[j-nsp] JUNOS vulnerability with malformed TCP packets

Tim Eberhard xmin0s at gmail.com
Tue Jan 12 14:49:00 EST 2010


Jonas,

Correct firewall filters *will* block it, as the firewall filter will keep
the TCP port from even responding. However, if your router has a TCP port
open to a specific subnet, IPs on that subnet will be able to exploit it. In
other words, there is no specific firewall filter that can be put in place to
completely protect the router from this attack (i.e. don't accept a TCP
packet with these flags).

Best practices are obviously to configure firewall filters to only allow
trusted networks to access the router via telnet/ssh/etc. and only trusted
hosts to connect via BGP. If those are in place, your router is much less
vulnerable. While it is a major issue, it is one that should not be a problem
if you have your firewall filters locked down properly.

Just my 2 cents.

-Tim Eberhard


On Tue, Jan 12, 2010 at 11:22 AM, Jonas Frey <jf at probe-networks.de> wrote:

> Hello,
>
> I have tried exploiting this on various JUNOS versions (8.2, 8.5, 9.2);
> all of them crashed immediately at tcp_input() and rebooted after dumping
> the core.
>
> However, 7.4 seems not to be vulnerable. At least the version I have here
> (7.4I20071211_1225_pgoyette) is not affected. Therefore I guess
> everything below this (at least) is not vulnerable... that would explain
> why Juniper had 6.x removed from the advisory on vulnerable releases.
> (But 7.x is still listed...).
> I still have 6.x somewhere... if anyone is interested I can try this on
> a spare unit.
>
> One more thing: I was able to firewall this on all releases. So ACLs do
> work to some extent. Also, you need an open port for this to work (BGP
> etc).
>
> Regards,
> Jonas Frey
>
> On Fri, 2010-01-08 at 17:41, Florian Weimer wrote:
> > * Barry Greene:
> >
> > > The information is in the security advisory.
> >
> > Are the PSNs the security advisory you are referring to?
> >
> > I didn't see a security advisory as such, and I'm wondering if I'm
> > missing anything.
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
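
Added example, not part of the original messages: a minimal IPv4 loopback filter of the kind the reply describes, accepting BGP only from configured neighbors and SSH only from a management range, and discarding all other TCP addressed to the routing engine. The filter, term, counter and prefix-list names and the 192.0.2.0/24 range are placeholders; as the reply notes, hosts inside the permitted ranges can still reach the open ports.

```junos
# Added example: every name and prefix below is a placeholder.

# Prefix list that follows the BGP configuration, so only configured
# neighbors can reach TCP/179.
set policy-options prefix-list bgp-peers apply-path "protocols bgp group <*> neighbor <*>"

# Trusted management range (documentation prefix; replace with your own).
set policy-options prefix-list mgmt-hosts 192.0.2.0/24

# BGP in either direction (port matches source or destination port),
# but only when the source is a configured neighbor.
set firewall family inet filter protect-re term bgp-from-peers from source-prefix-list bgp-peers
set firewall family inet filter protect-re term bgp-from-peers from protocol tcp
set firewall family inet filter protect-re term bgp-from-peers from port bgp
set firewall family inet filter protect-re term bgp-from-peers then accept

# SSH only from the management range.
set firewall family inet filter protect-re term ssh-from-mgmt from source-prefix-list mgmt-hosts
set firewall family inet filter protect-re term ssh-from-mgmt from protocol tcp
set firewall family inet filter protect-re term ssh-from-mgmt from destination-port ssh
set firewall family inet filter protect-re term ssh-from-mgmt then accept

# All other TCP aimed at the routing engine is counted and dropped before
# it reaches a listener. Router-originated TCP sessions (e.g. to TACACS+
# servers) need their own accept terms above this one.
set firewall family inet filter protect-re term drop-other-tcp from protocol tcp
set firewall family inet filter protect-re term drop-other-tcp then count re-tcp-dropped
set firewall family inet filter protect-re term drop-other-tcp then discard

# Non-TCP traffic is left untouched by this example; restrict it separately.
set firewall family inet filter protect-re term everything-else then accept

# Applying the filter to lo0 covers traffic destined to the routing engine
# regardless of which interface it arrived on.
set interfaces lo0 unit 0 family inet filter input protect-re
```

Using `commit confirmed` when applying a loopback filter gives an automatic rollback if the filter cuts off management access.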

