A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an malicious user to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources, when 'no-syn-check' is enabled on the device. JDPI incorrectly classifies out-of-state asymmetric TCP flows as the dynamic-application INCONCLUSIVE instead of UNKNOWN, which is more permissive, causing the firewall to allow traffic to be forwarded that should have been denied. This issue only occurs when 'set security flow tcp-session no-syn-check' is configured on the device. This issue affects Juniper Networks Junos OS on SRX Series: 18.4 versions before 18.4R2-S9, 18.4R3-S9; 19.1 versions before 19.1R2-S3, 19.1R3-S6; 19.2 versions before 19.2R1-S7, 19.2R3-S3; 19.3 versions before 19.3R2-S6, 19.3R3-S2; 19.4 versions before 19.4R2-S5, 19.4R3-S3; 20.1 versions before 20.1R2-S2, 20.1R3; 20.2 versions before 20.2R3-S1; 20.3 versions before 20.3R3; 20.4 versions before 20.4R2-S1, 20.4R3; 21.1 versions before 21.1R1-S1, 21.1R2. This issue does not affect Juniper Networks Junos OS versions before 18.4R1.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
juniper junos 18.4 |
||
juniper junos 19.1 |
||
juniper junos 19.2 |
||
juniper junos 19.3 |
||
juniper junos 19.4 |
||
juniper junos 20.1 |
||
juniper junos 20.2 |
||
juniper junos 20.3 |
||
juniper junos 20.4 |
||
juniper junos 21.1 |
||
juniper junos 21.2 |
Vulmon