CVE-2020-1641 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Severity

53%

Complexity

16%

Confidentiality

60%

A Race Condition vulnerability in Juniper Networks Junos OS LLDP implementation allows an attacker to cause LLDP to crash leading to a Denial of Service (DoS). This issue occurs when crafted LLDP packets are received by the device from an adjacent device. Multiple LACP flaps will occur after LLDP crashes. An indicator of compromise is to evaluate log file details for lldp with RLIMIT. Intervention should occur before 85% threshold of used KB versus maximum available KB memory is reached. show log messages | match RLIMIT | match lldp | last 20 Matching statement is " /kernel: %KERNEL-[number]: Process ([pid #],lldpd) has exceeded 85% of RLIMIT_DATA: " with [] as variable data to evaluate for. This issue affects: Juniper Networks Junos OS: 12.3 versions prior to 12.3R12-S15; 12.3X48 versions prior to 12.3X48-D95; 15.1 versions prior to 15.1R7-S6; 15.1X49 versions prior to 15.1X49-D200; 15.1X53 versions prior to 15.1X53-D593; 16.1 versions prior to 16.1R7-S7; 17.1 versions prior to 17.1R2-S11, 17.1R3-S2; 17.2 versions prior to 17.2R1-S9, 17.2R3-S3; 17.3 versions prior to 17.3R2-S5, 17.3R3-S6; 17.4 versions prior to 17.4R2-S4, 17.4R3; 18.1 versions prior to 18.1R3-S5; 18.2 versions prior to 18.2R2-S7, 18.2R3; 18.2X75 versions prior to 18.2X75-D12, 18.2X75-D33, 18.2X75-D50, 18.2X75-D420; 18.3 versions prior to 18.3R1-S7, 18.3R2-S3, 18.3R3; 18.4 versions prior to 18.4R1-S5, 18.4R2; 19.1 versions prior to 19.1R1-S4, 19.1R2.

CVSS 3.1 Base Score 5.3. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0 Base Score 2.9. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: medium. CVSS Vector: (AV:A/AC:M/Au:N/C:N/I:N/A:P).

Demo Examples

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-362

This code could be used in an e-commerce application that supports transfers between accounts. It takes the total amount of the transfer, sends it to the new account, and deducts the amount from the original account.


               
NotifyUser("New balance: $newbalance");
FatalError("Bad Transfer Amount");
FatalError("Insufficient Funds");

A race condition could occur between the calls to GetBalanceFromDatabase() and SendNewBalanceToDatabase().

Suppose the balance is initially 100.00. An attack could be constructed as follows:


               
PROGRAM-2 sends a request to update the database, setting the balance to 99.00

At this stage, the attacker should have a balance of 19.00 (due to 81.00 worth of transfers), but the balance is 99.00, as recorded in the database.

To prevent this weakness, the programmer has several options, including using a lock to prevent multiple simultaneous requests to the web application, or using a synchronization mechanism that includes all the code between GetBalanceFromDatabase() and SendNewBalanceToDatabase().

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-362

The following function attempts to acquire a lock in order to perform operations on a shared resource.


               
}

                     
pthread_mutex_unlock(mutex);/* access shared resource */

However, the code does not check the value returned by pthread_mutex_lock() for errors. If pthread_mutex_lock() cannot acquire the mutex for any reason, the function may introduce a race condition into the program and result in undefined behavior.

In order to avoid data races, correctly written programs must check the result of thread synchronization functions and appropriately handle all errors, either by attempting to recover from them or reporting it to higher levels.


               
}

                     
return pthread_mutex_unlock(mutex);
return result;
/* access shared resource */

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-362

Suppose a processor's Memory Management Unit (MMU) has 5 other shadow MMUs to distribute its workload for its various cores. Each MMU has the start address and end address of "accessible" memory. Any time this accessible range changes (as per the processor's boot status), the main MMU sends an update message to all the shadow MMUs.

