[j-nsp] Juniper and OpenSSH exploits
Pekka Savola
pekkas at netcore.fi
Tue Sep 23 18:53:43 EDT 2003
On Tue, 23 Sep 2003, Jeff Aitken wrote:
> On Tue, Sep 23, 2003 at 10:58:40AM +0300, Pekka Savola wrote:
> > Are you really running your junipers without a filter running on lo0.0,
> > protecting TCP/22, etc? If such are implemented properly, this issue is
> > not all that interesting..
>
> Is it not true that a single packet (i.e., a packet with an
> appropriately spoofed source-IP such that it will make it through
> the filter) can cause problems? Or is two-way conversation between
> the router and the attacker required in order to exploit the
> vulnerability?
>
> If a single packet is all that's required then a simple source-IP
> based filter in front of the routing engine isn't enough to protect
> yourself in this case.

The question was already answered, but I'll answer the meta-question on
operational practice.

You really, really should have filters at your border routers which block
anyone from using your addresses (_especially_ your
management/infrastructure addresses) as source. Otherwise you'll have
just WAY too many ways to exploit your routers (consider e.g. SNMP UDP
vulnerabilities, etc.).

--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
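
The two filter layers discussed in this thread, modeled as an added example that is not part of the original message: a source-IP filter in front of the routing engine trusts the claimed source address, so it only holds if the border rejects outside packets claiming your own addresses. The prefixes, interface roles, sample packets and function names are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (documentation prefixes), not taken from the thread.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
MGMT_PREFIXES = [ipaddress.ip_network("192.0.2.0/28")]
# Services the routing engine exposes to management hosts only (SSH, SNMP).
MGMT_SERVICES = {("tcp", 22), ("udp", 161)}


@dataclass(frozen=True)
class Packet:
    src: str        # claimed source address (not authenticated)
    proto: str
    dport: int
    ingress: str    # "external" (network edge) or "internal"


def in_any(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def border_filter(pkt):
    """Border anti-spoofing: reject outside packets that claim one of our own sources."""
    return not (pkt.ingress == "external" and in_any(pkt.src, OWN_PREFIXES))


def re_filter(pkt):
    """lo0.0-style filter: management services only from management prefixes."""
    return (pkt.proto, pkt.dport) in MGMT_SERVICES and in_any(pkt.src, MGMT_PREFIXES)


def reaches_routing_engine(pkt, border_antispoof):
    """True if the packet is delivered to the routing engine's service."""
    if border_antispoof and not border_filter(pkt):
        return False
    return re_filter(pkt)


SAMPLES = {  # constructed packets
    "admin": Packet("192.0.2.5", "tcp", 22, "internal"),
    "spoofed": Packet("192.0.2.5", "tcp", 22, "external"),
    "spoofed_snmp": Packet("192.0.2.9", "udp", 161, "external"),
    "outsider": Packet("203.0.113.9", "tcp", 22, "external"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, reaches_routing_engine(pkt, False), reaches_routing_engine(pkt, True))
```

With the border check disabled, both spoofed samples pass the routing-engine filter; with it enabled, only the internal admin packet does.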