CVE-2022-22175

Q: What is the severity of CVE-2022-22175?

CVE-2022-22175 has a CVSS score of 7.5 (HIGH). An improper locking vulnerability in the SIP ALG of Juniper Networks Junos OS on MX and SRX Series devices allows unauthenticated attackers to crash the flowprocessing daemon (flowd), causing a Denial of Service. Continued exploitation leads to sustained DoS. Affects Junos OS 20.4 through 21.3 versions with SIP ALG enabled.

7.5 HIGH

Denial of Service

📋 TL;DR

An improper locking vulnerability in the SIP ALG of Juniper Networks Junos OS on MX and SRX Series devices allows unauthenticated attackers to crash the flowprocessing daemon (flowd), causing a Denial of Service. Continued exploitation leads to sustained DoS. Affects Junos OS 20.4 through 21.3 versions with SIP ALG enabled.

💻 Affected Systems

Products:

Juniper Networks MX Series
Juniper Networks SRX Series

Versions: Junos OS 20.4 versions prior to 20.4R3-S1; 21.1 versions prior to 21.1R2-S2, 21.1R3; 21.2 versions prior to 21.2R1-S2, 21.2R2; 21.3 versions prior to 21.3R1-S1, 21.3R2

Operating Systems: Junos OS

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when SIP ALG (Application Layer Gateway) is enabled and processing specific SIP messages simultaneously. Versions prior to 20.4R1 are not affected.

📦 What is this software?

Junos by Juniper

Junos OS is Juniper Networks' flagship network operating system running on enterprise routers, switches, security appliances, and data center infrastructure worldwide. Deployed across telecommunications providers, ISPs, cloud service providers, financial institutions, and large enterprises, Junos po...

Learn more about Junos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sustained denial of service on critical network infrastructure, disrupting all traffic through affected devices until manual intervention.

🟠

Likely Case

Intermittent service disruptions requiring device reboots, impacting network availability and performance.

🟢

If Mitigated

Minimal impact if SIP ALG is disabled or devices are patched/isolated from untrusted traffic.

🌐 Internet-Facing: HIGH - Unauthenticated network attack that can be triggered from external sources if SIP ALG is enabled and exposed.

🏢 Internal Only: MEDIUM - Internal attackers or malware could exploit this, but requires SIP ALG to be enabled and processing specific SIP messages.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW - Network-based attack requiring specific SIP packets but no authentication.

Exploitation requires SIP ALG to be enabled and specific SIP message processing conditions. No public exploit code identified in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 20.4R3-S1, 21.1R2-S2, 21.1R3, 21.2R1-S2, 21.2R2, 21.3R1-S1, 21.3R2 or later

Vendor Advisory: https://kb.juniper.net/JSA11281

Restart Required: Yes

Instructions:

1. Check current Junos OS version. 2. Download appropriate patched version from Juniper support. 3. Follow Juniper upgrade procedures for MX/SRX devices. 4. Reboot device after upgrade.

🔧 Temporary Workarounds

Disable SIP ALG

all

Disables the SIP Application Layer Gateway feature that contains the vulnerability

set security alg sip disable
commit

Restrict SIP traffic

all

Use firewall rules to block or limit SIP traffic to vulnerable devices

set security policies from-zone untrust to-zone trust policy block-sip match source-address any
set security policies from-zone untrust to-zone trust policy block-sip match destination-address any
set security policies from-zone untrust to-zone trust policy block-sip match application junos-sip
set security policies from-zone untrust to-zone trust policy block-sip then deny
commit

🧯 If You Can't Patch

Disable SIP ALG immediately using 'set security alg sip disable' and commit
Implement network segmentation to isolate vulnerable devices from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check Junos OS version with 'show version' and verify if SIP ALG is enabled with 'show security alg status'

Check Version:

show version

Verify Fix Applied:

Verify upgraded to patched version with 'show version' and confirm SIP ALG status if re-enabled

📡 Detection & Monitoring

Log Indicators:

flowd process crashes
SIP ALG error messages
High CPU/memory usage on flowd
Device reboot events

Network Indicators:

Unusual SIP traffic patterns to MX/SRX devices
Increased SIP packet rates

SIEM Query:

source="juniper-firewall" AND ("flowd" OR "SIP ALG") AND (crash OR error OR restart)

📊 Metadata

CVE ID: CVE-2022-22175

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-667

Published: January 19, 2022

Last Updated: November 21, 2024

🔗 References

https://kb.juniper.net/JSA11281 Vendor Advisory
https://kb.juniper.net/JSA11281 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Junos by Juniper

Junos by Juniper

Junos by Juniper

Junos by Juniper

Junos by Juniper

Junos by Juniper

Junos by Juniper

Junos by Juniper

Junos by Juniper

Junos by Juniper

Junos by Juniper

Junos by Juniper

Junos by Juniper

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable SIP ALG

Restrict SIP traffic

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities