[j-nsp] JUNOS vulnerability with malformed TCP packets

Jonas Frey jf at probe-networks.de
Tue Jan 12 12:22:05 EST 2010


I have tried exploiting this on various JUNOS versions (8.2, 8.5, 9.2),
all of them crashed immediately at tcp_input() and rebooted after dumping
the core.

However, 7.4 seems not to be vulnerable. At least the version I have here
(7.4I20071211_1225_pgoyette) is not affected. Therefore I guess
everything below this (at least) is not vulnerable... that would explain
why Juniper had 6.x removed from the advisory on vulnerable releases.
(But 7.x is still listed...)
I still have 6.x somewhere... if anyone is interested I can try this on
a spare unit.

One more thing: I was able to firewall this on all releases. So ACLs do
work to some extent. Also you need an open port for this to work (BGP

Jonas Frey

On Fri, 2010-01-08 at 17:41, Florian Weimer wrote:
> * Barry Greene:
> > The information is in the security advisory.
> Are the PSNs the security advisory you are referring to?
> I didn't see a security advisory as such, and I'm wondering if I'm
> missing anything.
