Junos OS: MX Series: In DS-lite and NAT scenario receipt of crafted IPv6 traffic causes port block

An Improper Check for Unusual or Exceptional Conditions vulnerability in the pfe (packet forwarding engine) of Juniper Networks Junos OS on MX Series causes a port within a pool to be blocked leading to Denial of Service (DoS).

In a DS-Lite (Dual-Stack Lite) and NAT (Network Address Translation) scenario, when crafted IPv6 traffic is received and prefix-length is set to 56, the ports assigned to the user will not be freed.  Eventually, users cannot establish new connections. Affected FPC/PIC need to be manually restarted to recover. Following is the command to identify the issue:

user@host> show services nat source port-block Host_IP                     External_IP                   Port_Block      Ports_Used/       Block_State/ Range           Ports_Total       Left_Time(s) 2001::                        x.x.x.x                     58880-59391     256/256*1         Active/-       >>>>>>>>port still usedThis issue affects Junos OS on MX Series:

• from 21.2 before 21.2R3-S8,
• from 21.4 before 21.4R3-S7,
• from 22.1 before 22.1R3-S6,
• from 22.2 before 22.2R3-S4,
• from 22.3 before 22.3R3-S3,
• from 22.4 before 22.4R3-S2,
• from 23.2 before 23.2R2-S1,
• from 23.4 before 23.4R1-S2, 23.4R2.

This issue does not affect versions before 20.2R1.