Design/Logic Flaw

An Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in the management daemon (mgd) process of Juniper Networks Junos OS and Junos OS Evolved allows a network-based authenticated low-privileged attacker, by executing a specific command via NETCONF, to cause a CPU Denial of Service to the device’s control plane.

This issue affects:

Juniper Networks Junos OS

• All versions prior to 20.4R3-S7;
• 21.2 versions prior to 21.2R3-S5;
• 21.3 versions prior to 21.3R3-S5;
• 21.4 versions prior to 21.4R3-S4;
• 22.1 versions prior to 22.1R3-S2;
• 22.2 versions prior to 22.2R3;
• 22.3 versions prior to 22.3R2-S1, 22.3R3;
• 22.4 versions prior to 22.4R1-S2, 22.4R2.

Juniper Networks Junos OS Evolved

• All versions prior to 21.4R3-S4-EVO;
• 22.1 versions prior to 22.1R3-S2-EVO;
• 22.2 versions prior to 22.2R3-EVO;
• 22.3 versions prior to 22.3R3-EVO;
• 22.4 versions prior to 22.4R2-EVO.

An indicator of compromise can be seen by first determining if the NETCONF client is logged in and fails to log out after a reasonable period of time and secondly reviewing the WCPU percentage for the mgd process by running the following command:

mgd process example:

user@device-re#> show system processes extensive | match “mgd|PID” | except last
PID USERNAME PRI NICE SIZE RES STATE C TIME WCPU COMMAND
92476 root 100 0 500M 89024K CPU3 3 57.5H 89.60% mgd <<<<<<<<<<< review the high cpu percentage.
Example to check for NETCONF activity:

While there is no specific command that shows a specific session in use for NETCONF, you can review logs for UI_LOG_EVENT with “client-mode ‘netconf’”

For example:

mgd[38121]: UI_LOGIN_EVENT: User ‘root’ login, class ‘super-user’ [38121], ssh-connection ‘10.1.1.1 201 55480 10.1.1.2 22’, client-mode ‘netconf’