CVE-2023-22409: Junos OS: SRX Series, MX Series with SPC3: When an inconsistent NAT configuration exists and a specific CLI command is issued the SPC will reboot

First published: Thu Jan 12 2023(Updated: )

An Unchecked Input for Loop Condition vulnerability in a NAT library of Juniper Networks Junos OS allows a local authenticated attacker with low privileges to cause a Denial of Service (DoS). When an inconsistent "deterministic NAT" configuration is present on an SRX, or MX with SPC3 and then a specific CLI command is issued the SPC will crash and restart. Repeated execution of this command will lead to a sustained DoS. Such a configuration is characterized by the total number of port blocks being greater than the total number of hosts. An example for such configuration is: [ services nat source pool TEST-POOL address x.x.x.0/32 to x.x.x.15/32 ] [ services nat source pool TEST-POOL port deterministic block-size 1008 ] [ services nat source pool TEST-POOL port deterministic host address y.y.y.0/24] [ services nat source pool TEST-POOL port deterministic include-boundary-addresses] where according to the following calculation: 65536-1024=64512 (number of usable ports per IP address, implicit) 64512/1008=64 (number of port blocks per Nat IP) x.x.x.0/32 to x.x.x.15/32 = 16 (NAT IP addresses available in NAT pool) total port blocks in NAT Pool = 64 blocks per IP * 16 IPs = 1024 Port blocks host address y.y.y.0/24 = 256 hosts (with include-boundary-addresses) If the port block size is configured to be 4032, then the total port blocks are (64512/4032) * 16 = 256 which is equivalent to the total host addresses of 256, and the issue will not be seen. This issue affects Juniper Networks Junos OS on SRX Series, and MX Series with SPC3: All versions prior to 19.4R3-S10; 20.1 version 20.1R1 and later versions; 20.2 versions prior to 20.2R3-S6; 20.3 versions prior to 20.3R3-S6; 20.4 versions prior to 20.4R3-S5; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S3; 21.3 versions prior to 21.3R3-S3; 21.4 versions prior to 21.4R3-S1; 22.1 versions prior to 22.1R2-S2, 22.1R3; 22.2 versions prior to 22.2R2.

