CVE-2025-30651

CVE-2025-30651: Junos OS and Junos OS Evolved rpd Denial of Service

Vulnerability Description: A Buffer Access with Incorrect Length Value vulnerability exists in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved. This allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). Sending a specific ICMPv6 packet to an interface with “protocols router-advertisement” configured will crash and restart rpd. Repeated receipt of the packet results in a sustained DoS condition. The issue affects systems configured with IPv6.

Severity: High (CVSS v3.1 Score: 8.7)

Known Exploit: Attackers can exploit this vulnerability by sending crafted ICMPv6 packets to trigger a crash and restart of the rpd process, leading to a sustained DoS.

Remediation / Mitigation Strategy:

  1. Upgrade Junos OS / Junos OS Evolved: The primary remediation is to upgrade to a fixed version of Junos OS or Junos OS Evolved. The following versions contain the fix:

    • Junos OS:
      • 21.2R3-S9 or later
      • 21.4R3-S10 or later
      • 22.2R3-S6 or later
      • 22.4R3-S4 or later
      • 23.2R2-S2 or later
      • 23.4R2 or later
    • Junos OS Evolved:
      • 21.2R3-S9-EVO or later
      • 21.4R3-S10-EVO or later
      • 22.2R3-S6-EVO or later
      • 22.4R3-S4-EVO or later
      • 23.2R2-S2-EVO or later
      • 23.4R2-EVO or later

  2. Disable IPv6 (Workaround): If upgrading is not immediately feasible, a temporary workaround is to disable IPv6 on interfaces where “protocols router-advertisement” is configured. Warning: Disabling IPv6 can impact network functionality that relies on IPv6. Perform thorough testing before implementing this workaround in a production environment.

    • Remove family inet6 configuration from affected interfaces.
    • Disable IPv6 Router Advertisements if not required. delete protocols router-advertisement interface

  3. Implement Access Control Lists (ACLs) / Firewall Filters: Implement access control lists (ACLs) or firewall filters to rate-limit or block ICMPv6 traffic to affected interfaces. This mitigation should be carefully configured to avoid legitimate ICMPv6 traffic. Ensure the implemented filters do not negatively impact legitimate network operation.

    • Example (Consider this a basic example and adjust based on your environment): set firewall family inet6 filter protect-rpd term block-icmpv6 from protocol icmpv6 set firewall family inet6 filter protect-rpd term block-icmpv6 then discard set firewall family inet6 filter protect-rpd term accept-all from any set firewall family inet6 filter protect-rpd term accept-all then accept set interfaces family inet6 filter input protect-rpd

  4. Monitor Network Traffic: Closely monitor network traffic for unusual ICMPv6 activity. Implement alerting mechanisms to detect potential exploitation attempts.

  5. Security Hardening: Review and harden the overall security configuration of the Junos OS/Evolved devices, including access controls, logging, and monitoring.

Testing:

  • After applying any mitigation, thoroughly test the network’s functionality to ensure the changes did not introduce any unforeseen issues. Testing should be done in a non-production environment whenever possible.
  • If possible, attempt to reproduce the vulnerability in a lab environment to verify the effectiveness of the mitigation strategy.

Note: The best long-term solution is to upgrade to a fixed version of Junos OS/Evolved. Workarounds should be considered temporary measures until an upgrade can be performed. Always refer to Juniper Networks’ official security advisories and documentation for the most up-to-date information and recommended practices.

Assigner

Date

  • Published Date: 2025-04-09 20:15:29
  • Updated Date: 2025-04-09 20:15:29

More Details

CVE-2025-30651