^{CVE-2021-0254:}Buffer Size Validation Vulnerability in Juniper Networks Junos OS Overlayd Service

Overview

This vulnerability (CVE-2021-0254) affects the overlayd service in Juniper Networks Junos OS. The overlayd daemon processes Overlay OAM packets such as ping and traceroute sent to the overlay network. Due to improper buffer size validation, an attacker can send specially crafted packets to trigger a buffer overflow, potentially resulting in remote code execution or a partial denial of service condition. The service runs with root privileges by default and listens on UDP port 4789.

The vulnerability affects MX Series, ACX Series, and QFX Series platforms by default, as well as other platforms where Virtual Extensible LAN (VXLAN) overlay networks are configured. SRX Series devices do not support VXLAN and are therefore not vulnerable to this issue.

Remediation

To address this vulnerability, users should upgrade to a fixed version of Juniper Networks Junos OS:

• For 15.1: Upgrade to 15.1R7-S9 or later
• For 17.3: Upgrade to 17.3R3-S11 or later
• For 17.4: Upgrade to 17.4R2-S13, 17.4R3-S4, or later
• For 18.1: Upgrade to 18.1R3-S12 or later
• For 18.2: Upgrade to 18.2R2-S8, 18.2R3-S7, or later
• For 18.3: Upgrade to 18.3R3-S4 or later
• For 18.4: Upgrade to 18.4R1-S8, 18.4R2-S7, 18.4R3-S7, or later
• For 19.1: Upgrade to 19.1R2-S2, 19.1R3-S4, or later
• For 19.2: Upgrade to 19.2R1-S6, 19.2R3-S2, or later
• For 19.3: Upgrade to 19.3R3-S1 or later
• For 19.4: Upgrade to 19.4R2-S4, 19.4R3-S1, or later
• For 20.1: Upgrade to 20.1R2-S1, 20.1R3, or later
• For 20.2: Upgrade to 20.2R2, 20.2R2-S1, 20.2R3, or later
• For 20.3: Upgrade to 20.3R1-S1 or later

If upgrading is not immediately possible, consider implementing network security controls to restrict access to UDP port 4789 to trusted sources only.

References

1. Juniper Networks Security Advisory JSA11147: https://kb.juniper.net/JSA11147
2. Common Weakness Enumeration: CWE-787 (Out-of-bounds Write)