{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-30644", "assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "state": "PUBLISHED", "assignerShortName": "juniper", "dateReserved": "2025-03-24T19:34:11.320Z", "datePublished": "2025-04-09T19:52:16.737Z", "dateUpdated": "2025-04-10T03:55:41.332Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["EX2300", "EX3400", "EX4100", "EX4300", "EX4300MP", "EX4400", "EX4600", "EX4650-48Y", "QFX5k Series"], "product": "Junos OS", "vendor": "Juniper Networks", "versions": [{"lessThan": "21.4R3-S9", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "22.2R3-S5", "status": "affected", "version": "22.2", "versionType": "semver"}, {"lessThan": "22.4R3-S5", "status": "affected", "version": "22.4", "versionType": "semver"}, {"lessThan": "23.2R2-S3", "status": "affected", "version": "23.2", "versionType": "semver"}, {"lessThan": "23.4R2-S3", "status": "affected", "version": "23.4", "versionType": "semver"}, {"lessThan": "24.2R2", "status": "affected", "version": "24.2", "versionType": "semver"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "This issue only occurs when DHCP forwarding-options Option 82 is enabled, as shown below:<br><br><tt>[vlans &lt;name&gt; forwarding-options dhcp-security option-82]</tt>"}], "value": "This issue only occurs when DHCP forwarding-options Option 82 is enabled, as shown below:\n\n[vlans <name> forwarding-options dhcp-security option-82]"}], "datePublic": "2025-04-09T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A Heap-based Buffer Overflow vulnerability in the flexible PIC concentrator (FPC) of Juniper Networks Junos OS on EX2300, EX3400, EX4100, EX4300, EX4300MP, EX4400, EX4600, EX4650-48Y, and QFX5k Series allows an attacker to send a specific DHCP packet to the device, leading to an FPC crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.<br><br>Under a rare timing scenario outside the attacker's control, memory corruption may be observed when DHCP Option 82 is enabled, leading to an FPC crash and affecting packet forwarding. Due to the nature of the heap-based overflow, exploitation of this vulnerability could also lead to remote code execution within the FPC, resulting in complete control of the vulnerable component.<br><p>This issue affects Junos OS on EX2300, EX3400, EX4100, EX4300, EX4300MP, EX4400, EX4600, EX4650-48Y, and QFX5k Series: <br></p><p></p><ul><li>All versions before 21.4R3-S9,&nbsp;</li><li>from 22.2 before 22.2R3-S5,&nbsp;</li><li>from 22.4 before 22.4R3-S5,&nbsp;</li><li>from 23.2 before 23.2R2-S3,&nbsp;</li><li>from 23.4 before 23.4R2-S3,&nbsp;</li><li>from 24.2 before 24.2R2.</li></ul><p></p>"}], "value": "A Heap-based Buffer Overflow vulnerability in the flexible PIC concentrator (FPC) of Juniper Networks Junos OS on EX2300, EX3400, EX4100, EX4300, EX4300MP, EX4400, EX4600, EX4650-48Y, and QFX5k Series allows an attacker to send a specific DHCP packet to the device, leading to an FPC crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.\n\nUnder a rare timing scenario outside the attacker's control, memory corruption may be observed when DHCP Option 82 is enabled, leading to an FPC crash and affecting packet forwarding. Due to the nature of the heap-based overflow, exploitation of this vulnerability could also lead to remote code execution within the FPC, resulting in complete control of the vulnerable component.\nThis issue affects Junos OS on EX2300, EX3400, EX4100, EX4300, EX4300MP, EX4400, EX4600, EX4650-48Y, and QFX5k Series: \n\n\n\n\n  *  All versions before 21.4R3-S9,\u00a0\n  *  from 22.2 before 22.2R3-S5,\u00a0\n  *  from 22.4 before 22.4R3-S5,\u00a0\n  *  from 23.2 before 23.2R2-S3,\u00a0\n  *  from 23.4 before 23.4R2-S3,\u00a0\n  *  from 24.2 before 24.2R2."}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."}], "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NO", "Recovery": "AUTOMATIC", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "baseScore": 7.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/AU:N/R:A/RE:M/U:Green", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "shortName": "juniper", "dateUpdated": "2025-04-09T19:52:16.737Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://supportportal.juniper.net/JSA96453"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The following software releases have been updated to resolve this specific issue: 21.4R3-S9, 22.2R3-S5, 22.4R3-S5, 23.2R2-S3, 23.4R2-S3, 24.2R2, 24.4R1, and all subsequent releases.