To be exposed to this issue a configuration utilizing an IPv6 firewall filter with the tcp-reset option like the following needs to be present:
[ firewall family inet6 filter <filter name> term <term name> match payload-protocol ] [ firewall family inet6 filter <filter name> term <term name> then reject tcp-reset ]An Unsupported Feature in the UI vulnerability in Juniper Networks Junos OS on MX Series and EX9200 Series allows an unauthenticated, network-based attacker to cause partial impact to the integrity of the device.
If the \"tcp-reset\" option is added to the \"reject\" action in an IPv6 filter which matches on \"payload-protocol\", packets are permitted instead of rejected. This happens because the payload-protocol match criteria is not supported in the kernel filter causing it to accept all packets without taking any other action. As a fix the payload-protocol match will be treated the same as a \"next-header\" match to avoid this filter bypass.
This issue doesn't affect IPv4 firewall filters.
This issue affects Juniper Networks Junos OS on MX Series and EX9200 Series:
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
"}],"value":"Juniper SIRT is not aware of any malicious exploitation of this vulnerability.\n\n"}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-447","description":"CWE-447 Unimplemented or Unsupported Feature in UI","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"8cbe9d5a-a066-4c94-8978-4b15efeae968","shortName":"juniper","dateUpdated":"2024-01-12T00:55:07.323Z"},"references":[{"tags":["vendor-advisory"],"url":"https://supportportal.juniper.net/JSA75748"},{"tags":["technical-description"],"url":"https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The following software releases have been updated to resolve this specific issue: Junos OS 20.4R3-S7, 21.1R3-S5, 21.2R3-S5, 21.3R3-S4, 21.4R3-S4, 22.1R3-S2, 22.2R3-S2, 22.3R2-S2, 22.3R3, 22.4R1-S2, 22.4R2-S2, 22.4R3, 23.2R1, and all subsequent releases.
"}],"value":"The following software releases have been updated to resolve this specific issue: Junos OS 20.4R3-S7, 21.1R3-S5, 21.2R3-S5, 21.3R3-S4, 21.4R3-S4, 22.1R3-S2, 22.2R3-S2, 22.3R2-S2, 22.3R3, 22.4R1-S2, 22.4R2-S2, 22.4R3, 23.2R1, and all subsequent releases.\n\n"}],"source":{"advisory":"JSA75748","defect":["1689224"],"discovery":"USER"},"timeline":[{"lang":"en","time":"2024-01-10T17:00:00.000Z","value":"Initial Publication"}],"title":"Junos OS: MX Series and EX9200 Series: If the \"tcp-reset\" option used in an IPv6 filter, matched packets are accepted instead of rejected","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"A workarounds is to replace the payload-protocol match with a next-header match like in the following example:
[ firewall family inet6 filter <filter name> term <term name> match next-header] [ firewall family inet6 filter <filter name> term <term name> then reject tcp-reset ]