CIS Logo
tagline: Confidence in the Connected World

A Vulnerability in Juniper Junos OS Could Allow for Denial of Service

MS-ISAC ADVISORY NUMBER:

2019-111

DATE(S) ISSUED:

10/17/2019

OVERVIEW:

A vulnerability has been discovered in Juniper Junos OS, which could allow for denial of service. Junos OS is a FreeBSD-based operating system used in Juniper Networks routers. This vulnerability specifically affects MX Series routers configured with SIP ALG and NAT. An attacker can exploit this issue by sending specially-crafted SIP packets. Repeated successful exploitation of this vulnerability could result in prolonged denial of service conditions.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Juniper Networks Junos OS on MX Series 16.1 versions prior to 16.1R7-S5
  • Juniper Networks Junos OS on MX Series 16.2 versions prior to 16.2R2-S11
  • Juniper Networks Junos OS on MX Series 17.1 versions prior to 17.1R3
  • Juniper Networks Junos OS on MX Series 17.2 versions prior to 17.2R3-S3
  • Juniper Networks Junos OS on MX Series 17.3 versions prior to 17.3R3-S6
  • Juniper Networks Junos OS on MX Series 17.4 versions prior to 17.4R2-S8, 17.4R3
  • Juniper Networks Junos OS on MX Series 18.1 versions prior to 18.1R3-S3
  • Juniper Networks Junos OS on MX Series 18.2 versions prior to 18.2R3
  • Juniper Networks Junos OS on MX Series 18.3 versions prior to 18.3R2
  • Juniper Networks Junos OS on MX Series 18.4 versions prior to 18.4R2

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
LOW

TECHNICAL SUMMARY:

A vulnerability has been discovered in Juniper Junos OS, which could allow for denial of service. The vulnerability specifically affects MX Series routers configured with SIP ALG and NAT. The Session Initiation Protocol (SIP) is a signaling protocol for initiating, modifying, and terminating multimedia sessions over the internet. An attacker can exploit this issue by sending specially-crafted SIP packets to crash the MS-PIC component on MS-MIC or MS-MPC. Repeated successful exploitation of this vulnerability could result in prolonged denial of service conditions.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Juniper to vulnerable systems immediately after appropriate testing.
  • Disable SIP ALG on affected systems if not required by your organization.
  • Restrict access to devices and applications from only authorized users and hosts.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

Information Hub : Advisories


CONTROL: 1 --- ADVISORY CONTROL: 0
CONTROL: 2 --- ADVISORY CONTROL: 0
CONTROL: 3 --- ADVISORY CONTROL: 0
CONTROL: 4 --- ADVISORY CONTROL: 0