Suppose the interconnect fabric does not prioritize such "update" packets over other general traffic packets. This introduces a race condition. If an attacker can flood the target with enough messages so that some of those attack packets reach the target before the new access ranges gets updated, then the attacker can leverage this scenario.

Overview

Type

Juniper

First reported 4 years ago

2020-07-17 19:15:00

Last updated 4 years ago

2020-08-12 14:05:00

Affected Software

Juniper JUNOS 12.3

12.3

Juniper Junos 12.3 R1

12.3

Juniper JunOS 12.3 R10

12.3

Juniper JUNOS 12.3 R10-S1

12.3

Juniper JUNOS 12.3 R10-S2

12.3

Juniper Junos 12.3 R11

12.3

Juniper JunOS 12.3 R12

12.3

Juniper JUNOS 12.3 R12-S1

12.3

Juniper JUNOS 12.3 R12-S11

12.3

Juniper JUNOS 12.3 R12-S12

12.3

Juniper JUNOS 12.3 R12-s13

12.3

Juniper JUNOS 12.3 R12-S14

12.3

Juniper JUNOS 12.3 R12-S3

12.3

Juniper JUNOS 12.3 R12-S4

12.3

Juniper JUNOS 12.3 R12-S6

12.3

Juniper Junos 12.3 R12-s8

12.3

Juniper Junos OS 12.3X48

12.3x48

Juniper JunOS 12.3x48 D10

12.3x48

Juniper JUNOS 12.3X48 D100

12.3x48

Juniper JunOS 12.3x48 D15

12.3x48

Juniper Junos OS 12.3X48 D20

12.3x48

Juniper Junos 12.3X48 D25

12.3x48

Juniper Junos OS 12.3X48 D30

12.3x48

Juniper Junos OS 12.3X48 D35

12.3x48

Juniper Junos OS 12.3X48 D40

12.3x48

Juniper Junos OS 12.3X48 D45

12.3x48

Juniper Junos OS 12.3X48 D50

12.3x48

Juniper Junos 12.3x48 D51

12.3x48

Juniper Junos OS 12.3X48 D55

12.3x48

Juniper Junos OS 12.3X48 D60

12.3x48

Juniper Junos OS 12.3X48 D65

12.3x48

Juniper Junos OS 12.3X48 D70

12.3x48

Juniper Junos OS 12.3X48 D75

12.3x48

Juniper JunOS 12.3x48 D80

12.3x48

Juniper JUNOS 12.3X48 D90

12.3x48

Juniper Junos OS 15.1

15.1

Juniper Junos 15.1 A1

15.1

Juniper JUNOS 15.1 F

15.1

Juniper JunOS 15.1 F1

15.1

Juniper JunOS 15.1 F2

15.1

Juniper JunOS 15.1 F2-s1

15.1

Juniper Junos 15.1 F2-S2

15.1

Juniper Junos 15.1 F2-S3

15.1

Juniper Junos 15.1 F2-S4

15.1

Juniper Junos 15.1 F3

15.1

Juniper Junos 15.1 F4

15.1

Juniper Junos 15.1 F5

15.1

Juniper Junos 15.1 F5-S7

15.1

Juniper JUNOS 15.1 F6

15.1

Juniper JUNOS 15.1 F6-s1

15.1

Juniper Junos OS 15.1 F6-s12

15.1

Juniper JUNOS 15.1 F6-s2

15.1

Juniper JUNOS 15.1 F6-S3

15.1

Juniper Junos 15.1 F6-S4

15.1

Juniper Junos 15.1 F6-S7

15.1

Juniper JunOS 15.1 F7

15.1

Juniper Junos 15.1 R1

15.1

Juniper JunOS 15.1 R2

