CVE-2025-30658
Vulnerability Remediation/Mitigation Strategy: CVE-2025-30658
Description: Missing Release of Memory after Effective Lifetime in the Anti-Virus processing of Juniper Networks Junos OS on SRX Series devices. Specific HTTP content within a server’s response can cause Juniper Buffers (jbufs) to be queued but never released, leading to exhaustion of jbufs and a Denial-of-Service (DoS) condition.
Severity: High (CVSS v3.1 Score: 8.7)
Known Exploit: An unauthenticated, network-based attacker can send crafted HTTP traffic to trigger the jbuf leak and exhaust device resources, leading to complete disruption of traffic forwarding.
Remediation Strategy:
Immediate Action:
- Identify Affected Devices: Determine all SRX Series devices running Junos OS and confirm if Anti-Virus is enabled.
Apply Software Patch:
- Upgrade Junos OS: Upgrade to a fixed software version as soon as possible. The following versions and later are not affected:
- 21.2R3-S9
- 21.4R3-S10
- 22.2R3-S6
- 22.4R3-S6
- 23.2R2-S3
- 23.4R2-S3
- 24.2R2-S3 (this is the minimum version to be installed on this train; any later version also addresses the vulnerability)
- Testing: Before deploying to production, thoroughly test the upgrade in a lab environment to ensure compatibility and stability.
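To support the "Identify Affected Devices" and "Upgrade Junos OS" steps above, the following Python script is an added example (not Juniper's code and not from this advisory) that parses Junos version strings and compares each device in an inventory against the fixed releases listed on this page. The inventory, hostnames and the classification of trains the page does not list (treated as needing an upgrade) are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases as listed on this page for CVE-2025-30658; one entry per release train.
FIXED_RELEASES = [
    "21.2R3-S9", "21.4R3-S10", "22.2R3-S6", "22.4R3-S6",
    "23.2R2-S3", "23.4R2-S3", "24.2R2-S3",
]

# Matches the leading "MM.mRn[-Sk]" of a Junos version string; trailing build
# suffixes such as ".3" (e.g. 22.4R3-S5.3) are ignored for the comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?")

Version = Tuple[int, int, int, int]


def parse_junos_version(text: str) -> Version:
    """Turn '22.4R3-S6' into (22, 4, 3, 6); a missing -S suffix counts as service release 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {text!r}")
    major, minor, release, service = m.groups()
    return (int(major), int(minor), int(release), int(service or 0))


_FIXED_BY_TRAIN: Dict[Tuple[int, int], Version] = {
    parse_junos_version(v)[:2]: parse_junos_version(v) for v in FIXED_RELEASES
}
_NEWEST_TRAIN = max(_FIXED_BY_TRAIN)  # (24, 2) for the list on this page


def classify(version: str) -> str:
    """Return 'fixed', 'affected' or 'unlisted-train' for a Junos version string.

    'fixed'          : at or above the fixed release for its train, or on a train
                       newer than 24.2 (the page states higher versions also address it).
    'affected'       : on a listed train but below that train's fixed release.
    'unlisted-train' : a train the page lists no fixed release for (e.g. 22.3, or
                       anything before 21.2). Assumption for this example: treat it
                       as needing an upgrade to a listed train until confirmed otherwise.
    """
    v = parse_junos_version(version)
    train = v[:2]
    if train in _FIXED_BY_TRAIN:
        return "fixed" if v >= _FIXED_BY_TRAIN[train] else "affected"
    if train > _NEWEST_TRAIN:
        return "fixed"
    return "unlisted-train"


def devices_needing_action(inventory: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Filter an inventory down to SRX devices that still need attention.

    Each record carries 'host', 'version' and 'antivirus_enabled'. Devices with
    Anti-Virus disabled are still listed (so they are not forgotten if AV is
    enabled later) but marked as not exposed today.
    """
    out = []
    for dev in inventory:
        status = classify(str(dev["version"]))
        if status == "fixed":
            continue
        out.append({**dev, "status": status,
                    "exposed_now": bool(dev["antivirus_enabled"])})
    return out


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = [
    {"host": "srx-edge-1", "version": "21.4R3-S9",   "antivirus_enabled": True},
    {"host": "srx-edge-2", "version": "21.4R3-S10",  "antivirus_enabled": True},
    {"host": "srx-dc-1",   "version": "22.4R3-S5.3", "antivirus_enabled": False},
    {"host": "srx-dc-2",   "version": "24.4R1",      "antivirus_enabled": True},
    {"host": "srx-lab",    "version": "20.4R3-S8",   "antivirus_enabled": True},
]

if __name__ == "__main__":
    for dev in devices_needing_action(SAMPLE_INVENTORY):
        print(f"{dev['host']:<12} {dev['version']:<12} {dev['status']:<15} "
              f"exposed_now={dev['exposed_now']}")
```

The comparison is done per release train because a higher-numbered train does not imply a later service release on an older train (21.4R3-S9 is still below 21.4R3-S10 even though 22.2R3-S6 exists); feed the script the output of your own inventory system and treat anything other than "fixed" as an open action item.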
Monitoring and Detection:
- Log Monitoring: Implement proactive monitoring for jbuf utilization levels. Specifically, monitor for the following log message:
  Warning: jbuf pool id <#> utilization level (<#>%) is above <#>%!
  Configure alerts to trigger when jbuf pool utilization exceeds a predefined threshold (e.g., 80%).
- Traffic Analysis: Monitor network traffic for suspicious HTTP patterns that could indicate an attempted exploit.
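As an added example of the log monitoring described above (not code from Juniper or from this advisory), the Python script below parses the jbuf warning out of syslog lines, reports pools that have crossed an alert threshold, and flags pools whose utilization only ever climbs across successive warnings, which is what a buffer that is queued and never released looks like in practice. The syslog excerpt, hostnames and the "monotonic rise means leak" heuristic are assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Pattern for the jbuf warning quoted on this page; the three numbers are the
# pool id, the current utilization and the threshold the device compared against.
JBUF_WARNING_RE = re.compile(
    r"Warning: jbuf pool id (?P<pool>\d+) utilization level "
    r"\((?P<level>\d+)%\) is above (?P<limit>\d+)%!"
)


def parse_jbuf_warnings(lines: List[str]) -> List[Dict[str, int]]:
    """Extract pool/level/limit from every syslog line carrying the jbuf warning."""
    events = []
    for line in lines:
        m = JBUF_WARNING_RE.search(line)
        if m:
            events.append({k: int(v) for k, v in m.groupdict().items()})
    return events


def pools_over_threshold(events: List[Dict[str, int]], threshold: int = 80) -> Dict[int, int]:
    """Peak utilization per pool, for pools that reached our own alert threshold."""
    peak: Dict[int, int] = {}
    for e in events:
        if e["level"] >= threshold:
            peak[e["pool"]] = max(peak.get(e["pool"], 0), e["level"])
    return peak


def leaking_pools(events: List[Dict[str, int]], min_samples: int = 3) -> List[int]:
    """Pools whose reported utilization strictly rises across consecutive warnings.

    A leak never hands buffers back, so utilization climbs monotonically until the
    pool is exhausted; a transient traffic burst usually produces warnings that fall
    again. This is a heuristic chosen for the example (assumption), not a rule from
    the advisory, so use it to prioritise investigation rather than as proof.
    """
    series: Dict[int, List[int]] = defaultdict(list)
    for e in events:
        series[e["pool"]].append(e["level"])
    result = []
    for pool, levels in series.items():
        if len(levels) >= min_samples and all(b > a for a, b in zip(levels, levels[1:])):
            result.append(pool)
    return sorted(result)


# Constructed syslog excerpt (hostname, timestamps and values invented for this example).
SAMPLE_LOG = """\
Apr  9 10:00:01 srx-edge-1 kernel: Warning: jbuf pool id 0 utilization level (72%) is above 70%!
Apr  9 10:02:13 srx-edge-1 kernel: Warning: jbuf pool id 2 utilization level (83%) is above 80%!
Apr  9 10:04:13 srx-edge-1 kernel: Warning: jbuf pool id 2 utilization level (76%) is above 70%!
Apr  9 10:05:01 srx-edge-1 kernel: Warning: jbuf pool id 0 utilization level (81%) is above 80%!
Apr  9 10:05:02 srx-edge-1 sshd[1234]: Accepted publickey for admin from 10.0.0.5
Apr  9 10:06:13 srx-edge-1 kernel: Warning: jbuf pool id 2 utilization level (71%) is above 70%!
Apr  9 10:10:01 srx-edge-1 kernel: Warning: jbuf pool id 0 utilization level (89%) is above 80%!
Apr  9 10:15:01 srx-edge-1 kernel: Warning: jbuf pool id 0 utilization level (95%) is above 90%!
""".splitlines()

if __name__ == "__main__":
    ev = parse_jbuf_warnings(SAMPLE_LOG)
    print("warnings parsed:", len(ev))
    print("pools at/over 80%:", pools_over_threshold(ev))
    print("pools that look like a leak:", leaking_pools(ev))
```

Pipe the device's syslog export (or a SIEM query result) into parse_jbuf_warnings; an alert on pools_over_threshold gives the early warning the page asks for, and leaking_pools helps decide whether the warning is a load spike or the steady climb that precedes the reboot described under Recovery.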
Mitigation (If immediate patching is not possible):
- Disable Anti-Virus: As a temporary workaround, disable the Anti-Virus feature on SRX Series devices. This will eliminate the vulnerability but remove Anti-Virus protection.
  user@host# set security policies default-policy permit-all
  user@host# set security alg dns disabled
  user@host# set security alg ftp disabled
  user@host# set security alg h323 disabled
  user@host# set security alg mgcp disabled
  user@host# set security alg msrpc disabled
  user@host# set security alg pptp disabled
  user@host# set security alg rsh disabled
  user@host# set security alg rtsp disabled
  user@host# set security alg sip disabled
  user@host# set security alg sql disabled
  user@host# set security application-firewall enable
  user@host# set security utm default-configuration
  user@host# set security utm feature-profile web-filtering type juniper-enhanced
  user@host# set security utm feature-profile web-filtering url-filtering refresh-time 24000
  user@host# set security utm feature-profile anti-spam mime-deobfuscate
  user@host# set security utm feature-profile anti-spam default action block
  user@host# set security utm feature-profile anti-spam connection-limit 50
  user@host# set security utm feature-profile anti-spam ip-reputation db-version 16000
  user@host# set security utm feature-profile anti-spam smtp block-option "450 Requested action aborted. Local error in processing."
  user@host# set security utm default-configuration web-filtering juniper-enhanced
  user@host# set security utm default-configuration anti-spam default
  user@host# set security utm default-configuration anti-virus none
  user@host# set security policies from-zone trust to-zone untrust policy p1 match source-address any
  user@host# set security policies from-zone trust to-zone untrust policy p1 match destination-address any
  user@host# set security policies from-zone trust to-zone untrust policy p1 match application any
  user@host# set security policies from-zone trust to-zone untrust policy p1 then permit application-services utm default-configuration
  user@host# set security policies from-zone untrust to-zone trust policy p2 match source-address any
  user@host# set security policies from-zone untrust to-zone trust policy p2 match destination-address any
  user@host# set security policies from-zone untrust to-zone trust policy p2 match application any
  user@host# set security policies from-zone untrust to-zone trust policy p2 then permit application-services utm default-configuration
  Note: This will significantly reduce security posture and should only be used as a last resort until patching is possible.
- Rate Limiting: Implement strict rate limiting on HTTP traffic to reduce the impact of a potential exploit. This should be carefully configured to avoid impacting legitimate traffic.
- Web Application Firewall (WAF): Deploy a WAF in front of critical web applications to detect and block malicious HTTP traffic. Configure WAF rules to identify and block suspicious patterns.
Recovery:
- Reboot: If the device experiences a DoS due to this vulnerability, a manual reboot is required to free the leaked jbufs and restore functionality.
Communication:
- Communicate the vulnerability details and mitigation steps to all relevant personnel (network engineers, security team, system administrators).
- Provide regular updates on the patching progress and any observed incidents.
Assigner
- Juniper Networks, Inc. [email protected]
Date
- Published Date: 2025-04-09 20:15:30
- Updated Date: 2025-04-09 20:15:30