Urgency is now increased: an exploit has been released for the issue reported by Juniper under bulletin PSN-2010-01-623, in which a crafted, malformed TCP option in the TCP header of a packet causes the JUNOS kernel to core (crash). In other words, the kernel on the network device (for example, a gateway router) will crash and reboot if a packet containing this crafted option is received on a listening TCP port.
While our team does not usually release vulnerability alerts, this one caught our attention and as we have a large number of clients with devices running JUNOS, we felt this insight would be appropriate.
The JUNOS kernel will crash (i.e. core) when a specifically crafted TCP option is received on a listening TCP port. The packet cannot be filtered with JUNOS’s firewall filter. A router receiving this specific TCP packet will crash and reboot. [CVSS base score of 7.8]
Affected Devices
Essentially all of them, save the more recent versions. If you have installed a device with a JUNOS release built later than 1/28/09, this issue is already corrected. Apparently the original issue and its correction were not recognized as a security vulnerability, so the criticality of applying the patch was not understood until this week.
• JUNOS 9.x
• JUNOS 7.x
• JUNOS 8.x
Please note the versions below were removed from the bulletin today, 01/07/09. This is likely because, as Juniper states, these are end-of-life versions of the OS (meaning they are likely still vulnerable if you happen to be running them, but out of scope for Juniper because, from their standpoint, they should already have been upgraded).
• JUNOS 6.x
• JUNOS 5.x
• JUNOS 3.x
• JUNOS 4.x
The Fix
All JUNOS software releases built on or after January 28, 2009 have fixed this specific issue. This specifically includes 8.1S2, 8.5-20090227-SR, 9.0-20090612-SR, 9.1R4, 9.2-20090130-SR, 9.2R4, 9.3-20090227-SR, 9.3-20090212-SR, 9.3R3, 9.4R1, and all subsequent releases.
There are no totally effective workarounds for this specifically crafted TCP packet. Risk can be minimized by using best common practices (BCPs) that limit which TCP packets may be destined to the JUNOS device. The crafted TCP packet is spoofable, so IETF BCP 38 “anti-spoofing” techniques are needed to prevent a spoofed packet from entering a network. Note: if IETF BCP 38 style anti-spoofing is not feasible for all traffic, focus on anti-spoofing for the IP addresses used for the control plane, management plane, and link addresses. Packets transiting the router have no impact; the packet must be destined for an interface on the router that is listening on TCP.
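As an added illustration of the two mitigations above (not configuration from Juniper’s bulletin or from this advisory), the following Junos “set” statements apply a unicast RPF check on an edge interface and a loopback filter that restricts TCP to the routing engine to known sources. The filter cannot match the malformed option itself; it only shrinks the set of addresses that can reach a listening TCP port. Interface names, filter and prefix-list names, and the prefixes are placeholders to be replaced with your own.

```junos
## Added example, not the advisory's or Juniper's own configuration.
## All names and prefixes below are placeholders (RFC 5737 documentation ranges).

## 1. BCP 38 style anti-spoofing on the edge interface: drop ingress packets
##    whose source address is not reachable back out the same interface.
set interfaces ge-0/0/0 unit 0 family inet rpf-check

## 2. Restrict which sources may talk TCP to the router itself.
##    Applied to lo0, the filter only sees traffic destined to the routing
##    engine; transit traffic is untouched (and was never at risk).
set policy-options prefix-list MGMT-NETS 192.0.2.0/24
set policy-options prefix-list MGMT-NETS 198.51.100.0/24
set policy-options prefix-list BGP-PEERS 203.0.113.1/32
set policy-options prefix-list BGP-PEERS 203.0.113.2/32

## Management access (SSH) only from management networks.
set firewall family inet filter PROTECT-RE term ALLOW-MGMT-SSH from source-prefix-list MGMT-NETS
set firewall family inet filter PROTECT-RE term ALLOW-MGMT-SSH from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-MGMT-SSH from destination-port ssh
set firewall family inet filter PROTECT-RE term ALLOW-MGMT-SSH then accept

## BGP only from configured peers; "port" matches either source or
## destination port, so sessions initiated by either side are covered.
set firewall family inet filter PROTECT-RE term ALLOW-BGP from source-prefix-list BGP-PEERS
set firewall family inet filter PROTECT-RE term ALLOW-BGP from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-BGP from port bgp
set firewall family inet filter PROTECT-RE term ALLOW-BGP then accept

## Any other TCP to the routing engine is counted, logged and discarded.
## The counter gives an operator a cheap way to watch for probing.
set firewall family inet filter PROTECT-RE term DENY-OTHER-TCP from protocol tcp
set firewall family inet filter PROTECT-RE term DENY-OTHER-TCP then count tcp-to-re-discarded
set firewall family inet filter PROTECT-RE term DENY-OTHER-TCP then log
set firewall family inet filter PROTECT-RE term DENY-OTHER-TCP then discard

## Non-TCP control-plane traffic (OSPF, ICMP, etc.) is left as before.
set firewall family inet filter PROTECT-RE term ALLOW-REST then accept

set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Strict RPF assumes symmetric routing on that interface; where paths are asymmetric, `rpf-check mode loose` still drops sources with no route at all. Check the counter with `show firewall filter PROTECT-RE` after applying.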
Conclusion
Until yesterday, an exploit had not been released. Thanks to the “security firm” praetorianperfect, there is now a proof of concept exploit as well as a detailed video demonstrating the attack. Now that every high school student in America knows how to exploit this vulnerability, you may want to move this higher on your priority list.
If you need assistance, please don’t hesitate to call us or reach out to the Rook partner who distributed this Rook Insight release to you.
Call us at 888.712.9531, email info[at]rookconsulting.net, or keep up-to-date on critical issues, alerts, and intelligence by following us on Twitter and subscribing to Rook Insight to receive real-time Insight Intelligence Alerts via email.