15.1

Juniper Junos 15.1 R3

15.1

Juniper JunOS 15.1 R4

15.1

Juniper Junos 15.1 R4-S7

15.1

Juniper Junos 15.1 R4-S8

15.1

Juniper Junos 15.1 R4-S9

15.1

Juniper JunOS 15.1 R5

15.1

Juniper Junos 15.1 R5-S1

15.1

Juniper Junos 15.1 R5-S5

15.1

Juniper JUNOS 15.1 R5-S6

15.1

Juniper JunOS 15.1 R6

15.1

Juniper Junos 15.1 R6-S1

15.1

Juniper JUNOS 15.1 R6-S2

15.1

Juniper Junos 15.1 R6-S6

15.1

Juniper Junos OS 15.1 R7

15.1

Juniper JUNOS 15.1 R7-S1

15.1

Juniper JUNOS 15.1 R7-S2

15.1

Juniper JUNOS 15.1 R7-S3

15.1

Juniper Junos OS 15.1 R7-s4

15.1

Juniper Junos OS 15.1 R7-s5

15.1

Juniper Junos OS 15.1X49

15.1x49

Juniper JunOS 15.1x49 D10

15.1x49

Juniper Junos OS 15.1X49 D100

15.1x49

Juniper Junos OS 15.1X49 D110

15.1x49

Juniper Junos OS 15.1X49 D120

15.1x49

Juniper Junos OS 15.1X49 D130

15.1x49

Juniper Junos OS 15.1X49 D140

15.1x49

Juniper JunOS 15.1X49 D15

15.1x49

Juniper JunOS 15.1x49 D150

15.1x49

Juniper Junos OS 15.1X49 D160

15.1x49

Juniper Junos OS 15.1X49 D170

15.1x49

Juniper Junos OS 15.1X49 D180

15.1x49

Juniper JUNOS 15.1X49 D190

15.1x49

Juniper JunOS 15.1x49 D20

15.1x49

Juniper JunOS 15.1X49 D25

15.1x49

Juniper JunOS 15.1X49 D30

15.1x49

Juniper Junos 15.1X49 D35

15.1x49

Juniper JunOS 15.1X49 D40

15.1x49

Juniper JunOS 15.1X49 D45

15.1x49

Juniper JunOS 15.1X49 D50

15.1x49

Juniper JunOS 15.1X49 D55

15.1x49

Juniper JunOS 15.1X49 D60

15.1x49

Juniper JunOS 15.1X49 D65

15.1x49

Juniper JunOS 15.1X49 D70

15.1x49

Juniper JunOS 15.1X49 D75

15.1x49

Juniper JunOS 15.1X49 D80

15.1x49

Juniper Junos OS 15.1X49 D90

15.1x49

Juniper Junos OS 15.1X53

15.1x53

Juniper Junos OS 15.1X53 D10

15.1x53

Juniper Junos 15.1X53 D20

15.1x53

Juniper Junos 15.1X53 D21

15.1x53

Juniper JunOS 15.1X53 D210

15.1x53

Juniper Junos OS 15.1X53 D230

15.1x53

Juniper Junos OS 15.1X53 D231

15.1x53

Juniper Junos OS 15.1X53 D232

15.1x53

Juniper Junos OS 15.1X53 D233

15.1x53

Juniper Junos OS 15.1X53 D234

15.1x53

Juniper Junos OS 15.1X53 D235

15.1x53

Juniper Junos OS 15.1X53 D236

15.1x53

Juniper Junos OS 15.1X53 D237

15.1x53

Juniper JunOS 15.1X53 D25

15.1x53

Juniper Junos 15.1X53 D30

15.1x53

Juniper JUNOS 15.1X53 D31

15.1x53

Juniper Junos 15.1X53 D32

15.1x53

Juniper Junos 15.1X53 D33

15.1x53

Juniper Junos 15.1X53 D34

15.1x53

Juniper JunOS 15.1X53 D40

15.1x53

Juniper JunOS 15.1X53 D45

15.1x53

