Sign-up

ID

VAR-202107-1230


CVE

CVE-2021-0292


TITLE

Pillow Buffer error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

DESCRIPTION

An Uncontrolled Resource Consumption vulnerability in the ARP daemon (arpd) and Network Discovery Protocol (ndp) process of Juniper Networks Junos OS Evolved allows a malicious attacker on the local network to consume memory resources, ultimately resulting in a Denial of Service (DoS) condition. Link-layer functions such as IPv4 and/or IPv6 address resolution may be impacted, leading to traffic loss. The processes do not recover on their own and must be manually restarted. Changes in memory usage can be monitored using the following shell commands (header shown for clarity): user@router:/var/log# ps aux | grep arpd USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 31418 59.0 0.7 *5702564* 247952 ? xxx /usr/sbin/arpd --app-name arpd -I object_select --shared-objects-mode 3 user@router:/var/log# ps aux | grep arpd USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 31418 49.1 1.0 *5813156* 351184 ? xxx /usr/sbin/arpd --app-name arpd -I object_select --shared-objects-mode 3 Memory usage can be monitored for the ndp process in a similar fashion: user@router:/var/log# ps aux | grep ndp USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 14935 0.0 0.1 *5614052* 27256 ? Ssl Jun15 0:17 /usr/sbin/ndp -I no_tab_chk,object_select --app-name ndp --shared-obje user@router:/var/log# ps aux | grep ndp USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 14935 0.0 0.1 *5725164* 27256 ? Ssl Jun15 0:17 /usr/sbin/ndp -I no_tab_chk,object_select --app-name ndp --shared-obje This issue affects Juniper Networks Junos OS Evolved: 19.4 versions prior to 19.4R2-S3-EVO; 20.1 versions prior to 20.1R2-S4-EVO; all versions of 20.2-EVO. This issue does not affect Juniper Networks Junos OS Evolved versions prior to 19.4R2-EVO. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements

Trust: 1.62

sources: NVD: CVE-2021-0292 // CNNVD: CNNVD-202104-975 // VULHUB: VHN-372194 // VULMON: CVE-2021-0292

AFFECTED PRODUCTS

vendor:junipermodel:junos os evolvedscope:eqversion:20.2

Trust: 1.0

vendor:junipermodel:junos os evolvedscope:eqversion:19.4

Trust: 1.0

vendor:junipermodel:junos os evolvedscope:eqversion:20.1

Trust: 1.0

sources: NVD: CVE-2021-0292

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2021-0292
value: MEDIUM

Trust: 1.0

sirt@juniper.net: CVE-2021-0292
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-202104-975
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-202107-998
value: MEDIUM

Trust: 0.6

VULHUB: VHN-372194
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2021-0292
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:N/I:N/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-372194
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:N/I:N/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2021-0292
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 2.0

sources: VULHUB: VHN-372194 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-998 // NVD: CVE-2021-0292 // NVD: CVE-2021-0292

PROBLEMTYPE DATA

problemtype:CWE-400

Trust: 1.1

sources: VULHUB: VHN-372194 // NVD: CVE-2021-0292

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-202107-998

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202104-975

EXTERNAL IDS

db:NVDid:CVE-2021-0292

Trust: 1.8

db:JUNIPERid:JSA11194

Trust: 1.8

db:CS-HELPid:SB2021041363

Trust: 0.6

db:CNNVDid:CNNVD-202104-975

Trust: 0.6

db:CS-HELPid:SB2021071524

Trust: 0.6

db:CNNVDid:CNNVD-202107-998

Trust: 0.6

db:VULHUBid:VHN-372194

Trust: 0.1

db:VULMONid:CVE-2021-0292

Trust: 0.1

sources: VULHUB: VHN-372194 // VULMON: CVE-2021-0292 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-998 // NVD: CVE-2021-0292

REFERENCES

url:https://kb.juniper.net/jsa11194

Trust: 1.8

url:https://www.cybersecurity-help.cz/vdb/sb2021041363

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2021071524

Trust: 0.6

url:https://vigilance.fr/vulnerability/junos-os-multiple-vulnerabilities-35897

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2021-0292

Trust: 0.6

url:https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-372194 // VULMON: CVE-2021-0292 // CNNVD: CNNVD-202104-975 // CNNVD: CNNVD-202107-998 // NVD: CVE-2021-0292

SOURCES

db:VULHUBid:VHN-372194
db:VULMONid:CVE-2021-0292
db:CNNVDid:CNNVD-202104-975
db:CNNVDid:CNNVD-202107-998
db:NVDid:CVE-2021-0292

LAST UPDATE DATE

2024-08-14T12:47:34.314000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-372194date:2021-10-25T00:00:00
db:VULMONid:CVE-2021-0292date:2021-07-15T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-14T00:00:00
db:CNNVDid:CNNVD-202107-998date:2021-08-24T00:00:00
db:NVDid:CVE-2021-0292date:2021-10-25T15:20:20.817

SOURCES RELEASE DATE

db:VULHUBid:VHN-372194date:2021-07-15T00:00:00
db:VULMONid:CVE-2021-0292date:2021-07-15T00:00:00
db:CNNVDid:CNNVD-202104-975date:2021-04-13T00:00:00
db:CNNVDid:CNNVD-202107-998date:2021-07-14T00:00:00
db:NVDid:CVE-2021-0292date:2021-07-15T20:15:11.090