CVE-2022-22159 Overview
A vulnerability in the NETISR network queue functionality of Juniper Networks Junos OS kernel allows an attacker to cause a Denial of Service (DoS) by sending crafted genuine packets to a device. During an attack, the routing protocol daemon (rpd) CPU may reach 100% utilization, yet FPC CPUs forwarding traffic will operate normally. This attack occurs when the attackers' packets are sent over an IPv4 unicast routing equal-cost multi-path (ECMP) unilist selection.
Critical Impact
An unauthenticated remote attacker can exhaust the routing protocol daemon's CPU, causing a sustained Denial of Service that disrupts routing operations while the forwarding plane continues to function normally.
Affected Products
- Juniper Junos OS 17.3 version 17.3R3-S9 and later versions prior to 17.3R3-S12
- Juniper Junos OS 17.4 version 17.4R3-S3 and later versions prior to 17.4R3-S5
- Juniper Junos OS 18.1 version 18.1R3-S11 and later versions prior to 18.1R3-S13
- Juniper Junos OS 18.2 version 18.2R3-S6 and later versions
- Juniper Junos OS 18.3 version 18.3R3-S4 and later versions prior to 18.3R3-S5
- Juniper Junos OS 18.4 version 18.4R3-S5 and later versions prior to 18.4R3-S9
- Juniper Junos OS 19.1 version 19.1R3-S3 and later versions prior to 19.1R3-S7
Discovery Timeline
- 2022-01-19 - CVE-2022-22159 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-22159
Vulnerability Analysis
This vulnerability targets the NETISR (Network Interrupt Service Routine) network queue functionality within the Juniper Junos OS kernel. NETISR is responsible for handling network protocol processing in a deferred context, managing the queue of packets that need to be processed by upper-layer protocols.
The flaw manifests specifically when processing IPv4 unicast traffic configured with Equal-Cost Multi-Path (ECMP) routing using unilist selection. When an attacker sends specially crafted but genuine packets through ECMP unilist paths, the routing protocol daemon (rpd) becomes overwhelmed, leading to CPU exhaustion.
The attack is particularly insidious because while the control plane (rpd) is degraded, the forwarding plane (FPC CPUs) continues to operate normally. This asymmetric impact means traffic forwarding continues while routing updates and protocol adjacencies suffer, potentially causing subtle but significant network instability.
Root Cause
The root cause lies in the NETISR queue handling logic when processing packets destined for ECMP unilist selection paths. The vulnerability appears to stem from improper resource management within the kernel's network queue processing, where crafted packet sequences can trigger excessive CPU consumption in the routing protocol daemon. The condition creates a resource exhaustion scenario where legitimate routing operations are starved of CPU cycles.
Attack Vector
The attack is network-based and can be executed remotely without authentication. An attacker must be able to send IPv4 unicast traffic to the target device through a path utilizing ECMP unilist selection. The attack involves sending crafted genuine packets that trigger the vulnerable code path in the NETISR queue processing.
The attack methodology involves:
- Identifying Juniper devices running vulnerable Junos OS versions
- Determining if ECMP unilist routing is configured on the target
- Sending crafted IPv4 unicast packets through ECMP paths
- Sustained transmission creates a persistent DoS condition
- The rpd daemon CPU utilization climbs to 100% while forwarding continues
No proof-of-concept code is cited from verified sources, so the mechanism is understood only at the level of the advisory: packets traversing the ECMP unilist path exercise the NETISR queue handling logic, and that processing causes the routing daemon to consume excessive CPU.
Detection Methods for CVE-2022-22159
Indicators of Compromise
- Monitor for sustained high CPU utilization on the routing protocol daemon (rpd) while FPC CPUs remain at normal levels
- Check for NETISR drops in the network queue statistics using Junos OS CLI commands
- Look for routing protocol adjacency flaps or convergence issues without corresponding forwarding plane problems
- Review system logs for rpd-related warnings or errors during periods of unexplained routing instability
Detection Strategies
- Implement SNMP monitoring for rpd CPU utilization thresholds exceeding normal operational baselines
- Configure syslog alerts for NETISR queue drop events and routing daemon resource exhaustion
- Deploy network traffic analysis to identify anomalous IPv4 unicast traffic patterns targeting ECMP paths
- Contact Juniper JTAC for technical support on monitoring NETISR drops specific to this vulnerability
Monitoring Recommendations
- Establish baseline metrics for rpd CPU utilization under normal network conditions
- Configure proactive alerting when rpd CPU exceeds defined thresholds while forwarding metrics remain stable
- Implement periodic health checks comparing control plane and data plane operational status
- Enable detailed logging for NETISR subsystem events during investigation periods
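The control-plane/data-plane comparison recommended above, as an added example that is not part of the advisory or of Juniper's tooling: it parses constructed samples shaped like the output of show system processes extensive | match rpd and show chassis fpc (both real Junos commands, but the column layout here is approximate and varies by platform) and flags the asymmetric condition, rpd pegged while every online FPC stays idle. The thresholds are assumptions to tune against your own baseline.

```python
import re
from typing import Dict

# Constructed sample in the shape of 'show system processes extensive | match rpd'
# (FreeBSD top-style columns; WCPU is second from last, the command name last).
RPD_SAMPLE = """\
 2211 root        52    0   913M   602M RUN     0 187:12 99.02% rpd
 2212 root        20    0    41M    14M select  1   0:03  0.00% rpd-logger
"""

# Constructed sample in the shape of 'show chassis fpc': two idle line cards, one empty slot.
FPC_SAMPLE = """\
                     Temp  CPU Utilization (%)   CPU Utilization (%)  Memory    Utilization (%)
Slot State            (C)  Total  Interrupt      1min   5min   15min  DRAM (MB) Heap     Buffer
  0  Online            43      7          0        7      7      7    2048       14         16
  1  Online            44      9          0        9      9      9    2048       15         16
  2  Empty
"""

def rpd_wcpu(text: str) -> float:
    """Return the WCPU percentage of the rpd process itself, skipping rpd-* helpers."""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[-1] == "rpd":
            return float(fields[-2].rstrip("%"))
    raise ValueError("rpd not found in process listing")

# slot, 'Online', temp, Total CPU, Interrupt CPU
FPC_ROW = re.compile(r"^\s*(\d+)\s+Online\s+(\d+)\s+(\d+)\s+(\d+)")

def fpc_total_cpu(text: str) -> Dict[int, int]:
    """Map each online FPC slot to its 'Total' CPU utilization column."""
    slots: Dict[int, int] = {}
    for line in text.splitlines():
        m = FPC_ROW.match(line)
        if m:
            slots[int(m.group(1))] = int(m.group(3))
    return slots

def control_plane_asymmetry(rpd_text: str, fpc_text: str,
                            rpd_threshold: float = 90.0, fpc_threshold: int = 50) -> bool:
    """True when rpd is at or above rpd_threshold while every online FPC is below
    fpc_threshold: the symptom pattern described for CVE-2022-22159. This is a
    trigger for investigation (NETISR drops, traffic analysis), not proof on its own."""
    fpcs = fpc_total_cpu(fpc_text)
    return (rpd_wcpu(rpd_text) >= rpd_threshold
            and bool(fpcs)
            and all(total < fpc_threshold for total in fpcs.values()))

if __name__ == "__main__":
    print("asymmetric rpd/FPC load:", control_plane_asymmetry(RPD_SAMPLE, FPC_SAMPLE))
```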
How to Mitigate CVE-2022-22159
Immediate Actions Required
- Identify all Juniper devices running affected Junos OS versions in your environment
- Prioritize patching for devices using ECMP unilist selection configurations
- Implement network access controls to limit traffic sources that can reach vulnerable devices
- Establish enhanced monitoring for rpd CPU utilization on vulnerable systems pending upgrade
Patch Information
Juniper Networks has released security patches addressing this vulnerability. Affected customers should upgrade to the following minimum versions or later:
- Junos OS 17.3R3-S12 or later for the 17.3 branch
- Junos OS 17.4R3-S5 or later for the 17.4 branch
- Junos OS 18.1R3-S13 or later for the 18.1 branch
- Junos OS 18.3R3-S5 or later for the 18.3 branch
- Junos OS 18.4R3-S9 or later for the 18.4 branch
- Junos OS 19.1R3-S7 or later for the 19.1 branch
For branch 18.2, customers should consult with Juniper JTAC for appropriate upgrade paths. Refer to the Juniper Security Advisory JSA11267 for complete patch information and upgrade guidance.
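A way to triage an inventory against the affected ranges listed on this page, as an added example that is not part of the advisory or any Juniper tool: it parses Junos version strings of the form major.minorRn-Sn and compares them within a branch, which is how the ranges above are stated. The 18.2 branch is carried with no upper bound because the page gives none; version strings in other forms (EVO, -D, extra dot components) are rejected rather than guessed at, and the hostnames are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges exactly as listed on this page: branch -> (first affected, first fixed).
# None as the fixed version means the page states no upper bound (the 18.2 branch).
AFFECTED: Dict[str, Tuple[str, Optional[str]]] = {
    "17.3": ("17.3R3-S9", "17.3R3-S12"),
    "17.4": ("17.4R3-S3", "17.4R3-S5"),
    "18.1": ("18.1R3-S11", "18.1R3-S13"),
    "18.2": ("18.2R3-S6", None),
    "18.3": ("18.3R3-S4", "18.3R3-S5"),
    "18.4": ("18.4R3-S5", "18.4R3-S9"),
    "19.1": ("19.1R3-S3", "19.1R3-S7"),
}

# major.minor R release [-S service]; anything else raises so it is not misclassified.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?$")

def parse_version(v: str) -> Tuple[str, Tuple[int, int]]:
    """Split '18.4R3-S7' into its branch '18.4' and an orderable (release, service)
    tuple; a version with no -S suffix orders as service release 0."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {v!r}")
    major, minor, rel, svc = m.groups()
    return f"{major}.{minor}", (int(rel), int(svc or 0))

def is_affected(version: str) -> bool:
    """True when the version lies in [first affected, first fixed) for its branch."""
    branch, key = parse_version(version)
    if branch not in AFFECTED:
        return False
    first_bad, first_fixed = AFFECTED[branch]
    if key < parse_version(first_bad)[1]:
        return False
    return first_fixed is None or key < parse_version(first_fixed)[1]

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (hostname, version) pairs that still need an upgrade."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]

if __name__ == "__main__":
    # Constructed inventory; hostnames are not from the advisory.
    sample = [("edge-1", "18.4R3-S7"), ("edge-2", "18.4R3-S9"),
              ("core-1", "17.3R3-S8"), ("core-2", "18.2R3-S6")]
    for host, ver in triage(sample):
        print(f"{host}: {ver} is affected by CVE-2022-22159")
```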
Workarounds
- Review and consider modifying ECMP unilist selection configurations where operationally feasible
- Implement infrastructure access control lists to restrict traffic sources reaching management and routing interfaces
- Deploy rate limiting on interfaces where attack traffic may originate to reduce impact severity
- Contact Juniper JTAC for guidance on temporary mitigations specific to your deployment
# Example: Verify current Junos OS version
show version
# Example: Check rpd CPU utilization
show system processes extensive | match rpd
# Example: Monitor NETISR statistics (contact JTAC for specific commands)
show system statistics
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.