Juniper Junos 15.1X53 D47

15.1x53

Juniper JUNOS 15.1X53 D470

15.1x53

Juniper Junos 15.1X53 D48

15.1x53

Juniper JUNOS 15.1x53 D495

15.1x53

Juniper Junos OS 15.1X53 D50

15.1x53

Juniper Junos OS 15.1X53 D51

15.1x53

Juniper Junos OS 15.1X53 D52

15.1x53

Juniper Junos OS 15.1X53 D55

15.1x53

Juniper Junos 15.1x53 D56

15.1x53

Juniper Junos OS 15.1X53 D57

15.1x53

Juniper Junos OS 15.1X53 D58

15.1x53

Juniper Junos OS 15.1X53 D59

15.1x53

Juniper Junos OS 15.1X53 D590

15.1x53

Juniper Junos OS 15.1X53 D591

15.1x53

Juniper JUNOS 15.1X53 D592

15.1x53

Juniper JunOS 15.1X53 D60

15.1x53

Juniper JunOS 15.1X53 D61

15.1x53

Juniper JunOS 15.1X53 D62

15.1x53

Juniper JunOS 15.1X53 D63

15.1x53

Juniper Junos OS 15.1X53 D64

15.1x53

Juniper JUNOS 15.1x53 D65

15.1x53

Juniper Junos OS 15.1X53 D66

15.1x53

Juniper Junos OS 15.1X53 D67

15.1x53

Juniper Junos OS 15.1X53 D68

15.1x53

Juniper Junos OS 15.1X53 D69

15.1x53

Juniper JunOS 15.1X53 D70

15.1x53

Juniper JUNOS 16.1

16.1

Juniper JunOS 16.1 R1

16.1

Juniper JunOS 16.1 R2

16.1

Juniper JunOS 16.1 R3

16.1

Juniper Junos 16.1 R3-S10

16.1

Juniper Junos OS 16.1 R3-S11

16.1

Juniper JunOS 16.1 R4

16.1

Juniper JUNOS 16.1 R4-S12

16.1

Juniper JUNOS 16.1 R4-S2

16.1

Juniper Junos 16.1 R4-S3

16.1

Juniper Junos 16.1 R4-S4

16.1

Juniper JUNOS 16.1 R4-S6

16.1

Juniper Junos 16.1 R5

16.1

Juniper Junos 16.1 R5-S4

16.1

Juniper Junos 16.1 R6-S1

16.1

Juniper Junos 16.1 R6-s6

16.1

Juniper Junos 16.1 R7

16.1

Juniper JUNOS 16.1 R7-S2

16.1

Juniper JUNOS 16.1 R7-S3

16.1

Juniper JUNOS 16.1R7-S4

16.1

Juniper JUNOS 16.1R7-S5

16.1

Juniper JUNOS 16.1 R7-S6

16.1

Juniper JUNOS 17.1

17.1

Juniper JunOS 17.1 R1

17.1

Juniper Junos 17.1 R2

17.1

Juniper Junos 17.1 R2-S1

17.1

Juniper JUNOS 17.1 R2-S10

17.1

Juniper JUNOS 17.1 R2-S2

17.1

Juniper JUNOS 17.1 R2-S3

17.1

Juniper JUNOS 17.1 R2-S4

17.1

Juniper JUNOS 17.1 R2-S5

17.1

Juniper JUNOS 17.1 R2-S6

17.1

Juniper Junos 17.1 R2-S7

17.1

Juniper Junos OS 17.1 R2-S8

17.1

Juniper JunOS 17.1 R2-s9

17.1

Juniper JUNOS 17.1 R3-S1

17.1

Juniper JUNOS 17.2

17.2

Juniper Junos 17.2 R1

17.2

Juniper JUNOS 17.2 R1-s1

17.2

Juniper JUNOS 17.2 R1-S2

17.2

Juniper JUNOS 17.2 R1-s3

17.2

Juniper JUNOS 17.2 R1-S4

17.2

Juniper JUNOS 17.2 R1-s5

17.2

Juniper Junos 17.2 R1-S7

17.2

Juniper JUNOS 17.2 R1-S8

17.2

Juniper Junos 17.2 R2