Credit: sirt@juniper.net

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-index
• agent/type
• agent/softwarecombine
• collector/mitre-cve
• source/MITRE
• agent/references
• agent/severity
• agent/last-modified-date
• agent/weakness
• agent/author
• agent/tags
• agent/description
• agent/title
• agent/remedy
• agent/event
• agent/first-publish-date
• vendor/juniper
• canonical/juniper junos
• version/juniper junos/19.4
• version/juniper junos/19.4-r1
• version/juniper junos/19.4-r1-s1
• version/juniper junos/19.4-r1-s2
• version/juniper junos/19.4-r1-s3
• version/juniper junos/19.4-r1-s4
• version/juniper junos/19.4-r2
• version/juniper junos/19.4-r2-s1
• version/juniper junos/19.4-r2-s2
• version/juniper junos/19.4-r2-s3
• version/juniper junos/19.4-r2-s4
• version/juniper junos/19.4-r2-s5
• version/juniper junos/19.4-r2-s6
• version/juniper junos/19.4-r2-s7
• version/juniper junos/19.4-r3
• version/juniper junos/19.4-r3-s1
• version/juniper junos/19.4-r3-s2
• version/juniper junos/19.4-r3-s3
• version/juniper junos/19.4-r3-s4
• version/juniper junos/19.4-r3-s5
• version/juniper junos/19.4-r3-s6
• version/juniper junos/19.4-r3-s7
• version/juniper junos/19.4-r3-s8
• version/juniper junos/19.4-r3-s9
• version/juniper junos/20.1-r1
• version/juniper junos/20.1-r1-s1
• version/juniper junos/20.1-r1-s2
• version/juniper junos/20.1-r1-s3
• version/juniper junos/20.1-r1-s4
• version/juniper junos/20.1-r2
• version/juniper junos/20.1-r2-s1
• version/juniper junos/20.1-r2-s2
• version/juniper junos/20.1-r3
• version/juniper junos/20.1-r3-s1
• version/juniper junos/20.1-r3-s2
• version/juniper junos/20.1-r3-s3
• version/juniper junos/20.1-r3-s4
• version/juniper junos/20.2
• version/juniper junos/20.2-r1
• version/juniper junos/20.2-r1-s1
• version/juniper junos/20.2-r1-s2
• version/juniper junos/20.2-r1-s3
• version/juniper junos/20.2-r2
• version/juniper junos/20.2-r2-s1
• version/juniper junos/20.2-r2-s2
• version/juniper junos/20.2-r2-s3
• version/juniper junos/20.2-r3
• version/juniper junos/20.2-r3-s1
• version/juniper junos/20.2-r3-s2
• version/juniper junos/20.2-r3-s3
• version/juniper junos/20.2-r3-s4
• version/juniper junos/20.2-r3-s5
• version/juniper junos/20.3
• version/juniper junos/20.3-r1
• version/juniper junos/20.3-r1-s1
• version/juniper junos/20.3-r1-s2
• version/juniper junos/20.3-r2
• version/juniper junos/20.3-r2-s1
• version/juniper junos/20.3-r3
• version/juniper junos/20.3-r3-s1
• version/juniper junos/20.3-r3-s2
• version/juniper junos/20.3-r3-s3
• version/juniper junos/20.3-r3-s4
• version/juniper junos/20.3-r3-s5
• version/juniper junos/20.4
• version/juniper junos/20.4-r1
• version/juniper junos/20.4-r1-s1
• version/juniper junos/20.4-r2
• version/juniper junos/20.4-r2-s1
• version/juniper junos/20.4-r2-s2
• version/juniper junos/20.4-r3
• version/juniper junos/20.4-r3-s1
• version/juniper junos/20.4-r3-s2
• version/juniper junos/20.4-r3-s3
• version/juniper junos/20.4-r3-s4
• version/juniper junos/21.1
• version/juniper junos/21.1-r1
• version/juniper junos/21.1-r1-s1
• version/juniper junos/21.1-r2
• version/juniper junos/21.1-r2-s1
• version/juniper junos/21.1-r2-s2
• version/juniper junos/21.1-r3
• version/juniper junos/21.1-r3-s1
• version/juniper junos/21.1-r3-s2
• version/juniper junos/21.1-r3-s3
• version/juniper junos/21.2
• version/juniper junos/21.2-r1
• version/juniper junos/21.2-r1-s1
• version/juniper junos/21.2-r1-s2
• version/juniper junos/21.2-r2
• version/juniper junos/21.2-r2-s1
• version/juniper junos/21.2-r2-s2
• version/juniper junos/21.2-r3
• version/juniper junos/21.2-r3-s1
• version/juniper junos/21.2-r3-s2
• version/juniper junos/21.3
• version/juniper junos/21.3-r1
• version/juniper junos/21.3-r1-s1
• version/juniper junos/21.3-r1-s2
• version/juniper junos/21.3-r2
• version/juniper junos/21.3-r2-s1
• version/juniper junos/21.3-r2-s2
• version/juniper junos/21.3-r3
• version/juniper junos/21.3-r3-s1
• version/juniper junos/21.3-r3-s2
• version/juniper junos/21.4
• version/juniper junos/21.4-r1
• version/juniper junos/21.4-r1-s1
• version/juniper junos/21.4-r1-s2
• version/juniper junos/21.4-r2
• version/juniper junos/21.4-r2-s1
• version/juniper junos/21.4-r2-s2
• version/juniper junos/21.4-r3
• version/juniper junos/22.1-r1
• version/juniper junos/22.1-r1-s1
• version/juniper junos/22.1-r1-s2
• version/juniper junos/22.1-r2
• version/juniper junos/22.1-r2-s1
• version/juniper junos/22.2-r1
• version/juniper junos/22.2-r1-s1
• version/juniper junos/22.2-r1-s2
• canonical/juniper mx10
• canonical/juniper mx10000
• canonical/juniper mx10003
• canonical/juniper mx10008
• canonical/juniper mx10016
• canonical/juniper mx104
• canonical/juniper mx150
• canonical/juniper mx2008
• canonical/juniper mx2010
• canonical/juniper mx2020
• canonical/juniper mx204
• canonical/juniper mx240
• canonical/juniper mx40
• canonical/juniper mx480
• canonical/juniper mx5
• canonical/juniper mx80
• canonical/juniper mx960
• canonical/juniper srx100
• canonical/juniper srx110
• canonical/juniper srx1400
• canonical/juniper srx1500
• canonical/juniper srx210
• canonical/juniper srx220
• canonical/juniper srx240
• canonical/juniper srx240h2
• canonical/juniper srx240m
• canonical/juniper srx300
• canonical/juniper srx320
• canonical/juniper srx340
• canonical/juniper srx3400
• canonical/juniper srx345
• canonical/juniper srx3600
• canonical/juniper srx380
• canonical/juniper srx4000
• canonical/juniper srx4100
• canonical/juniper srx4200
• canonical/juniper srx4600
• canonical/juniper srx5000
• canonical/juniper srx5400
• canonical/juniper srx550
• canonical/juniper srx550 hm
• canonical/juniper srx550m
• canonical/juniper srx5600
• canonical/juniper srx5800
• canonical/juniper srx650