CVE-2022-22157 Overview
A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways allows an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources when the no-syn-check configuration is enabled on the device. The vulnerability stems from JDPI incorrectly classifying out-of-state asymmetric TCP flows as the dynamic-application INCONCLUSIVE instead of UNKNOWN, resulting in more permissive firewall behavior that allows traffic to be forwarded when it should have been denied.
Critical Impact
Attackers can bypass firewall security controls and Deep Packet Inspection rules to gain unauthorized access to protected network resources without authentication.
Affected Products
- Juniper Networks Junos OS on SRX Series 18.4 versions prior to 18.4R2-S9, 18.4R3-S9
- Juniper Networks Junos OS on SRX Series 19.1 versions prior to 19.1R2-S3, 19.1R3-S6
- Juniper Networks Junos OS on SRX Series 19.2 versions prior to 19.2R1-S7, 19.2R3-S3
- Juniper Networks Junos OS on SRX Series 19.3 versions prior to 19.3R2-S6, 19.3R3-S2
- Juniper Networks Junos OS on SRX Series 19.4 versions prior to 19.4R2-S5, 19.4R3-S3
- Juniper Networks Junos OS on SRX Series 20.1 versions prior to 20.1R2-S2, 20.1R3
- Juniper Networks Junos OS on SRX Series 20.2 versions prior to 20.2R3-S1
- Juniper Networks Junos OS on SRX Series 20.3 versions prior to 20.3R3
- Juniper Networks Junos OS on SRX Series 20.4 versions prior to 20.4R2-S1, 20.4R3
- Juniper Networks Junos OS on SRX Series 21.1 versions prior to 21.1R1-S1, 21.1R2
Discovery Timeline
- January 19, 2022 - CVE-2022-22157 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-22157
Vulnerability Analysis
This vulnerability affects the traffic classification engine within Juniper Deep Packet Inspection (JDPI) on SRX Series Services Gateways. The core issue lies in how JDPI handles out-of-state asymmetric TCP flows when the no-syn-check option is configured. Under normal operation, when a TCP session cannot be properly identified, JDPI should classify it as UNKNOWN, which triggers the most restrictive default policy handling. However, due to this flaw, such flows are instead classified as INCONCLUSIVE, a less restrictive classification that allows traffic to pass through security policies it should have been blocked by.
The vulnerability specifically manifests in environments where administrators have enabled the set security flow tcp-session no-syn-check configuration. This setting is commonly used in asymmetric routing environments or during network transitions where the firewall may not see both directions of a TCP conversation. The flaw enables network-based attackers to craft traffic that exploits this misclassification to bypass application-layer firewall rules without requiring any authentication or user interaction.
Root Cause
The root cause is an Improper Authorization (CWE-863) flaw in the JDPI classification logic. When processing TCP flows that arrive without proper session state (asymmetric flows), the classification engine incorrectly returns the INCONCLUSIVE result instead of the more secure UNKNOWN classification. This logical error in the flow classification state machine results in security policy enforcement being applied incorrectly, allowing traffic that should be blocked by JDPI rules to pass through the firewall.
Attack Vector
The attack vector is network-based and does not require authentication or user interaction. An attacker positioned on the network can exploit this vulnerability by sending crafted TCP traffic designed to trigger the asymmetric flow handling path in JDPI. The attack works as follows:
- The attacker identifies a target SRX Series device with no-syn-check enabled
- Crafted TCP packets are sent that appear as out-of-state or asymmetric flows
- JDPI misclassifies these flows as INCONCLUSIVE rather than UNKNOWN
- Security policies that rely on proper application identification are bypassed
- The attacker gains access to network resources that should have been protected
This vulnerability is particularly concerning because it can be exploited to bypass Deep Packet Inspection rules entirely, potentially allowing access to sensitive internal networks, unauthorized application access, or exfiltration of data through what should be blocked channels. The scope is changed from the vulnerable component, meaning successful exploitation can impact resources beyond the SRX firewall itself.
Detection Methods for CVE-2022-22157
Indicators of Compromise
- Unexpected traffic flows to protected network segments from external sources
- Increased volume of TCP connections classified as INCONCLUSIVE in JDPI logs
- Firewall policy violations where blocked applications appear to traverse the firewall
- Anomalous application identification patterns in security logs showing misclassified traffic
Detection Strategies
- Review JDPI application identification logs for unusual spikes in INCONCLUSIVE classifications
- Monitor for TCP traffic patterns that suggest asymmetric flow manipulation attempts
- Implement network anomaly detection to identify unauthorized access to protected resources
- Audit firewall session tables for connections that bypassed expected security policies
Monitoring Recommendations
- Enable detailed logging for JDPI application identification events on affected SRX devices
- Configure alerts for policy bypass attempts and unexpected traffic classifications
- Regularly review firewall logs for connections from untrusted sources reaching protected zones
- Deploy network flow monitoring to detect lateral movement attempts that may indicate exploitation
How to Mitigate CVE-2022-22157
Immediate Actions Required
- Verify if no-syn-check is enabled on affected SRX devices using show configuration security flow
- If no-syn-check is not operationally required, disable it immediately to eliminate the vulnerability
- Upgrade to a patched version of Junos OS as identified in the Juniper Security Advisory JSA11265
- Implement additional network segmentation to limit the impact of potential exploitation
Patch Information
Juniper Networks has released security patches addressing this vulnerability across all affected version branches. Administrators should upgrade to the following minimum versions based on their current deployment:
- 18.4: Upgrade to 18.4R2-S9, 18.4R3-S9 or later
- 19.1: Upgrade to 19.1R2-S3, 19.1R3-S6 or later
- 19.2: Upgrade to 19.2R1-S7, 19.2R3-S3 or later
- 19.3: Upgrade to 19.3R2-S6, 19.3R3-S2 or later
- 19.4: Upgrade to 19.4R2-S5, 19.4R3-S3 or later
- 20.1: Upgrade to 20.1R2-S2, 20.1R3 or later
- 20.2: Upgrade to 20.2R3-S1 or later
- 20.3: Upgrade to 20.3R3 or later
- 20.4: Upgrade to 20.4R2-S1, 20.4R3 or later
- 21.1: Upgrade to 21.1R1-S1, 21.1R2 or later
For detailed patch information and download links, refer to the Juniper Security Advisory JSA11265.
Workarounds
- Disable the no-syn-check configuration if asymmetric routing is not required in your environment
- Implement strict zone-based firewall policies that do not rely solely on JDPI for traffic filtering
- Deploy additional security controls such as network intrusion prevention systems (IPS) upstream
- Use explicit deny rules for sensitive resources that do not depend on dynamic application identification
# Check if no-syn-check is enabled
show configuration security flow | match no-syn-check
# Disable no-syn-check as a workaround (if operationally feasible)
delete security flow tcp-session no-syn-check
commit
# Verify the configuration change
show configuration security flow
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
