CVE-2022-22153 Overview
CVE-2022-22153 is a denial of service vulnerability affecting Juniper Networks Junos OS running on SRX Series and MX Series devices with SPC3 (Services Processing Card 3). The vulnerability exists in the flow processing daemon (flowd) and combines two distinct weakness patterns: Insufficient Algorithmic Complexity (CWE-407) and Allocation of Resources Without Limits or Throttling. An unauthenticated network attacker can exploit this vulnerability to cause significant latency in transit packet processing and even complete packet loss.
The vulnerability is triggered when transit traffic contains a significant percentage (greater than 5%) of fragmented packets requiring reassembly. Under these conditions, the flowd process fails to efficiently handle the computational overhead of fragment reassembly, leading to resource exhaustion and service degradation.
Critical Impact
Unauthenticated attackers can cause network service disruption through packet processing latency and packet loss on critical network infrastructure devices without requiring any privileges or user interaction.
Affected Products
- Juniper Networks Junos OS - All versions prior to 18.2R3
- Juniper Networks Junos OS 18.3 - versions prior to 18.3R3
- Juniper Networks Junos OS 18.4 - versions prior to 18.4R2-S9, 18.4R3
- Juniper Networks Junos OS 19.1 - versions prior to 19.1R2
- Juniper Networks Junos OS 19.2 - versions prior to 19.2R1-S1, 19.2R2
- Juniper SRX Series (SRX100, SRX110, SRX210, SRX220, SRX240, SRX300, SRX320, SRX340, SRX345, SRX380, SRX550, SRX650, SRX1400, SRX1500, SRX3400, SRX3600, SRX4000, SRX4100, SRX4200, SRX4600, SRX5000, SRX5400, SRX5600, SRX5800)
- Juniper MX Series with SPC3 (MX5, MX10, MX40, MX80, MX104, MX150, MX204, MX240, MX480, MX960, MX2008, MX2010, MX2020, MX10000, MX10003, MX10008, MX10016)
Discovery Timeline
- January 19, 2022 - CVE-2022-22153 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-22153
Vulnerability Analysis
This vulnerability targets the flow processing daemon (flowd), a critical component responsible for stateful packet inspection and traffic flow management on Juniper SRX and MX Series devices. The flowd process handles packet reassembly for fragmented IP traffic, and the vulnerability lies in the algorithmic inefficiency of this reassembly process combined with a lack of resource throttling mechanisms.
When an attacker sends traffic containing a high percentage of fragmented packets (exceeding 5% of total traffic), the flowd daemon consumes excessive CPU and memory resources attempting to reassemble these fragments. The absence of rate limiting or resource allocation caps allows this condition to persist, degrading the device's ability to process legitimate transit traffic.
This vulnerability can be exploited remotely over the network without requiring authentication, making it particularly dangerous for internet-facing firewall and router deployments. The impact is limited to availability—there is no confidentiality or integrity breach—but the potential for network outage on critical infrastructure makes this a significant concern.
Root Cause
The root cause is a combination of two weakness patterns:
Insufficient Algorithmic Complexity (CWE-407): The fragment reassembly algorithm in flowd does not scale efficiently when handling a high volume of fragmented packets. The computational complexity increases disproportionately as the percentage of fragmented traffic grows.
Allocation of Resources Without Limits or Throttling: The flowd daemon lacks proper safeguards to limit the resources (CPU, memory, processing queues) dedicated to fragment reassembly operations. This allows an attacker to exhaust system resources by maintaining a sustained flow of fragmented traffic.
Attack Vector
The attack can be executed by any unauthenticated network attacker capable of sending traffic through an affected Juniper device. The attacker crafts network traffic where more than 5% consists of fragmented IP packets requiring reassembly by the flowd process.
The attack does not require valid credentials, special privileges, or user interaction. Traffic simply needs to transit through the affected device's flow processing path. This makes the vulnerability exploitable in common deployment scenarios where SRX firewalls or MX routers process untrusted network traffic.
The exploitation mechanism involves sending sustained fragmented traffic to overload the reassembly process, causing legitimate traffic to experience latency or be dropped entirely.
Detection Methods for CVE-2022-22153
Indicators of Compromise
- Unusually high CPU utilization on the flowd process or Packet Forwarding Engine (PFE)
- Increased memory consumption on affected SRX or MX devices during periods of fragmented traffic
- Network latency spikes or intermittent connectivity issues reported by users
- Elevated fragment reassembly queue depths visible in device statistics
Detection Strategies
- Monitor flowd process resource utilization using Junos OS CLI commands such as show chassis routing-engine and show system processes extensive
- Implement network flow analysis to detect abnormal ratios of fragmented packets in transit traffic
- Configure SNMP monitoring for CPU and memory thresholds on affected devices to generate alerts
- Review firewall session tables for signs of fragment-related session buildup
Monitoring Recommendations
- Enable logging and alerting for flowd process restarts or high resource utilization events
- Deploy network traffic analysis tools to baseline normal fragmentation rates and alert on deviations exceeding 5%
- Configure SentinelOne Singularity for network visibility to detect anomalous traffic patterns targeting network infrastructure
- Establish baseline metrics for packet processing latency to identify degradation indicative of exploitation attempts
How to Mitigate CVE-2022-22153
Immediate Actions Required
- Identify all Juniper SRX Series and MX Series with SPC3 devices in your environment running vulnerable Junos OS versions
- Review the Juniper Security Advisory JSA11261 for detailed patch information and affected version specifics
- Prioritize patching for internet-facing devices and those processing untrusted traffic
- Implement network monitoring to detect unusual fragmented traffic patterns as an interim measure
Patch Information
Juniper Networks has released patches addressing this vulnerability. Affected organizations should upgrade to the following fixed versions:
- Junos OS 18.2R3 or later for the 18.2 release train
- Junos OS 18.3R3 or later for the 18.3 release train
- Junos OS 18.4R2-S9, 18.4R3 or later for the 18.4 release train
- Junos OS 19.1R2 or later for the 19.1 release train
- Junos OS 19.2R1-S1, 19.2R2 or later for the 19.2 release train
Refer to the Juniper Security Advisory JSA11261 for complete patch availability and download links.
Workarounds
- Implement upstream filtering to limit or block fragmented traffic at network perimeter devices before it reaches vulnerable Juniper appliances
- Configure screen options on SRX devices to limit fragment reassembly processing where operationally feasible
- Deploy rate limiting for fragmented packets at network ingress points to reduce exposure
- Consider deploying additional network infrastructure to distribute fragment processing load across multiple devices
# Example: Verify current Junos OS version
show version
# Example: Monitor flowd process utilization
show system processes extensive | match flowd
# Example: Check fragment statistics
show security flow statistics
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
