CVE-2021-31376
📋 TL;DR
An improper input validation vulnerability in the Packet Forwarding Engine manager (FXPC) process of Juniper Networks Junos OS allows attackers to cause a Denial of Service (DoS) by sending specific DHCPv6 packets to affected ACX Series devices, crashing the FXPC service. This affects only specific ACX Series platforms running Junos OS 18.4R3-S7 and later versions prior to 18.4R3-S8.
💻 Affected Systems
- Juniper Networks ACX500
- ACX1000
- ACX1100
- ACX2100
- ACX2200
- ACX4000
- ACX5048
- ACX5096
📦 What is this software?
Junos by Juniper
Junos OS is Juniper Networks' flagship network operating system running on enterprise routers, switches, security appliances, and data center infrastructure worldwide. Deployed across telecommunications providers, ISPs, cloud service providers, financial institutions, and large enterprises, Junos po...
⚠️ Risk & Real-World Impact
Worst Case
Sustained DoS condition rendering network devices completely unavailable, disrupting all traffic forwarding capabilities on affected ACX Series routers.
Likely Case
Intermittent or sustained service disruption on affected ACX devices, requiring manual intervention to restore service.
If Mitigated
Limited impact with proper network segmentation and DHCPv6 filtering in place.
🎯 Exploit Status
Exploitation requires sending specific DHCPv6 packets to vulnerable devices, which is relatively straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Junos OS 18.4R3-S8
Vendor Advisory: https://kb.juniper.net/JSA11241
Restart Required: Yes
Instructions:
1. Download Junos OS 18.4R3-S8 from the Juniper support portal.
2. Upload the image to device storage.
3. Install it using the 'request system software add' command.
4. Reboot the device to complete the installation.
🔧 Temporary Workarounds
DHCPv6 Filtering
Implement firewall filters to block or rate-limit DHCPv6 packets on vulnerable interfaces
set firewall family inet6 filter BLOCK-DHCPV6 term 1 from next-header udp
set firewall family inet6 filter BLOCK-DHCPV6 term 1 from destination-port [ 546 547 ]
set firewall family inet6 filter BLOCK-DHCPV6 term 1 then count dhcpv6-dropped
set firewall family inet6 filter BLOCK-DHCPV6 term 1 then discard
set firewall family inet6 filter BLOCK-DHCPV6 term 2 then accept
set interfaces <interface-name> unit <unit-number> family inet6 filter input BLOCK-DHCPV6
Notes: family inet6 filters match the transport protocol with next-header (protocol is the family inet keyword); ports 546 and 547 are dhcpv6-client and dhcpv6-server. The final accept term is required because a Junos filter ends with an implicit discard, so without it all other IPv6 traffic on the interface would be dropped. The counter lets you see in 'show firewall' how much DHCPv6 the filter is discarding.
🧯 If You Can't Patch
- Implement strict network segmentation to limit DHCPv6 traffic to trusted sources only
- Disable DHCPv6 on interfaces where not required, using static IPv6 addressing instead
🔍 How to Verify
Check if Vulnerable:
Run 'show version' and confirm whether the device is one of the affected ACX platforms and is running an affected Junos OS release (18.4R3-S7 or a later 18.4R3 service release prior to 18.4R3-S8).
Check Version:
show version | match "Junos:|Model:"
Verify Fix Applied:
Verify Junos OS version is 18.4R3-S8 or later using 'show version' command
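The check above can be automated across a fleet. The following is an added example (not part of this advisory page or Juniper tooling) that parses the two lines kept by 'show version | match "Junos:|Model:"', compares the version against the affected range stated in the TL;DR, and reports whether the device falls inside it. It assumes the range is confined to the 18.4R3 train (service releases S7 up to but not including S8) and deliberately makes no statement about other trains; the sample output is constructed.

```python
import re

# Affected ACX platforms as listed in the Affected Systems section above
AFFECTED_MODELS = {
    "acx500", "acx1000", "acx1100", "acx2100",
    "acx2200", "acx4000", "acx5048", "acx5096",
}

# Matches e.g. "18.4R3-S7", "18.4R3-S7.2", "18.4R3"; trailing ".x" suffixes
# are ignored because they still sort below the next service release.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?", re.IGNORECASE)

def parse_junos_version(text):
    """Turn '18.4R3-S7' into the tuple (18, 4, 3, 7).
    A release without a service-release suffix gets S0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Junos version: %r" % text)
    major, minor, release, service = m.groups()
    return (int(major), int(minor), int(release), int(service or 0))

# Range given on this page: 18.4R3-S7 and later, prior to 18.4R3-S8
AFFECTED_TRAIN = (18, 4, 3)
FIRST_AFFECTED_SR = 7
FIXED_SR = 8

def in_affected_range(model, version):
    """True only when the platform is an affected ACX model AND the
    version is an 18.4R3 service release in [S7, S8)."""
    if model.strip().lower() not in AFFECTED_MODELS:
        return False
    major, minor, release, service = parse_junos_version(version)
    if (major, minor, release) != AFFECTED_TRAIN:
        return False
    return FIRST_AFFECTED_SR <= service < FIXED_SR

def assess_show_version(output):
    """Parse the 'Model:' and 'Junos:' lines from show version output and
    return (model, version, in_affected_range)."""
    model = version = None
    for line in output.splitlines():
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key == "model":
            model = value.strip()
        elif key == "junos":
            version = value.strip()
    if model is None or version is None:
        raise ValueError("output lacks a Model: or Junos: line")
    return model, version, in_affected_range(model, version)

if __name__ == "__main__":
    # Constructed sample output, not captured from a real device
    sample = "Model: acx2100\nJunos: 18.4R3-S7\n"
    print(assess_show_version(sample))
```

Feed it the output of the verification command from each device; a True result means the device matches both the platform and version conditions on this page and should be scheduled for the 18.4R3-S8 upgrade.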
📡 Detection & Monitoring
Log Indicators:
- FXPC process crashes in system logs
- DHCPv6 packet processing errors
- Service disruption alerts
Network Indicators:
- Unusual DHCPv6 traffic patterns to ACX devices
- Sudden loss of connectivity through affected routers
SIEM Query:
source="juniper-firewall" AND ((event_type="process_crash" AND process="fxpc") OR (protocol="dhcpv6" AND dest_ip="ACX_device_IP"))
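For environments without a SIEM, or to validate the query above before deploying it, the following added example (not part of this page and not Juniper code) applies the same log indicators to raw syslog lines: it flags FXPC crash or core-dump messages, counts DHCPv6 processing errors, and raises the severity of a crash when DHCPv6 errors from the same device preceded it within a short window. The sample log lines are constructed for the demonstration and are not verbatim Junos message text, so adjust the regular expressions to the wording your release actually emits.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (illustrative wording, not real Junos messages)
SAMPLE_LOGS = """\
Mar  3 09:02:11 acx-edge2 init: fxpc (PID 1990) terminated by signal number 11. Core dumped!
Mar  3 10:14:58 acx-edge1 jdhcpd[1812]: dhcpv6 error: malformed option in packet from fe80::1
Mar  3 10:14:59 acx-edge1 jdhcpd[1812]: dhcpv6 error: malformed option in packet from fe80::1
Mar  3 10:15:03 acx-edge1 init: fxpc (PID 2345) terminated by signal number 11. Core dumped!
Mar  3 10:15:04 acx-edge1 init: fxpc (PID 2401) started
Mar  3 11:40:10 acx-edge1 sshd[3001]: Accepted publickey for admin from 192.0.2.10
"""

# BSD syslog layout: timestamp, host, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
CRASH_RE = re.compile(r"core|crash|terminated by signal|segmentation fault", re.I)
DHCPV6_ERR_RE = re.compile(r"dhcpv6.*(error|malformed|invalid)", re.I)

def parse_line(line):
    """Return a dict for a well-formed syslog line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # No year in the timestamp; strptime defaults to 1900, fine for deltas
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "proc": m.group("proc"),
            "msg": m.group("msg"), "raw": line}

def classify(event):
    """Map an event to one of the page's log indicators, or None."""
    text = (event["proc"] + ": " + event["msg"]).lower()
    if "fxpc" in text and CRASH_RE.search(event["msg"]):
        return "fxpc_crash"
    if DHCPV6_ERR_RE.search(event["msg"]):
        return "dhcpv6_error"
    return None

def analyze(log_text, window=timedelta(seconds=120)):
    """Summarise crashes and DHCPv6 errors; a crash preceded by DHCPv6
    errors on the same host within `window` is reported as high severity."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    crashes, dhcp_errors = [], []
    for e in events:
        kind = classify(e)
        if kind == "fxpc_crash":
            crashes.append(e)
        elif kind == "dhcpv6_error":
            dhcp_errors.append(e)
    findings = []
    for c in crashes:
        preceding = [d for d in dhcp_errors
                     if d["host"] == c["host"]
                     and timedelta(0) <= c["ts"] - d["ts"] <= window]
        findings.append({
            "host": c["host"],
            "when": c["ts"].strftime("%b %d %H:%M:%S"),
            "severity": "high" if preceding else "medium",
            "dhcpv6_errors_before": len(preceding),
            "line": c["raw"],
        })
    return {"fxpc_crashes": len(crashes),
            "dhcpv6_errors": len(dhcp_errors),
            "findings": findings}

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS)["findings"]:
        print(f["severity"].upper(), f["host"], f["when"], f["line"])
```

Run it over a syslog export from the ACX devices (or point it at a live file). A "high" finding is the combination this page describes: DHCPv6 processing errors followed by an FXPC crash on the same device; a "medium" finding is an FXPC crash with no DHCPv6 errors in the preceding window, which still warrants a look at the crash cause.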