CVE-2021-0226

7.1 HIGH

📋 TL;DR

This vulnerability allows attackers to cause a denial of service on Juniper Junos OS Evolved devices by sending a specific IPv6 packet that terminates established IPv6 BGP sessions. Only Junos OS Evolved devices running affected versions are vulnerable, while standard Junos OS devices are not affected.

💻 Affected Systems

Products:
  • Juniper Networks Junos OS Evolved
Versions: 19.4 versions prior to 19.4R2-S3-EVO; 20.1 versions prior to 20.1R2-S3-EVO; 20.2 versions prior to 20.2R2-S1-EVO; 20.3 versions prior to 20.3R2-EVO
Operating Systems: Junos OS Evolved
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects IPv6 BGP sessions (both IBGP and EBGP). IPv4 BGP sessions are not affected. Standard Junos OS releases are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sustained BGP session termination leading to complete network disruption for IPv6 traffic, potentially causing widespread routing instability and service outages.

🟠 Likely Case

Intermittent BGP session drops causing routing instability, packet loss, and degraded network performance for IPv6 traffic.

🟢 If Mitigated

Minimal impact with proper network segmentation, BGP session monitoring, and rapid detection of anomalous IPv6 traffic.

🌐 Internet-Facing: HIGH - BGP sessions are typically internet-facing, making them directly accessible to attackers who can craft malicious IPv6 packets.
🏢 Internal Only: MEDIUM - Internal BGP sessions could be affected if attackers gain internal network access or if malicious traffic originates internally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Attack requires sending a specific IPv6 packet to vulnerable BGP sessions.

Exploitation requires network access to BGP sessions and knowledge of the specific packet format. No authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 19.4R2-S3-EVO, 20.1R2-S3-EVO, 20.2R2-S1-EVO, 20.3R2-EVO or later

Vendor Advisory: https://kb.juniper.net/JSA11121

Restart Required: Yes

Instructions:

1. Check current version with 'show version'.
2. Download appropriate patch from Juniper support.
3. Apply patch using standard Junos upgrade procedures.
4. Reboot device to activate fixed version.

🔧 Temporary Workarounds

IPv6 BGP Session Filtering

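Implement ACLs or firewall rules to filter suspicious IPv6 traffic to BGP sessions. A firewall filter takes effect as an input filter on an interface (lo0 here, for traffic addressed to the device itself), not as a BGP import policy, and it needs a final accept term because Junos filters end in an implicit discard. If lo0 already has an input filter, add the discard term to that filter instead of attaching a new one.

set firewall family inet6 filter BGP-FILTER term BLOCK-MALICIOUS from source-address <suspicious-ipv6>
set firewall family inet6 filter BGP-FILTER term BLOCK-MALICIOUS then discard
set firewall family inet6 filter BGP-FILTER term ALLOW-OTHER then accept
set interfaces lo0 unit 0 family inet6 filter input BGP-FILTER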

BGP Session Monitoring

Implement aggressive BGP session monitoring and automatic restart

set protocols bgp group <group-name> hold-time 30
set protocols bgp group <group-name> keepalive 10
set event-options policy BGP-RESTART events bgp_neighbor_down
set event-options policy BGP-RESTART then execute-commands commands "restart bgp"

🧯 If You Can't Patch

  • Implement strict IPv6 traffic filtering at network perimeter to block suspicious packets
  • Consider temporarily disabling IPv6 BGP sessions if IPv4-only operation is acceptable

🔍 How to Verify

Check if Vulnerable:

Run 'show version' and check if version matches affected range. Check BGP session status with 'show bgp summary' for IPv6 sessions.

Check Version:

show version | match Junos

Verify Fix Applied:

After patching, verify version is updated with 'show version'. Monitor BGP sessions with 'show bgp neighbor' for stability.
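
The version check above can be run across an inventory. The following is an added example, not code from Juniper or from this page's source: it classifies the output of 'show version | match Junos' against the fixed releases listed under Official Fix. It assumes releases order linearly by R number and then S number within a train; the hostnames and version lines in SAMPLE are constructed.

```python
import re

# Fixed releases per release train, copied from the "Official Fix" section.
# Value is (R number, S number); no -S suffix counts as S0.
FIXED = {
    (19, 4): (2, 3),  # 19.4R2-S3-EVO
    (20, 1): (2, 3),  # 20.1R2-S3-EVO
    (20, 2): (2, 1),  # 20.2R2-S1-EVO
    (20, 3): (2, 0),  # 20.3R2-EVO
}

# Matches e.g. "20.1R2-S3-EVO" or "20.3R1.4-EVO"; a build suffix (".4") is ignored.
VERSION_RE = re.compile(r"(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(-EVO)?\b")

def classify(show_version_line):
    """Return 'affected', 'fixed', 'not-evolved', 'unlisted' or 'unparsed'."""
    m = VERSION_RE.search(show_version_line)
    if not m:
        return "unparsed"
    major, minor, rel, svc = (int(g) if g else 0 for g in m.group(1, 2, 3, 4))
    if m.group(5) is None:
        return "not-evolved"  # standard Junos OS is not affected
    train = (major, minor)
    if train in FIXED:
        return "fixed" if (rel, svc) >= FIXED[train] else "affected"
    # Trains newer than the last listed one fall under "or later"; older
    # EVO trains are not mentioned on the page, so they are not judged here.
    return "fixed" if train > max(FIXED) else "unlisted"

def audit(inventory):
    """Map each hostname to its verdict."""
    return {host: classify(line) for host, line in inventory.items()}

# Constructed sample inventory: hostname -> 'show version | match Junos' output.
SAMPLE = {
    "edge-1": "Junos: 19.4R2-S2-EVO",
    "edge-2": "Junos: 20.1R2-S3.5-EVO",
    "core-1": "Junos: 20.3R1.4-EVO",
    "core-2": "Junos: 19.4R3-S1.3",
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host:8} {verdict}")
```

Hosts reported as 'unlisted' or 'unparsed' need a manual check against the vendor advisory.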

📡 Detection & Monitoring

Log Indicators:

  • BGP session state changes
  • Unexpected BGP neighbor down events
  • IPv6 packet drops in firewall logs

Network Indicators:

  • Sudden BGP session drops for IPv6 peers
  • Increased BGP keepalive timeouts
  • Unusual IPv6 traffic patterns to BGP ports

SIEM Query:

(source="juniper-firewall" (dest_port=179 OR protocol="BGP") action="deny") OR (source="juniper-bgp" event="neighbor_down")
