |
| Juniper Junos | =18.2-r1 | |
| Juniper Junos | =18.2-r1 | |
| Juniper Junos | =18.2-r1-s3 | |
| Juniper Junos | =18.2-r1-s4 | |
| Juniper Junos | =18.2-r1-s5 | |
| Juniper Junos | =18.2-r2 | |
| Juniper Junos | =18.2-r2-s1 | |
| Juniper Junos | =18.2-r2-s2 | |
| Juniper Junos | =18.2-r2-s3 | |
| Juniper Junos | =18.2-r2-s4 | |
| Juniper Junos | =18.2-r2-s5 | |
| Juniper Junos | =18.2-r3 | |
| Juniper Junos | =18.2-r3-s1 | |
| Juniper Junos | =18.2-r3-s2 | |
| Juniper Junos | =18.2x75 | |
| Juniper Junos | =18.2x75-d20 | |
| Juniper Junos | =18.2x75-d30 | |
| Juniper Junos | =18.2x75-d40 | |
| Juniper Junos | =18.3 | |
| Juniper Junos | =18.3-r1 | |
| Juniper Junos | =18.3-r1-s1 | |
| Juniper Junos | =18.3-r1-s2 | |
| Juniper Junos | =18.3-r1-s3 | |
| Juniper Junos | =18.3-r1-s5 | |
| Juniper Junos | =18.3-r1-s6 | |
| Juniper Junos | =18.3-r2 | |
| Juniper Junos | =18.3-r2-s1 | |
| Juniper Junos | =18.3-r2-s2 | |
| Juniper Junos | =18.3-r2-s3 | |
| Juniper Junos | =18.3-r3 | |
| Juniper Junos | =18.4 | |
| Juniper Junos | =18.4-r1 | |
| Juniper Junos | =18.4-r1-s1 | |
| Juniper Junos | =18.4-r1-s2 | |
| Juniper Junos | =18.4-r1-s5 | |
| Juniper Junos | =18.4-r1-s6 | |
| Juniper Junos | =18.4-r2 | |
| Juniper Junos | =18.4-r2-s1 | |
| Juniper Junos | =18.4-r2-s2 | |
| Juniper Junos | =18.4-r2-s3 | |
| Juniper Junos | =19.1 | |
| Juniper Junos | =19.1-r1 | |
| Juniper Junos | =19.1-r1-s1 | |
| Juniper Junos | =19.1-r1-s2 | |
| Juniper Junos | =19.1-r1-s3 | |
| Juniper Junos | =19.1-r1-s4 | |
| Juniper Junos | =19.1-r2 | |
| Juniper Junos | =19.2 | |
| Juniper Junos | =19.2-r1 | |
| Juniper Junos | =19.2-r1-s1 | |
| Juniper Junos | =19.2-r1-s2 | |
| Juniper Junos | =19.2-r1-s3 | |
| Juniper Junos | =19.3 | |
| Juniper Junos | =19.3-r1 | |
| Juniper Junos | =19.3-r1-s1 | |
| Juniper Junos | =19.3-r2 | |
| Juniper Junos | =19.3-r2-s1 | |
| Juniper MX10 | ||
| juniper mx10000 | ||
| Juniper MX10003 | ||
| Juniper MX104 | ||
| Juniper MX150 | ||
| Juniper MX2008 | ||
| Juniper MX2010 | ||
| Juniper MX2020 | ||
| Juniper MX204 | ||
| Juniper MX240 | ||
| Juniper MX40 | ||
| Juniper MX480 | ||
| Juniper MX5 | ||
| Juniper MX80 | ||
| Juniper MX960 |
Remedy
The following software releases have been updated to resolve this specific issue: Junos OS 17.2R3-S4, 17.3R3-S8, 17.4R2-S10, 17.4R3-S2, 18.1R3-S10, 18.2R3-S3, 18.2X75-D41, 18.2X75-D430, 18.2X75-D65, 18.3R1-S7, 18.3R2-S4, 18.3R3-S1, 18.4R1-S7, 18.4R2-S4, 18.4R3, 19.1R1-S5, 19.1R2-S1, 19.1R3, 19.2R1-S4, 19.2R2, 19.3R2-S2, 19.3R3, 19.4R1, 19.4R2, 20.1R1, and all subsequent releases.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2020-1655?
CVE-2020-1655 is classified as high severity due to its potential to disable the packet forwarding engine upon receiving large packets.
How do I fix CVE-2020-1655?
To fix CVE-2020-1655, upgrade to a version of Junos OS that is not affected by this vulnerability, specifically versions newer than those specified in the advisory.
Which versions of Junos OS are affected by CVE-2020-1655?
CVE-2020-1655 affects Junos OS versions 17.2, 17.3, 17.4, and 18.1 as well as their specific revisions.
Who is affected by CVE-2020-1655?
Anyone using Juniper Networks Junos OS with specific MPC line cards configured for inline IP reassembly is potentially affected by CVE-2020-1655.
Can CVE-2020-1655 impact network availability?
Yes, CVE-2020-1655 can severely impact network availability by causing the packet forwarding engine to become disabled.
