CVE-2025-30660
Remediation / Mitigation Strategy: CVE-2025-30660
Vulnerability Description: Improper Check for Unusual or Exceptional Conditions in Junos OS MX Series Packet Forwarding Engine (PFE). Processing a high rate of specific GRE traffic destined for the device causes the respective PFE to hang, resulting in a Denial-of-Service (DoS) condition where traffic forwarding stops.
Severity: High (CVSS v3.1 Score: 8.7)
Known Exploit: A network-based attacker can exploit this vulnerability by sending a high rate of specific GRE traffic to the targeted MX Series device. The vulnerability is triggered when the PFE attempts to process packets with excessively large accompanying data, leading to the hang condition. No authentication is required.
Remediation:
- Upgrade Junos OS: Upgrade to a fixed release of Junos OS. The following releases remediate the vulnerability:
  - 21.2R3-S9 or later
  - 21.4R3-S8 or later
  - 22.2R3-S4 or later
  - 22.4R3-S5 or later
  - 23.2R2-S2 or later
  - 23.4R2-S1 or later (if available, otherwise upgrade to a supported release and subsequently apply the recommended service release)
Mitigation:
- Rate Limiting/Traffic Shaping: Implement rate limiting or traffic shaping policies on inbound GRE traffic to limit the number of packets processed by the MX Series device. This can help prevent the PFE from being overwhelmed.
- Access Control Lists (ACLs): Deploy ACLs to filter potentially malicious GRE traffic based on source IP address, port, or other identifying characteristics. While this may not be a complete solution, it can reduce the attack surface.
- Monitor System Logs: Regularly monitor system logs for the specified log messages:
  <fpc #> MQSS(0): LI-3: Received a parcel with more than 512B accompanying data
  CHASSISD_FPC_ASIC_ERROR: ASIC Error detected <...>
  If these logs are observed, investigate and potentially implement temporary mitigation measures until a permanent fix can be applied.
- Disable GRE (If Feasible): If GRE traffic is not required, consider disabling it on the MX Series devices to completely eliminate the vulnerability. However, this is only a viable option if it does not impact legitimate business operations.
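The log check from the "Monitor System Logs" item, as an added example (not part of the advisory or any Juniper tooling): a Python scan of collected syslog lines for the two quoted messages, grouped per device. The BSD-syslog prefix, the "fpc<N>" rendering of "<fpc #>", the host names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Both message patterns are taken from the log lines quoted in the advisory.
# Assumptions: "<fpc #>" renders as "fpc<N>", the MQSS instance number may
# differ from 0, and lines carry a BSD-syslog prefix "Mon DD HH:MM:SS host".
PREFIX = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\s")
PARCEL = re.compile(r"(?P<fpc>fpc\d+)\s+MQSS\(\d+\): LI-3: "
                    r"Received a parcel with more than 512B accompanying data")
ASIC = re.compile(r"CHASSISD_FPC_ASIC_ERROR: ASIC Error detected")

# Constructed sample input (hypothetical hosts, not real device output).
SAMPLE = """\
Apr  9 20:01:11 mx-edge-1 fpc2 MQSS(0): LI-3: Received a parcel with more than 512B accompanying data
Apr  9 20:01:11 mx-edge-1 fpc2 MQSS(0): LI-3: Received a parcel with more than 512B accompanying data
Apr  9 20:01:12 mx-edge-1 CHASSISD_FPC_ASIC_ERROR: ASIC Error detected <...>
Apr  9 20:02:40 mx-edge-2 fpc0 MQSS(0): LI-3: Received a parcel with more than 512B accompanying data
Apr  9 20:03:00 mx-edge-3 sshd[99]: Accepted publickey for admin
""".splitlines()


def scan(lines):
    """Return {host: {"parcel": {fpc: count}, "asic": count, "status": str}}."""
    seen = defaultdict(lambda: {"parcel": defaultdict(int), "asic": 0})
    for line in lines:
        prefix = PREFIX.match(line)
        host = prefix.group("host") if prefix else "unknown"
        parcel = PARCEL.search(line)
        if parcel:
            seen[host]["parcel"][parcel.group("fpc")] += 1
        elif ASIC.search(line):
            seen[host]["asic"] += 1
    report = {}
    for host, hits in seen.items():
        # Both messages on one device match the advisory's full indicator set;
        # either one alone still calls for investigation.
        both = bool(hits["parcel"]) and hits["asic"] > 0
        report[host] = {
            "parcel": dict(hits["parcel"]),
            "asic": hits["asic"],
            "status": "both-indicators" if both else "one-indicator",
        }
    return report


if __name__ == "__main__":
    for host, entry in scan(SAMPLE).items():
        print(host, entry)
```

Hosts with no matching line are left out of the report, so an empty result means neither message was seen in the scanned window.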
Assigner
- Juniper Networks, Inc.
Date
- Published Date: 2025-04-09 20:15:30
- Updated Date: 2025-04-09 20:15:30