CVE-2021-0207: NFX250, NFX350, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series: Certain genuine traffic received by the Junos OS device will be discarded instead of forwarded.
First published: Fri Jan 15 2021(Updated: )
An improper interpretation conflict of certain data between certain software components within the Juniper Networks Junos OS devices does not allow certain traffic to pass through the device upon receipt from an ingress interface filtering certain specific types of traffic which is then being redirected to an egress interface on a different VLAN. This causes a Denial of Service (DoS) to those clients sending these particular types of traffic. Such traffic being sent by a client may appear genuine, but is non-standard in nature and should be considered as potentially malicious, and can be targeted to the device, or destined through it for the issue to occur. This issues affects IPv4 and IPv6 traffic. An indicator of compromise may be found by checking log files. You may find that traffic on the input interface has 100% of traffic flowing into the device, yet the egress interface shows 0 pps leaving the device. For example: [show interfaces "interface" statistics detail] Output between two interfaces would reveal something similar to: Ingress, first interface: -------------------- Interface Link Input packets (pps) Output packets (pps) et-0/0/0 Up 9999999999 (9999) 1 (0) -------------------- Egress, second interface: -------------------- Interface Link Input packets (pps) Output packets (pps) et-0/0/1 Up 0 (0) 9999999999 (0) -------------------- Dropped packets will not show up in DDoS monitoring/protection counters as issue is not caused by anti-DDoS protection mechanisms. This issue affects: Juniper Networks Junos OS: 17.3 versions prior to 17.3R3-S7 on NFX250, QFX5K Series, EX4600; 17.4 versions prior to 17.4R2-S11, 17.4R3-S3 on NFX250, QFX5K Series, EX4600; 18.1 versions prior to 18.1R3-S9 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4600; 18.2 versions prior to 18.2R3-S3 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600; 18.3 versions prior to 18.3R3-S1 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series; 18.4 versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series; 19.1 versions prior to 19.1R1-S5, 19.1R2-S1, 19.1R3 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series; 19.2 versions prior to 19.2R1-S5, 19.2R2 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series; 19.3 versions prior to 19.3R2-S3, 19.3R3 on NFX250, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series; 19.4 versions prior to 19.4R1-S2, 19.4R2 on NFX250, NFX350, QFX5K Series, EX2300 Series, EX3400 Series, EX4300 Multigigabit, EX4600 Series. This issue does not affect Junos OS releases prior to 17.2R2.
Credit: sirt@juniper.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Juniper Junos | =17.3 | |
| Juniper Junos | =17.3-r1-s1 | |
| Juniper Junos | =17.3-r2 | |
| Juniper Junos | =17.3-r2-s1 | |
| Juniper Junos | =17.3-r2-s2 | |
| Juniper Junos | =17.3-r2-s3 | |
