CIS Logo
tagline: Confidence in the Connected World

Multiple Vulnerabilities in Juniper Junos OS Could Allow for Denial of Service Conditions

MS-ISAC ADVISORY NUMBER:

2018-080

DATE(S) ISSUED:

07/13/2018

OVERVIEW:

Multiple vulnerabilities have been discovered in Juniper Junos OS, the most severe of which could allow for denial-of-service conditions. Juniper Junos OS is the common operating system that runs on Juniper Networks’ routing, switching, and security products. Successful exploitation of the most severe of these vulnerabilities could allow for denial of service conditions, but requires Resource Reservation Protocol (RSVP) to be enabled on the targeted interface. RSVP is often used by routers to deliver quality-of-service (QoS) requests to all nodes along the path(s) of the flows and to establish and maintain state to provide the requested service. If the targeted interface receives specially crafted or malformed RSVP PATH messages, the routing protocol daemon (RPD) may hang or crash. When RPD is unavailable, routing updates cannot be processed, which can lead to an extended network outage.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • All products and platforms using Junos OS

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Juniper Junos OS, the most severe of which could allow for denial-of-service conditions. Details of these vulnerabilities are as follows:

  • A use-after-free vulnerability that could allow an attacker to cause denial-of-service against rpcbind. The rpcbind utility is a server that converts RPC program numbers into universal addresses (CVE-2015-7236).
  • An improper privilege management vulnerability that could allow an authenticated unprivileged attacker to gain full control of the system (CVE-2018-0024).
  • A credential exposure vulnerability that could allow for captured credentials as a client sends authentication credentials in the initial HTTP/HTTPS session on SRX series devices when they are configured to use HTTP/HTTPS pass-through authentication services (CVE-2018-0025).
  • A stateless firewall filter configuration vulnerability that occurs after a Junos OS device reboots or upgrades (CVE-2018-0026).
  • A denial-of-service vulnerability caused by the receipt of a specially crafted or malformed RSVP PATH message that could lead to an extended network outage. If RSVP is not enabled, then the issue cannot be triggered via that interface (CVE-2018-0027).
  • A vulnerability that could cause the system to crash and restart after placing the the fxp0 interface into promiscuous mode via the ‘monitor traffic interface fxp0’ (CVE-2018-0029).
  • A denial-of-service vulnerability caused by the receipt of a specific MPLS packet that could cause the MPC7/8/9, PTX-FPC3 (FPC-P1, FPC-P2) line cards or PTX1K to crash and restart repeatedly (CVE-2018-0030).
  • A denial-of-service vulnerability caused by the receipt of specially crafted UDP/IP packets over MPLS that could allow for the bypassing of a stateless firewall filter (CVE-2018-0031).
  • A denial-of-service vulnerability caused by the repeated receipt of specially crafted BGP UPDATES that can lead the routing process daemon to repeatedly crash and restart (CVE-2018-0032).
  • A vulnerability exists within QFX5200 and QFX10002 devices that have been shipped with Junos OS 15.1X53-D21, 15.1X53-D30, 15.1X53-D31, 15.1X53-D32, 15.1X53-D33 and 15.1X53-D60 or have been upgraded to these releases using the .bin or .iso images. These devices may contain an unintended additional Open Network Install Environment (ONIE) partition. This additional partition allows the superuser to reboot to the ONIE partition, which will wipe out the content of the Junos partition and its configuration (CVE-2018-0035).
  • A denial-of-service vulnerability caused by the receipt of IPv6 DHCP packets on a system configured for DHCP processing using the JDHCPD daemon that could allow an attacker to core the JDHCPD daemon (CVE-2018-0034).
  • A denial-of-service vulnerability caused by the repeated receipt of BGP NOTIFICATION that could cause the routing protocol daemon (RPD) process to repeatedly crash. This vulnerability may also lead to remote code execution while processing specific BGP NOTIFICATION messages (CVE-2018-0037).

Successful exploitation of the most severe of these vulnerabilities could allow for denial of service conditions, but requires Resource Reservation Protocol (RSVP) to be enabled on the targeted interface. RSVP is often used by routers to deliver quality-of-service (QoS) requests to all nodes along the path(s) of the flows and to establish and maintain state to provide the requested service. If the targeted interface receives specially crafted or malformed RSVP PATH messages, the routing protocol daemon (RPD) may hang or crash. When RPD is unavailable, routing updates cannot be processed, which can lead to an extended network outage.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Juniper to vulnerable systems immediately after appropriate testing.
  • Configure firewalls and intrusion detection/prevention devices to alarm on traffic anomalies.
  • Establish and maintain effective partnerships with your upstream network service provider and know what assistance they may be able to provide you in the event of a DDoS attack. In the case of a DDoS attack, the faster a provider can implement traffic blocks and mitigation strategies at their level, the sooner your services will become available for legitimate users.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

Get Email Updates When Cyber Threats Like This Arise

Arrow Subscribe to Advisories

Related Resources



Arrow CIS Control 3: Continuous Vulnerability Assessment and Remediation

Information Hub : Advisories


CONTROL: 1 --- ADVISORY CONTROL: 0
CONTROL: 2 --- ADVISORY CONTROL: 0
CONTROL: 3 --- ADVISORY CONTROL: 0
CONTROL: 4 --- ADVISORY CONTROL: 0

Pencil Blog post 13 Jun 2019