CVE-2023-28959: Junos OS: QFX10002: PFE wedges and restarts upon receipt of specific malformed packets

First published: Mon Apr 17 2023(Updated: )

An Improper Check or Handling of Exceptional Conditions vulnerability in packet processing of Juniper Networks Junos OS on QFX10002 allows an unauthenticated, adjacent attacker on the local broadcast domain sending a malformed packet to the device, causing all PFEs other than the inbound PFE to wedge and to eventually restart, resulting in a Denial of Service (DoS) condition. Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue can only be triggered by sending a specific malformed packet to the device. Transit traffic does not trigger this issue. An indication of this issue occurring can be seen through the following log messages: fpc0 expr_hostbound_packet_handler: Receive pe 73? fpc0 Cmerror Op Set: PE Chip: PE0[0]: PGQ:misc_intr: 0x00000020: Enqueue of a packet with out-of-range VOQ in 192K-VOQ mode (URI: /fpc/0/pfe/0/cm/0/PE_Chip/0/PECHIP_CMERROR_PGQ_MISC_INT_EVENTS_ENQ_192K_VIOL) The logs list below can also be observed when this issue occurs fpc0 Error: /fpc/0/pfe/0/cm/0/PE_Chip/0/PECHIP_CMERROR_PGQ_MISC_INT_EVENTS_ENQ_192K_VIOL (0x210107), scope: pfe, category: functional, severity: major, module: PE Chip, type: Description for PECHIP_CMERROR_PGQ_MISC_INT_EVENTS_ENQ_192K_VIOL fpc0 Performing action cmalarm for error /fpc/0/pfe/0/cm/0/PE_Chip/0/PECHIP_CMERROR_PGQ_MISC_INT_EVENTS_ENQ_192K_VIOL (0x210107) in module: PE Chip with scope: pfe category: functional level: major fpc0 Error: /fpc/0/pfe/0/cm/0/PE_Chip/0/PECHIP_CMERROR_CM_INT_REG_DCHK_PIPE (0x21011a), scope: pfe, category: functional, severity: fatal, module: PE Chip, type: Description for PECHIP_CMERROR_CM_INT_REG_DCHK_PIPE fpc0 Performing action cmalarm for error /fpc/0/pfe/0/cm/0/PE_Chip/0/PECHIP_CMERROR_CM_INT_REG_DCHK_PIPE (0x21011a) in module: PE Chip with scope: pfe category: functional level: fatal fpc0 Performing action disable-pfe for error /fpc/0/pfe/0/cm/0/PE_Chip/0/PECHIP_CMERROR_CM_INT_REG_DCHK_PIPE (0x21011a) in module: PE Chip with scope: pfe category: functional level: fatal This issue affects Juniper Networks Junos OS on QFX10002: All versions prior to 19.1R3-S10; 19.4 versions prior to 19.4R3-S11; 20.2 versions prior to 20.2R3-S7; 20.4 versions prior to 20.4R3-S6; 21.1 versions prior to 21.1R3-S4; 21.2 versions prior to 21.2R3-S4; 21.3 versions prior to 21.3R3-S3; 21.4 versions prior to 21.4R3-S2; 22.1 versions prior to 22.1R3-S1; 22.2 versions prior to 22.2R2-S1, 22.2R3; 22.3 versions prior to 22.3R1-S2, 22.3R2.