| Juniper Junos | =17.3-r2-s4 | |
| Juniper Junos | =17.3-r2-s5 | |
| Juniper Junos | =17.3-r3 | |
| Juniper Junos | =17.3-r3-s1 | |
| Juniper Junos | =17.3-r3-s2 | |
| Juniper Junos | =17.3-r3-s3 | |
| Juniper Junos | =17.3-r3-s4 | |
| Juniper Junos | =17.3-r3-s5 | |
| Juniper Junos | =17.3-r3-s6 | |
| Juniper Junos | =17.4 | |
| Juniper Junos | =17.4-r1 | |
| Juniper Junos | =17.4-r1-s1 | |
| Juniper Junos | =17.4-r1-s2 | |
| Juniper Junos | =17.4-r1-s4 | |
| Juniper Junos | =17.4-r1-s5 | |
| Juniper Junos | =17.4-r1-s6 | |
| Juniper Junos | =17.4-r1-s7 | |
| Juniper Junos | =17.4-r2 | |
| Juniper Junos | =17.4-r2-s1 | |
| Juniper Junos | =17.4-r2-s10 | |
| Juniper Junos | =17.4-r2-s2 | |
| Juniper Junos | =17.4-r2-s3 | |
| Juniper Junos | =17.4-r2-s4 | |
| Juniper Junos | =17.4-r2-s5 | |
| Juniper Junos | =17.4-r2-s6 | |
| Juniper Junos | =17.4-r2-s7 | |
| Juniper Junos | =17.4-r2-s8 | |
| Juniper Junos | =17.4-r2-s9 | |
| Juniper Junos | =17.4-r3 | |
| Juniper Junos | =17.4-r3-s1 | |
| Juniper Junos | =17.4-r3-s2 | |
| Juniper EX4600 | ||
| Juniper NFX | ||
| Juniper QFX5100 | ||
| Juniper QFX5110 | ||
| Juniper QFX5120 | ||
| Juniper QFX5130 | ||
| Juniper QFX5200-48Y | ||
| Juniper QFX5210-64C | ||
| Juniper QFX5220 | ||
| Juniper Junos | =18.1 | |
| Juniper Junos | =18.1-r1 | |
| Juniper Junos | =18.1-r2 | |
| Juniper Junos | =18.1-r2-s1 | |
| Juniper Junos | =18.1-r2-s2 | |
| Juniper Junos | =18.1-r2-s4 | |
| Juniper Junos | =18.1-r3 | |
| Juniper Junos | =18.1-r3-s1 | |
| Juniper Junos | =18.1-r3-s2 | |
| Juniper Junos | =18.1-r3-s3 | |
| Juniper Junos | =18.1-r3-s4 | |
| Juniper Junos | =18.1-r3-s6 | |
| Juniper Junos | =18.1-r3-s7 | |
| Juniper Junos | =18.1-r3-s8 | |
| Juniper EX2300-24T | ||
| Juniper EX3400 | ||
| Juniper Junos | =18.2 | |
| Juniper Junos | =18.2-r1 | |
| Juniper Junos | =18.2-r1 | |
| Juniper Junos | =18.2-r1-s3 | |
| Juniper Junos | =18.2-r1-s4 | |
| Juniper Junos | =18.2-r1-s5 | |
| Juniper Junos | =18.2-r2 | |
| Juniper Junos | =18.2-r2-s1 | |
| Juniper Junos | =18.2-r2-s2 | |
| Juniper Junos | =18.2-r2-s3 | |
| Juniper Junos | =18.2-r2-s4 | |
| Juniper Junos | =18.2-r2-s5 | |
| Juniper Junos | =18.2-r2-s6 | |
| Juniper Junos | =18.2-r3 | |
| Juniper Junos | =18.2-r3-s1 | |
| Juniper Junos | =18.2-r3-s2 | |
| Juniper Junos | =18.3 | |
| Juniper Junos | =18.3-r1 | |
| Juniper Junos | =18.3-r1-s1 | |
| Juniper Junos | =18.3-r1-s2 | |
| Juniper Junos | =18.3-r1-s3 | |
| Juniper Junos | =18.3-r1-s5 | |
| Juniper Junos | =18.3-r1-s6 | |
| Juniper Junos | =18.3-r2 | |
| Juniper Junos | =18.3-r2-s1 | |
| Juniper Junos | =18.3-r2-s2 | |
| Juniper Junos | =18.3-r2-s3 | |
| Juniper Junos | =18.3-r2-s4 | |
| Juniper Junos | =18.3-r3 | |
| Juniper Junos | =18.4 | |
| Juniper Junos | =18.4-r1 | |
| Juniper Junos | =18.4-r1-s1 | |
| Juniper Junos | =18.4-r1-s2 | |
| Juniper Junos | =18.4-r1-s3 | |
| Juniper Junos | =18.4-r1-s4 | |
| Juniper Junos | =18.4-r2 | |
| Juniper Junos | =18.4-r2-s1 | |
| Juniper Junos | =18.4-r2-s2 | |
| Juniper Junos | =19.1 | |
| Juniper Junos | =19.1-r1 | |
