CVE-2020-1685 Information

Description

When configuring stateless firewall filters in Juniper Networks EX4600 and QFX 5000 Series devices using Virtual Extensible LAN protocol (VXLAN) the discard action will fail to discard traffic under certain conditions. Given a firewall filter configuration similar to: family ethernet-switching filter L2-VLAN term ALLOW from user-vlan-id 100; then accept; term NON-MATCH then discard; when there is only one term containing a ‘user-vlan-id’ match condition and no other terms in the firewall filter except discard the discard action for non-matching traffic will only discard traffic with the same VLAN ID specified under ‘user-vlan-id’. Other traffic (e.g. VLAN ID 200) will not be discarded. This unexpected behavior can lead to unintended traffic passing through the interface where the firewall filter is applied. This issue only affects systems using VXLANs. This issue affects Juniper Networks Junos OS on QFX5K Series: 18.1 versions prior to 18.1R3-S7 except 18.1R3; 18.2 versions prior to 18.2R2-S7 18.2R3-S1; 18.3 versions prior to 18.3R1-S5 18.3R2-S4 18.3R3; 18.4 versions prior to 18.4R1-S7 18.4R2-S1 18.4R3; 19.1 versions prior to 19.1R1-S5 19.1R2; 19.2 versions prior to 19.2R1-S5 19.2R2.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Reference

https://kb.juniper.net/JSA11082

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

CHANGED

Integrity Impact

NONE

Availability Impact

LOW

Base Score

NONE

Base Severity

5.8