CVE-2023-28975 Overview
CVE-2023-28975 is an Unexpected Status Code or Return Value vulnerability in the kernel of Juniper Networks Junos OS that allows an unauthenticated attacker with physical access to the device to cause a Denial of Service (DoS). The vulnerability is classified under CWE-394 (Unexpected Status Code or Return Value) and CWE-754 (Improper Check for Unusual or Exceptional Conditions).
When certain USB devices are connected to a USB port of the routing-engine (RE), the kernel will crash leading to a reboot of the device. The device will continue to crash as long as the USB device is connected, creating a persistent denial of service condition.
Critical Impact
An attacker with physical access can cause persistent kernel crashes and device reboots by connecting a malicious USB device, resulting in sustained network outages.
Affected Products
- Juniper Junos OS all versions prior to 19.4R3-S10
- Juniper Junos OS 20.2 versions prior to 20.2R3-S7
- Juniper Junos OS 20.3 versions prior to 20.3R3-S6
- Juniper Junos OS 20.4 versions prior to 20.4R3-S5
- Juniper Junos OS 21.1 versions prior to 21.1R3-S4
- Juniper Junos OS 21.2 versions prior to 21.2R3-S4
- Juniper Junos OS 21.3 versions prior to 21.3R3-S3
- Juniper Junos OS 21.4 versions prior to 21.4R3-S2
- Juniper Junos OS 22.1 versions prior to 22.1R2-S2, 22.1R3
- Juniper Junos OS 22.2 versions prior to 22.2R2, 22.2R3
- Juniper Junos OS 22.3 versions prior to 22.3R1-S1, 22.3R2
- Juniper Junos OS 22.4 versions prior to 22.4R2
Discovery Timeline
- April 17, 2023 - CVE-2023-28975 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-28975
Vulnerability Analysis
This vulnerability exists in the Junos OS kernel's USB device handling mechanism. The kernel fails to properly check for and handle unusual or exceptional conditions (CWE-754) when certain USB devices are connected to the routing-engine's USB port. Additionally, the kernel does not properly handle unexpected status codes or return values (CWE-394) from USB device initialization routines.
The vulnerability is particularly concerning because it requires no authentication, only physical access to the device. Once a malicious USB device is connected, the kernel crashes immediately and the device reboots. Because the crash is triggered again during every boot while the offending USB device remains connected, the device enters a reboot loop.
Root Cause
The root cause stems from improper exception handling in the Junos OS kernel's USB subsystem. When processing USB device initialization or enumeration, the kernel encounters unexpected status codes or return values that it fails to handle gracefully. Instead of rejecting the malformed input or entering a safe state, the kernel panics and crashes.
The vulnerability indicates insufficient input validation and error handling in the kernel's USB driver code, where the software assumes that USB device responses will always conform to expected patterns.
Attack Vector
The attack requires physical access to the target Juniper device. An attacker must be able to connect a USB device to an available USB port on the routing-engine. The attack sequence involves:
- The attacker gains physical access to a Juniper device running a vulnerable version of Junos OS
- The attacker connects a specially crafted or specific type of USB device to the RE's USB port
- The kernel attempts to enumerate or initialize the USB device
- The USB subsystem encounters an unexpected condition or return value
- The kernel crashes and the device reboots
- Upon reboot, if the USB device is still connected, the crash cycle repeats
This creates a persistent denial of service that can only be resolved by physically removing the malicious USB device.
Detection Methods for CVE-2023-28975
Indicators of Compromise
- Unexpected and repeated device reboots with no apparent network-related cause
- System logs showing kernel panic or crash events associated with USB subsystem
- Physical evidence of unauthorized USB devices connected to routing-engine ports
- Correlation between device instability and recent physical access to equipment
Detection Strategies
- Monitor system logs for kernel panic messages or unexpected reboot events
- Implement physical access logging and surveillance around network equipment
- Review console logs for USB enumeration errors or driver crashes prior to reboots
- Establish baseline device uptime patterns to identify anomalous reboot behavior
Monitoring Recommendations
- Enable and centralize syslog collection from all Juniper devices to detect crash patterns
- Implement alerting on repeated device reboots within short time windows
- Configure SNMP traps for device reload events to provide early warning
- Monitor physical access control systems for unauthorized entries to data centers or wiring closets
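The detection and monitoring points above can be turned into a small log check. The following Python script is an added example, not part of the advisory or of any Juniper tooling: it parses syslog-style lines, counts kernel panic events inside a sliding time window, and reports how many panics were immediately preceded by a USB-related message. The log lines, the panic text and the window/threshold values are all constructed for the example; real Junos message text differs, so the regular expressions must be tuned against actual device output before use.

```python
import re
from collections import deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample of a Junos-style "messages" log (not real device output).
# Three panics in under ten minutes, each preceded by a USB enumeration line.
SAMPLE_LOG = """\
Apr 17 10:02:11 re0 /kernel: ugen0.3: <Unknown Vendor> at usbus0
Apr 17 10:02:12 re0 /kernel: panic: usb enumeration failed (constructed text)
Apr 17 10:05:41 re0 init: boot complete (constructed text)
Apr 17 10:06:02 re0 /kernel: ugen0.3: <Unknown Vendor> at usbus0
Apr 17 10:06:03 re0 /kernel: panic: usb enumeration failed (constructed text)
Apr 17 10:09:30 re0 init: boot complete (constructed text)
Apr 17 10:10:02 re0 /kernel: ugen0.3: <Unknown Vendor> at usbus0
Apr 17 10:10:03 re0 /kernel: panic: usb enumeration failed (constructed text)
Apr 17 10:13:55 re0 init: boot complete (constructed text)
Apr 17 11:40:00 re0 sshd[2201]: Accepted publickey for admin from 10.0.0.5
"""

# Classic syslog header: "Mon DD HH:MM:SS host message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<msg>.*)$"
)
# Patterns are assumptions for the example; adjust to the real panic strings.
PANIC_RE = re.compile(r"\bpanic\b", re.IGNORECASE)
USB_RE = re.compile(r"\busb|\bugen\d", re.IGNORECASE)


def parse_line(line: str, year: int = 2023) -> Optional[Tuple[datetime, str, str]]:
    """Split a syslog line into (timestamp, host, message).

    Syslog lines carry no year, so one is supplied (assumption: constant year)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def max_events_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events whose timestamps fall inside any `window`."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text: str,
            window: timedelta = timedelta(minutes=15),
            threshold: int = 3,
            context_lines: int = 3) -> Dict[str, object]:
    """Count panics, flag a reboot storm, and note USB activity just before each panic."""
    panics: List[datetime] = []
    usb_linked = 0
    recent: deque = deque(maxlen=context_lines)  # last few messages seen
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _host, msg = parsed
        if PANIC_RE.search(msg):
            panics.append(ts)
            if any(USB_RE.search(prev) for prev in recent):
                usb_linked += 1
        recent.append(msg)
    burst = max_events_in_window(panics, window) if panics else 0
    return {
        "panics": len(panics),
        "max_panics_in_window": burst,
        "storm": burst >= threshold,
        "usb_linked_panics": usb_linked,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The `usb_linked_panics` counter is the part worth keeping an eye on: a reboot storm alone can have many causes, but repeated panics that each follow a fresh USB enumeration message are the signature this advisory describes and should prompt a physical inspection of the routing-engine's USB ports.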
How to Mitigate CVE-2023-28975
Immediate Actions Required
- Restrict physical access to Juniper devices to authorized personnel only
- Audit all connected USB devices on affected routing-engines and remove any unauthorized devices
- Implement port locks or physical blockers on unused USB ports where feasible
- Upgrade to a patched version of Junos OS as soon as possible
Patch Information
Juniper Networks has released patches addressing this vulnerability. Organizations should upgrade to the following fixed versions based on their current release train:
- 19.4R3-S10 or later for 19.4 release
- 20.2R3-S7 or later for 20.2 release
- 20.3R3-S6 or later for 20.3 release
- 20.4R3-S5 or later for 20.4 release
- 21.1R3-S4 or later for 21.1 release
- 21.2R3-S4 or later for 21.2 release
- 21.3R3-S3 or later for 21.3 release
- 21.4R3-S2 or later for 21.4 release
- 22.1R2-S2, 22.1R3 or later for 22.1 release
- 22.2R2, 22.2R3 or later for 22.2 release
- 22.3R1-S1, 22.3R2 or later for 22.3 release
- 22.4R2 or later for 22.4 release
For detailed patch information, refer to the Juniper Security Advisory JSA70600.
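To turn the affected-version and fixed-version lists above into a repeatable check, the following Python snippet is an added example (not Juniper's code and not from the advisory). It parses Junos version strings of the form MAJOR.MINOR R<release>[-S<service>], ignoring any trailing build number, and compares a device's version against the first fixed release of its own train; trains older than 19.4 fall under "all versions prior to 19.4R3-S10", and trains the advisory does not mention (for example 20.1) are reported as not listed rather than guessed. The `show version` text used as input is constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# First fixed release per train, taken from the advisory text on this page.
# Later releases in the same train (e.g. 22.1R3 for 22.1) compare higher.
FIXED_BY_TRAIN: Dict[Tuple[int, int], str] = {
    (19, 4): "19.4R3-S10",
    (20, 2): "20.2R3-S7",
    (20, 3): "20.3R3-S6",
    (20, 4): "20.4R3-S5",
    (21, 1): "21.1R3-S4",
    (21, 2): "21.2R3-S4",
    (21, 3): "21.3R3-S3",
    (21, 4): "21.4R3-S2",
    (22, 1): "22.1R2-S2",
    (22, 2): "22.2R2",
    (22, 3): "22.3R1-S1",
    (22, 4): "22.4R2",
}

# Matches 21.4R3-S2, 22.2R2, 19.4R3; a trailing build tag such as ".9" is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, release, service); service is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {text!r}")
    major, minor, release, service = m.groups()
    return (int(major), int(minor), int(release), int(service or 0))


def assess(version: str) -> str:
    """Classify a version as 'vulnerable', 'fixed' or 'not listed'."""
    v = parse_version(version)
    train = v[:2]
    if train in FIXED_BY_TRAIN:
        return "fixed" if v >= parse_version(FIXED_BY_TRAIN[train]) else "vulnerable"
    if train < (19, 4):
        # "all versions prior to 19.4R3-S10" covers every earlier train
        return "vulnerable"
    return "not listed"  # e.g. 20.1 or 23.x: not in the advisory, do not guess


def version_from_show_version(output: str) -> Optional[str]:
    """Pull the 'Junos: x.yRz-Sn.b' line out of `show version` output."""
    for line in output.splitlines():
        if line.startswith("Junos:"):
            return line.split(":", 1)[1].strip()
    return None


# Constructed `show version` excerpt; hostname, model and build are made up.
SHOW_VERSION_SAMPLE = """\
Hostname: re0-lab
Model: mx480
Junos: 21.4R3-S1.5
"""


def assess_show_version(output: str) -> str:
    ver = version_from_show_version(output)
    if ver is None:
        raise ValueError("no 'Junos:' line found in show version output")
    return assess(ver)


if __name__ == "__main__":
    print(version_from_show_version(SHOW_VERSION_SAMPLE), assess_show_version(SHOW_VERSION_SAMPLE))
```

Tuple comparison does the work: 22.1R3 parses to (22, 1, 3, 0), which sorts above the fixed 22.1R2-S2 at (22, 1, 2, 2), so both fixed releases the advisory lists for the 22.1 train are handled by comparing against the first one.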
Workarounds
- Physically secure all USB ports on routing-engines using port blockers or tamper-evident seals
- Implement strict physical access controls to data centers and equipment rooms housing Juniper devices
- Consider disabling USB ports at the BIOS/firmware level if supported and not required for operations
- Establish incident response procedures for rapid USB device removal if persistent reboots are detected
# Verify current Junos OS version to assess vulnerability status
show version
# Review system logs for crash events
show log messages | match "kernel|panic|reboot"
# Check for connected USB devices (if command available)
show system usb
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.