| Juniper Junos | =19.1-r1-s1 | |
| Juniper Junos | =19.1-r1-s2 | |
| Juniper Junos | =19.1-r1-s3 | |
| Juniper Junos | =19.1-r1-s4 | |
| Juniper Junos | =19.1-r2 | |
| Juniper Junos | =19.2 | |
| Juniper Junos | =19.2-r1 | |
| Juniper Junos | =19.2-r1-s1 | |
| Juniper Junos | =19.2-r1-s2 | |
| Juniper Junos | =19.2-r1-s3 | |
| Juniper Junos | =19.2-r1-s4 | |
| Juniper Junos | =19.3 | |
| Juniper Junos | =19.3-r1 | |
| Juniper Junos | =19.3-r1-s1 | |
| Juniper Junos | =19.3-r2 | |
| Juniper Junos | =19.3-r2-s1 | |
| Juniper Junos | =19.3-r2-s2 | |
| Juniper EX4300-24T | ||
| Juniper Junos | =19.4-r1 | |
| Juniper Junos | =19.4-r1-s1 | |
| Juniper NFX Series |
Remedy
The following software releases have been updated to resolve this specific issue: 17.3R3-S7, 17.4R2-S11, 17.4R3-S3, 18.1R3-S9, 18.2R3-S3, 18.3R3-S1, 18.4R1-S5, 18.4R2-S3, 18.4R3, 19.1R1-S5, 19.1R2-S1, 19.1R3, 19.2R1-S5, 19.2R2, 19.3R2-S3, 19.3R3, 19.4R1-S2, 19.4R2, 20.1R1 and all subsequent releases.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-0207?
CVE-2021-0207 has been classified with a severity rating that may vary depending on specific devices and configurations within the Juniper Networks Junos OS.
How do I fix CVE-2021-0207?
To address CVE-2021-0207, it is recommended to upgrade to a fixed version of Junos OS as provided by Juniper Networks.
What versions of Junos OS are affected by CVE-2021-0207?
CVE-2021-0207 affects multiple versions of Junos OS including 17.3, 17.4, and various builds of 18.x and 19.x.
Is CVE-2021-0207 being actively exploited?
As of current data, there is no public evidence indicating that CVE-2021-0207 is being actively exploited in the wild.
What types of devices are impacted by CVE-2021-0207?
CVE-2021-0207 impacts certain Juniper Networks devices running specific versions of Junos OS, including routers and switches.
- agent/type
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/title
- agent/remedy
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/juniper
- canonical/juniper junos
- version/juniper junos/17.3
- version/juniper junos/17.3-r1-s1
- version/juniper junos/17.3-r2
- version/juniper junos/17.3-r2-s1
- version/juniper junos/17.3-r2-s2
- version/juniper junos/17.3-r2-s3
- version/juniper junos/17.3-r2-s4
- version/juniper junos/17.3-r2-s5
- version/juniper junos/17.3-r3
- version/juniper junos/17.3-r3-s1
- version/juniper junos/17.3-r3-s2
- version/juniper junos/17.3-r3-s3
- version/juniper junos/17.3-r3-s4
- version/juniper junos/17.3-r3-s5
- version/juniper junos/17.3-r3-s6
- version/juniper junos/17.4
- version/juniper junos/17.4-r1
- version/juniper junos/17.4-r1-s1
- version/juniper junos/17.4-r1-s2
- version/juniper junos/17.4-r1-s4
- version/juniper junos/17.4-r1-s5
- version/juniper junos/17.4-r1-s6
- version/juniper junos/17.4-r1-s7
- version/juniper junos/17.4-r2
- version/juniper junos/17.4-r2-s1
- version/juniper junos/17.4-r2-s10
- version/juniper junos/17.4-r2-s2
- version/juniper junos/17.4-r2-s3
- version/juniper junos/17.4-r2-s4
- version/juniper junos/17.4-r2-s5