<br>"}], "value": "The following software releases have been updated to resolve this specific issue: 21.4R3-S9, 22.2R3-S5, 22.4R3-S5, 23.2R2-S3, 23.4R2-S3, 24.2R2, 24.4R1, and all subsequent releases."}], "source": {"advisory": "JSA96453", "defect": ["1818760"], "discovery": "USER"}, "timeline": [{"lang": "en", "time": "2025-04-09T16:00:00.000Z", "value": "Initial Publication"}], "title": "Junos OS: EX2300, EX3400, EX4000 Series, QFX5k Series: Receipt of a specific DHCP packet causes FPC crash when DHCP Option 82 is enabled", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Disable&nbsp;dhcp-option82 if it is not required."}], "value": "Disable\u00a0dhcp-option82 if it is not required."}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-09T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2025-30644"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-10T03:55:41.332Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Heap-based Buffer Overflow vulnerability in the flexible PIC concentrator (FPC) of Juniper Networks Junos OS on EX2300, EX3400, EX4100, EX4300, EX4300MP, EX4400, EX4600, EX4650-48Y, and QFX5k Series allows an attacker to send a specific DHCP packet to the device, leading to an FPC crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.\n\nUnder a rare timing scenario outside the attacker's control, memory corruption may be observed when DHCP Option 82 is enabled, leading to an FPC crash and affecting packet forwarding. Due to the nature of the heap-based overflow, exploitation of this vulnerability could also lead to remote code execution within the FPC, resulting in complete control of the vulnerable component.\nThis issue affects Junos OS on EX2300, EX3400, EX4100, EX4300, EX4300MP, EX4400, EX4600, EX4650-48Y, and QFX5k Series: \n\n\n\n\n  *  All versions before 21.4R3-S9,\u00a0\n  *  from 22.2 before 22.2R3-S5,\u00a0\n  *  from 22.4 before 22.4R3-S5,\u00a0\n  *  from 23.2 before 23.2R2-S3,\u00a0\n  *  from 23.4 before 23.4R2-S3,\u00a0\n  *  from 24.2 before 24.2R2."}, {"lang": "es", "value": "Una vulnerabilidad de desbordamiento de b\u00fafer en el heap del concentrador PIC flexible (FPC) de Juniper Networks Junos OS en las series EX2300, EX3400, EX4100, EX4300, EX4300MP, EX4400, EX4600, EX4650-48Y y QFX5k permite a un atacante enviar un paquete DHCP espec\u00edfico al dispositivo, lo que provoca un bloqueo y reinicio del FPC, lo que resulta en una denegaci\u00f3n de servicio (DoS). La recepci\u00f3n y el procesamiento continuos de este paquete generar\u00e1n una denegaci\u00f3n de servicio (DoS) sostenida. En un escenario inusual, ajeno al control del atacante, se puede observar corrupci\u00f3n de memoria al habilitar la opci\u00f3n 82 de DHCP, lo que provoca un bloqueo del FPC y afecta el reenv\u00edo de paquetes. Debido a la naturaleza del desbordamiento en el heap, la explotaci\u00f3n de esta vulnerabilidad tambi\u00e9n podr\u00eda provocar la ejecuci\u00f3n remota de c\u00f3digo dentro del FPC, lo que resultar\u00eda en el control total del componente vulnerable. Este problema afecta a Junos OS en las series EX2300, EX3400, EX4100, EX4300, EX4300MP, EX4400, EX4600, EX4650-48Y y QFX5k: * Todas las versiones anteriores a 21.4R3-S9, * desde la 22.2 hasta la 22.2R3-S5, * desde la 22.4 hasta la 22.4R3-S5, * desde la 23.2 hasta la 23.2R2-S3, * desde la 23.4 hasta la 23.4R2-S3, * desde la 24.2 hasta la 24.2R2."}], "id": "CVE-2025-30644", "lastModified": "2025-04-11T15:40:10.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "sirt@juniper.net", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "AUTOMATIC", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "GREEN", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:X/RE:M/U:Green", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "source": "sirt@juniper.net", "type": "Secondary"}]}, "published": "2025-04-09T20:15:27.517", "references": [{"source": "sirt@juniper.net", "url": "https://supportportal.juniper.net/JSA96453"}], "sourceIdentifier": "sirt@juniper.net", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "sirt@juniper.net", "type": "Primary"}]}

{}