<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Srx - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/srx/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 19 Jun 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/srx/feed.xml" rel="self" type="application/rss+xml"/><item><title>Juniper Junos OS SRX Series ICMPv6 Denial-of-Service Vulnerability (CVE-2026-33790)</title><link>https://feed.craftedsignal.io/briefs/2024-06-junos-icmpv6-dos/</link><pubDate>Wed, 19 Jun 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-06-junos-icmpv6-dos/</guid><description>A specific, malformed ICMPv6 packet sent to a Juniper Networks Junos OS SRX Series device can trigger a crash and restart of the srxpfe process, leading to a sustained Denial of Service.</description><content:encoded><![CDATA[<p>CVE-2026-33790 is a vulnerability affecting Juniper Networks Junos OS on SRX Series devices. The vulnerability resides in the flow daemon (flowd) and is triggered by sending a specific, malformed ICMPv6 packet to the device during NAT64 translation. This causes the srxpfe process to crash and restart. The continuous receipt and processing of these malformed packets will repeatedly crash the srxpfe process, resulting in a sustained Denial of Service (DoS) condition. The vulnerability is specific to ICMPv6 traffic and does not affect IPv4 or other IPv6 traffic types. Affected versions include versions before 21.2R3-S10, all versions of 21.3, versions 21.4 before 21.4R3-S12, all versions of 22.1, versions 22.2 before 22.2R3-S8, all versions of 22.4, versions 22.4 before 22.4R3-S9, versions 23.2 before 23.2R2-S6, versions 23.4 before 23.4R2-S7, versions 24.2 before 24.2R2-S3, versions 24.4 before 24.4R2-S3, and versions 25.2 before 25.2R1-S2, 25.2R2.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable Juniper SRX Series device running Junos OS with NAT64 enabled.</li>
<li>The attacker crafts a specific, malformed ICMPv6 packet.</li>
<li>The attacker sends the malformed ICMPv6 packet to the SRX device.</li>
<li>The SRX device receives the ICMPv6 packet and attempts NAT64 translation.</li>
<li>Due to the malformed packet, the flowd process encounters an improper check condition.</li>
<li>The srxpfe process crashes as a result of the malformed ICMPv6 packet.</li>
<li>The srxpfe process restarts automatically.</li>
<li>The attacker continuously sends malformed ICMPv6 packets to repeatedly crash the srxpfe process, sustaining a Denial-of-Service condition.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability leads to a Denial-of-Service condition on the affected Juniper SRX Series device. This can disrupt network services, impacting connectivity and availability for legitimate users. The repeated crashing of the srxpfe process can severely degrade device performance and potentially lead to complete service outage. The number of potential victims is dependent on the number of deployed, vulnerable Juniper SRX series devices with NAT64 enabled.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the appropriate patch or upgrade to a fixed version of Junos OS on SRX Series devices as specified in the Juniper advisory to remediate CVE-2026-33790.</li>
<li>Monitor network traffic for unusual or malformed ICMPv6 packets destined for SRX devices performing NAT64, as this may indicate exploitation attempts, and deploy the provided Sigma rule to detect such activity.</li>
<li>Implement rate limiting for ICMPv6 traffic at the network perimeter to mitigate the impact of potential DoS attacks targeting this vulnerability, preventing the continuous crashing of the srxpfe process.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>dos</category><category>icmpv6</category><category>junos</category><category>srx</category><category>nat64</category></item></channel></rss>