- version/juniper junos/17.4-r2-s6
- version/juniper junos/17.4-r2-s7
- version/juniper junos/17.4-r2-s8
- version/juniper junos/17.4-r2-s9
- version/juniper junos/17.4-r3
- version/juniper junos/17.4-r3-s1
- version/juniper junos/17.4-r3-s2
- canonical/juniper ex4600
- canonical/juniper nfx
- canonical/juniper qfx5100
- canonical/juniper qfx5110
- canonical/juniper qfx5120
- canonical/juniper qfx5130
- canonical/juniper qfx5200-48y
- canonical/juniper qfx5210-64c
- canonical/juniper qfx5220
- version/juniper junos/18.1
- version/juniper junos/18.1-r1
- version/juniper junos/18.1-r2
- version/juniper junos/18.1-r2-s1
- version/juniper junos/18.1-r2-s2
- version/juniper junos/18.1-r2-s4
- version/juniper junos/18.1-r3
- version/juniper junos/18.1-r3-s1
- version/juniper junos/18.1-r3-s2
- version/juniper junos/18.1-r3-s3
- version/juniper junos/18.1-r3-s4
- version/juniper junos/18.1-r3-s6
- version/juniper junos/18.1-r3-s7
- version/juniper junos/18.1-r3-s8
- canonical/juniper ex2300-24t
- canonical/juniper ex3400
- version/juniper junos/18.2
- version/juniper junos/18.2-r1
- version/juniper junos/18.2-r1-s3
- version/juniper junos/18.2-r1-s4
- version/juniper junos/18.2-r1-s5
- version/juniper junos/18.2-r2
- version/juniper junos/18.2-r2-s1
- version/juniper junos/18.2-r2-s2
- version/juniper junos/18.2-r2-s3
- version/juniper junos/18.2-r2-s4
- version/juniper junos/18.2-r2-s5
- version/juniper junos/18.2-r2-s6
- version/juniper junos/18.2-r3
- version/juniper junos/18.2-r3-s1
- version/juniper junos/18.2-r3-s2
- version/juniper junos/18.3
- version/juniper junos/18.3-r1
- version/juniper junos/18.3-r1-s1
- version/juniper junos/18.3-r1-s2
- version/juniper junos/18.3-r1-s3
- version/juniper junos/18.3-r1-s5
- version/juniper junos/18.3-r1-s6
- version/juniper junos/18.3-r2
- version/juniper junos/18.3-r2-s1
- version/juniper junos/18.3-r2-s2
- version/juniper junos/18.3-r2-s3
- version/juniper junos/18.3-r2-s4
- version/juniper junos/18.3-r3
- version/juniper junos/18.4
- version/juniper junos/18.4-r1
- version/juniper junos/18.4-r1-s1
- version/juniper junos/18.4-r1-s2
- version/juniper junos/18.4-r1-s3
- version/juniper junos/18.4-r1-s4
- version/juniper junos/18.4-r2
- version/juniper junos/18.4-r2-s1
- version/juniper junos/18.4-r2-s2
- version/juniper junos/19.1
- version/juniper junos/19.1-r1
- version/juniper junos/19.1-r1-s1
- version/juniper junos/19.1-r1-s2
- version/juniper junos/19.1-r1-s3
- version/juniper junos/19.1-r1-s4
- version/juniper junos/19.1-r2
- version/juniper junos/19.2
- version/juniper junos/19.2-r1
- version/juniper junos/19.2-r1-s1
- version/juniper junos/19.2-r1-s2
- version/juniper junos/19.2-r1-s3
- version/juniper junos/19.2-r1-s4
- version/juniper junos/19.3
- version/juniper junos/19.3-r1
- version/juniper junos/19.3-r1-s1
- version/juniper junos/19.3-r2
- version/juniper junos/19.3-r2-s1
- version/juniper junos/19.3-r2-s2
- canonical/juniper ex4300-24t
- version/juniper junos/19.4-r1
- version/juniper junos/19.4-r1-s1
- canonical/juniper nfx series