CVE-2025-30645

Remediation / Mitigation Strategy for CVE-2025-30645

Vulnerability: NULL Pointer Dereference in flowd process when handling specific, valid control traffic within Dual-Stack (DS) Lite tunnels.

Severity: High (CVSS v3.1 Score: 8.7)

Known Exploit: An attacker sending specific, valid control traffic out of a DS-Lite tunnel can trigger a segmentation fault in the flowd process, causing it to crash and resulting in a Denial of Service (DoS). Continuous triggering of this traffic can create a sustained DoS condition.

Affected Products: Junos OS on SRX Series

• All versions before 21.2R3-S9
• From 21.4 before 21.4R3-S9
• From 22.2 before 22.2R3-S5
• From 22.4 before 22.4R3-S6
• From 23.2 before 23.2R2-S3
• From 23.4 before 23.4R2

Remediation:

1. Upgrade Junos OS: The primary remediation is to upgrade to a Junos OS version that includes the fix for CVE-2025-30645. Upgrade to one of the following versions or later:
   • 21.2R3-S9
   • 21.4R3-S9
   • 22.2R3-S5
   • 22.4R3-S6
   • 23.2R2-S3
   • 23.4R2
2. Follow Juniper’s Recommended Upgrade Procedures: Consult the Juniper Networks documentation for the recommended upgrade process for your specific SRX Series device and Junos OS version. This will help to ensure a smooth and successful upgrade.

Mitigation (If immediate upgrade is not possible):

1. Restrict DS-Lite Tunnel Traffic: Implement Access Control Lists (ACLs) or firewall filters to restrict the source and destination of control traffic associated with DS-Lite tunnels. This will make it harder for a malicious actor to send the specific triggering traffic. Carefully analyze network traffic to identify and block suspicious patterns.
2. Monitor Flowd Process: Implement monitoring for the flowd process on SRX devices. Configure alerts to trigger if the flowd process crashes or restarts unexpectedly. This will allow for quicker detection and response to a potential attack.
3. Rate Limiting: Implement rate limiting on DS-Lite control traffic to limit the number of potentially malicious packets that can be sent to the device. This may reduce the impact of the vulnerability, but it won’t eliminate it.
4. Disable DS-Lite (If Feasible): If DS-Lite is not critical to network operation, consider temporarily disabling it until an upgrade can be performed. Important Considerations:

• Testing: Before deploying any changes to a production environment, thoroughly test them in a non-production environment to ensure that they do not introduce any unintended consequences.
• Backups: Before upgrading, create a backup of the current Junos OS configuration.
• Monitoring: After implementing the fix or mitigation strategies, continuously monitor the SRX devices to ensure that the vulnerability is no longer exploitable and that the network is operating as expected.
• Vendor Communication: Subscribe to security advisories from Juniper Networks to stay informed about the latest vulnerabilities and security recommendations.

Assigner

• Juniper Networks, Inc. [email protected]

Date

• Published Date: 2025-04-09 20:15:28
• Updated Date: 2025-04-09 20:15:28

More Details

CVE-2025-30645