- agent/references
- agent/type
- agent/softwarecombine
- agent/title
- agent/author
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/remedy
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/juniper
- canonical/juniper junos
- version/juniper junos/17.2
- version/juniper junos/17.2-r1
- version/juniper junos/17.2-r1-s1
- version/juniper junos/17.2-r1-s2
- version/juniper junos/17.2-r1-s3
- version/juniper junos/17.2-r1-s4
- version/juniper junos/17.2-r1-s5
- version/juniper junos/17.2-r1-s7
- version/juniper junos/17.2-r1-s8
- version/juniper junos/17.2-r2
- version/juniper junos/17.2-r2-s11
- version/juniper junos/17.2-r2-s6
- version/juniper junos/17.2-r2-s7
- version/juniper junos/17.2-r3-s1
- version/juniper junos/17.2-r3-s2
- version/juniper junos/17.2-r3-s3
- version/juniper junos/17.3
- version/juniper junos/17.3-r1-s1
- version/juniper junos/17.3-r2
- version/juniper junos/17.3-r2-s1
- version/juniper junos/17.3-r2-s2
- version/juniper junos/17.3-r2-s3
- version/juniper junos/17.3-r2-s4
- version/juniper junos/17.3-r3
- version/juniper junos/17.3-r3-s1
- version/juniper junos/17.3-r3-s2
- version/juniper junos/17.3-r3-s3
- version/juniper junos/17.3-r3-s4
- version/juniper junos/17.3-r3-s7
- version/juniper junos/17.4
- version/juniper junos/17.4-r1
- version/juniper junos/17.4-r1-s1
- version/juniper junos/17.4-r1-s2
- version/juniper junos/17.4-r1-s4
- version/juniper junos/17.4-r1-s5
- version/juniper junos/17.4-r1-s6
- version/juniper junos/17.4-r1-s7
- version/juniper junos/17.4-r2
- version/juniper junos/17.4-r2-s1
- version/juniper junos/17.4-r2-s10
- version/juniper junos/17.4-r2-s2
- version/juniper junos/17.4-r2-s3
- version/juniper junos/17.4-r2-s4
- version/juniper junos/17.4-r2-s5
- version/juniper junos/17.4-r2-s6
- version/juniper junos/17.4-r2-s7
- version/juniper junos/17.4-r2-s8
- version/juniper junos/17.4-r2-s9
- version/juniper junos/17.4-r3
- version/juniper junos/17.4-r3-s1
- version/juniper junos/18.1
- version/juniper junos/18.1-r1
- version/juniper junos/18.1-r2
- version/juniper junos/18.1-r2-s1
- version/juniper junos/18.1-r2-s2
- version/juniper junos/18.1-r2-s4
- version/juniper junos/18.1-r3
- version/juniper junos/18.1-r3-s1
- version/juniper junos/18.1-r3-s2
- version/juniper junos/18.1-r3-s3
- version/juniper junos/18.1-r3-s4
- version/juniper junos/18.1-r3-s6
- version/juniper junos/18.1-r3-s7
- version/juniper junos/18.1-r3-s8
- version/juniper junos/18.1-r3-s9
- version/juniper junos/18.2
- version/juniper junos/18.2-r1
- version/juniper junos/18.2-r1-s3
- version/juniper junos/18.2-r1-s4
- version/juniper junos/18.2-r1-s5
- version/juniper junos/18.2-r2
- version/juniper junos/18.2-r2-s1
- version/juniper junos/18.2-r2-s2
- version/juniper junos/18.2-r2-s3
- version/juniper junos/18.2-r2-s4
- version/juniper junos/18.2-r2-s5
- version/juniper junos/18.2-r3
- version/juniper junos/18.2-r3-s1
- version/juniper junos/18.2-r3-s2
- version/juniper junos/18.2x75
- version/juniper junos/18.2x75-d20
- version/juniper junos/18.2x75-d30
- version/juniper junos/18.2x75-d40
- version/juniper junos/18.3
- version/juniper junos/18.3-r1
- version/juniper junos/18.3-r1-s1
- version/juniper junos/18.3-r1-s2
- version/juniper junos/18.3-r1-s3
- version/juniper junos/18.3-r1-s5
- version/juniper junos/18.3-r1-s6
- version/juniper junos/18.3-r2
- version/juniper junos/18.3-r2-s1
- version/juniper junos/18.3-r2-s2
- version/juniper junos/18.3-r2-s3
- version/juniper junos/18.3-r3
- version/juniper junos/18.4
- version/juniper junos/18.4-r1
- version/juniper junos/18.4-r1-s1
- version/juniper junos/18.4-r1-s2
- version/juniper junos/18.4-r1-s5
- version/juniper junos/18.4-r1-s6
- version/juniper junos/18.4-r2
- version/juniper junos/18.4-r2-s1
- version/juniper junos/18.4-r2-s2
- version/juniper junos/18.4-r2-s3
- version/juniper junos/19.1
- version/juniper junos/19.1-r1
- version/juniper junos/19.1-r1-s1
- version/juniper junos/19.1-r1-s2
- version/juniper junos/19.1-r1-s3
- version/juniper junos/19.1-r1-s4
- version/juniper junos/19.1-r2
- version/juniper junos/19.2
- version/juniper junos/19.2-r1
- version/juniper junos/19.2-r1-s1
- version/juniper junos/19.2-r1-s2
- version/juniper junos/19.2-r1-s3
- version/juniper junos/19.3
- version/juniper junos/19.3-r1
- version/juniper junos/19.3-r1-s1
- version/juniper junos/19.3-r2
- version/juniper junos/19.3-r2-s1
- canonical/juniper mx10
- canonical/juniper mx10000
- canonical/juniper mx10003
- canonical/juniper mx104
- canonical/juniper mx150
- canonical/juniper mx2008
- canonical/juniper mx2010
- canonical/juniper mx2020
- canonical/juniper mx204
- canonical/juniper mx240
- canonical/juniper mx40
- canonical/juniper mx480
- canonical/juniper mx5
- canonical/juniper mx80
- canonical/juniper mx960