Credit: sirt@juniper.net

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-index
• agent/type
• collector/mitre-cve
• source/MITRE
• agent/remedy
• agent/references
• agent/severity
• agent/weakness
• agent/title
• agent/last-modified-date
• agent/author
• agent/description
• agent/first-publish-date
• agent/softwarecombine
• agent/tags
• agent/event
• collector/ibm-support
• source/IBM
• agent/software-canonical-lookup
• vendor/juniper
• canonical/juniper junos
• version/juniper junos/19.1
• version/juniper junos/19.1-r1
• version/juniper junos/19.1-r1-s1
• version/juniper junos/19.1-r1-s2
• version/juniper junos/19.1-r1-s3
• version/juniper junos/19.1-r1-s4
• version/juniper junos/19.1-r1-s5
• version/juniper junos/19.1-r1-s6
• version/juniper junos/19.1-r2
• version/juniper junos/19.1-r2-s1
• version/juniper junos/19.1-r2-s2
• version/juniper junos/19.1-r2-s3
• version/juniper junos/19.1-r3
• version/juniper junos/19.1-r3-s1
• version/juniper junos/19.1-r3-s2
• version/juniper junos/19.1-r3-s3
• version/juniper junos/19.1-r3-s4
• version/juniper junos/19.1-r3-s5
• version/juniper junos/19.1-r3-s6
• version/juniper junos/19.1-r3-s7
• version/juniper junos/19.1-r3-s8
• version/juniper junos/19.1-r3-s9
• version/juniper junos/19.4
• version/juniper junos/19.4-r1
• version/juniper junos/19.4-r1-s1
• version/juniper junos/19.4-r1-s2
• version/juniper junos/19.4-r1-s3
• version/juniper junos/19.4-r1-s4
• version/juniper junos/19.4-r2
• version/juniper junos/19.4-r2-s1
• version/juniper junos/19.4-r2-s2
• version/juniper junos/19.4-r2-s3
• version/juniper junos/19.4-r2-s4
• version/juniper junos/19.4-r2-s5
• version/juniper junos/19.4-r2-s6
• version/juniper junos/19.4-r2-s7
• version/juniper junos/19.4-r3
• version/juniper junos/19.4-r3-s1
• version/juniper junos/19.4-r3-s10
• version/juniper junos/20.2
• version/juniper junos/20.2-r1
• version/juniper junos/20.2-r1-s1
• version/juniper junos/20.2-r1-s2
• version/juniper junos/20.2-r1-s3
• version/juniper junos/20.2-r2
• version/juniper junos/20.2-r2-s1
• version/juniper junos/20.2-r2-s2
• version/juniper junos/20.2-r2-s3
• version/juniper junos/20.2-r3
• version/juniper junos/20.2-r3-s1
• version/juniper junos/20.2-r3-s2
• version/juniper junos/20.2-r3-s3
• version/juniper junos/20.2-r3-s4
• version/juniper junos/20.2-r3-s5
• version/juniper junos/20.2-r3-s6
• version/juniper junos/20.4
• version/juniper junos/20.4-r1
• version/juniper junos/20.4-r1-s1
• version/juniper junos/20.4-r2
• version/juniper junos/20.4-r2-s1
• version/juniper junos/20.4-r2-s2
• version/juniper junos/20.4-r3
• version/juniper junos/20.4-r3-s1
• version/juniper junos/20.4-r3-s2
• version/juniper junos/20.4-r3-s3
• version/juniper junos/20.4-r3-s4
• version/juniper junos/20.4-r3-s5
• version/juniper junos/21.1
• version/juniper junos/21.1-r1
• version/juniper junos/21.1-r1-s1
• version/juniper junos/21.1-r2
• version/juniper junos/21.1-r2-s1
• version/juniper junos/21.1-r2-s2
• version/juniper junos/21.1-r3
• version/juniper junos/21.1-r3-s1
• version/juniper junos/21.1-r3-s2
• version/juniper junos/21.1-r3-s3
• version/juniper junos/21.2
• version/juniper junos/21.2-r1
• version/juniper junos/21.2-r1-s1
• version/juniper junos/21.2-r1-s2
• version/juniper junos/21.2-r2
• version/juniper junos/21.2-r2-s1
• version/juniper junos/21.2-r2-s2
• version/juniper junos/21.2-r3
• version/juniper junos/21.2-r3-s1
• version/juniper junos/21.2-r3-s2
• version/juniper junos/21.2-r3-s3
• version/juniper junos/21.3
• version/juniper junos/21.3-r1
• version/juniper junos/21.3-r1-s1
• version/juniper junos/21.3-r1-s2
• version/juniper junos/21.3-r2
• version/juniper junos/21.3-r2-s1
• version/juniper junos/21.3-r2-s2
• version/juniper junos/21.3-r3
• version/juniper junos/21.3-r3-s1
• version/juniper junos/21.3-r3-s2
• version/juniper junos/21.4
• version/juniper junos/21.4-r1
• version/juniper junos/21.4-r1-s1
• version/juniper junos/21.4-r1-s2
• version/juniper junos/21.4-r2
• version/juniper junos/21.4-r2-s1
• version/juniper junos/21.4-r2-s2
• version/juniper junos/21.4-r3
• version/juniper junos/21.4-r3-s1
• version/juniper junos/22.1-r1
• version/juniper junos/22.1-r1-s1
• version/juniper junos/22.1-r1-s2
• version/juniper junos/22.1-r2
• version/juniper junos/22.1-r2-s1
• version/juniper junos/22.1-r2-s2
• version/juniper junos/22.1-r3
• version/juniper junos/22.2-r1
• version/juniper junos/22.2-r1-s1
• version/juniper junos/22.2-r1-s2
• version/juniper junos/22.2-r2
• version/juniper junos/22.3-r1
• version/juniper junos/22.3-r1-s1
• canonical/juniper qfx10002
• vendor/ibm
• canonical/ibm watson knowledge catalog on-prem
• version/ibm watson knowledge catalog on-prem/4.x