[j-nsp] Juniper and OpenSSH exploits

Pekka Savola pekkas at netcore.fi
Tue Sep 23 18:53:43 EDT 2003

On Tue, 23 Sep 2003, Jeff Aitken wrote:
> On Tue, Sep 23, 2003 at 10:58:40AM +0300, Pekka Savola wrote:
> > Are you really running your junipers without a filter running on lo0.0, 
> > protecting TCP/22, etc?  If such are implemented properly, this issue is 
> > not all that interesting..
> Is it not true that a single packet (i.e., a packet with an
> appropriately spoofed source-IP such that it will make it through
> the filter) can cause problems?  Or is two-way conversation between
> the router and the attacker required in order to exploit the
> vulnerability?
> If a single packet is all that's required then a simple source-IP
> based filter in front of the routing engine isn't enough to protect
> yourself in this case.

The question was already answered, but I'll answer the meta-question on 
operational practice.

You really, really should have filters at your border routers which block
anyone from using your addresses (_especially_ your
management/infrastructure addresses) as source.  Otherwise you'll have 
just WAY too many ways to exploit your routers (consider e.g. SNMP UDP 
vulnerabilities, etc.).

Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
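
Added example, not part of the original message: a small Python model of the two filter layers discussed in this thread, showing that a source-IP filter in front of the routing engine passes a packet that spoofs a management address, while a border ingress filter that rejects your own prefixes as source drops it first. The prefixes, addresses, and function names are constructed for illustration (documentation address ranges), and the model only covers TCP/22.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (documentation prefixes), not taken from the thread.
OWN_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
MGMT_PREFIX = ip_network("192.0.2.0/28")  # hosts allowed to SSH to routers


def border_ingress_permits(pkt):
    """Border anti-spoofing: a packet arriving on an external interface
    must not carry one of our own prefixes as its source address."""
    if pkt["ingress"] != "external":
        return True
    src = ip_address(pkt["src"])
    return not any(src in net for net in OWN_PREFIXES)


def lo0_permits(pkt):
    """Routing-engine (lo0.0) filter: TCP/22 only from the management
    prefix. It sees only the claimed source address, so it cannot tell a
    spoofed packet from a genuine one."""
    return (pkt["proto"] == "tcp" and pkt["dport"] == 22
            and ip_address(pkt["src"]) in MGMT_PREFIX)


def reaches_routing_engine(pkt, border_filter=True):
    """True if the packet would be delivered to sshd on the router."""
    if border_filter and not border_ingress_permits(pkt):
        return False
    return lo0_permits(pkt)


# Constructed sample packets.
ADMIN = {"ingress": "internal", "src": "192.0.2.5", "proto": "tcp", "dport": 22}
SPOOFED = {"ingress": "external", "src": "192.0.2.5", "proto": "tcp", "dport": 22}
OUTSIDER = {"ingress": "external", "src": "203.0.113.9", "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    for name, pkt in (("admin", ADMIN), ("spoofed", SPOOFED), ("outsider", OUTSIDER)):
        print(f"{name:9} lo0 filter only: {reaches_routing_engine(pkt, False)!s:5} "
              f"with border anti-spoofing: {reaches_routing_engine(pkt, True)}")
```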