17.2

Juniper JUNOS 17.2 R2-S11

17.2

Juniper JUNOS 17.2 R2-S6

17.2

Juniper JUNOS 17.2 R2-S7

17.2

Juniper JUNOS 17.2R3-S1

17.2

Juniper JUNOS 17.2 R3-S2

17.2

Juniper JUNOS 17.3

17.3

Juniper JUNOS 17.3 R1-S1

17.3

Juniper Junos 17.3 R2

17.3

Juniper JUNOS 17.3 R2-S1

17.3

Juniper JUNOS 17.3R2-S2

17.3

Juniper Junos OS 17.3 R2-S3

17.3

Juniper JUNOS 17.3 R2-S4

17.3

Juniper JunOS 17.3 R3

17.3

Juniper JUNOS 17.3 R3-S1

17.3

Juniper JUNOS 17.3 R3-S2

17.3

Juniper JUNOS 17.3 R3-S3

17.3

Juniper JUNOS 17.3R3-S4

17.3

Juniper JUNOS 17.4

17.4

Juniper Junos 17.4 R1

17.4

Juniper JUNOS 17.4 R1-S1

17.4

Juniper JUNOS 17.4 R1-S2

17.4

Juniper JUNOS 17.4R1-S4

17.4

Juniper JunOS 17.4 R1-s5

17.4

Juniper JUNOS 17.4 R1-S6

17.4

Juniper JUNOS 17.4R1-S7

17.4

Juniper Junos 17.4 R2

17.4

Juniper JUNOS 17.4 R2-S1

17.4

Juniper JUNOS 17.4 R2-S10

17.4

Juniper Junos 17.4 R2-S2

17.4

Juniper JUNOS 17.4 R2-S3

17.4

Juniper JUNOS 18.1

18.1

Juniper JUNOS 18.1R2

18.1

Juniper JUNOS R2-S1

18.1

Juniper JUNOS R2-S2

18.1

Juniper JUNOS 18.1 R2-S4

18.1

Juniper JUNOS 18.1 R3

18.1

Juniper JunOS 18.1 R3-s1

18.1

Juniper JUNOS 18.1 R3-S2

18.1

Juniper JUNOS 18.1 R3-S3

18.1

Juniper JUNOS 18.1R3-S4

18.1

Juniper JUNOS 18.2

18.2

Juniper JunOS 18.2 R1

18.2

Juniper JunOS 18.2 R1-S3

18.2

Juniper JUNOS 18.2 R1-S5

18.2

Juniper JUNOS 18.2 R2-S1

18.2

Juniper JUNOS 18.2R2-S2

18.2

Juniper JUNOS 18.2R2-S3

18.2

Juniper JUNOS18.2 R2-S4

18.2

Juniper JUNOS 18.2 R2-S5

18.2

Juniper JUNOS 18.2 R2-S6

18.2

Juniper Junos 18.2x75 -

18.2x75

Juniper JUNOS 18.2x75 D20

18.2x75

Juniper JUNOS 18.2x75 D30

18.2x75

Juniper JUNOS 18.2X75-D40

18.2x75

Juniper JUNOS 18.3

18.3

Juniper JUNOS 18.3 R1

18.3

Juniper JUNOS 18.3 R1-S1

18.3

Juniper JUNOS 18.3 R1-S2

18.3

Juniper JUNOS 18.3R1-S3

18.3

Juniper JUNOS 18.3 R1-S5

18.3

Juniper JUNOS 18.3 R1-S6

18.3

Juniper JUNOS 18.3 R2

18.3

Juniper JUNOS 18.3 R2-S1

18.3

Juniper JUNOS 18.3 R2-S2

18.3

Juniper JUNOS 18.4

18.4

Juniper JunOS 18.4 R1

18.4

Juniper Junos OS 18.4 R1-S1

18.4

Juniper JUNOS 18.4R1-S2

18.4

Juniper Junos OS 19.1

19.1

Juniper Junos OS 19.1 R1

19.1

Juniper Junos OS 19.1 R1-s1

19.1

Juniper JUNOS 19.1 R1-S2

19.1

Juniper JUNOS 19.1 R1-S3

19.1

References

https://kb.juniper.net/JSA11027

https://kb.juniper.net/JSA11027

Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.