[j-nsp] JUNOS vulnerability with malformed TCP packets

Jonas Frey jf at probe-networks.de
Tue Jan 12 15:11:25 EST 2010


Tim,

firewall filters help somewhat. But still someone can spoof this packet
and make it appear from one of your bgp peers, customers, management
network, etc etc.
There is no 100% effective way to protect against it.

E.g. if you peer with 10.0.0.22 (your upstream) and you are 10.0.0.21
and i know this (from traceroute etc) i can make the packet appear to
come from 10.0.0.22 and your firewall will let it through...bang. BGP is
most likely an open port (testing the first 1024 ports roughly takes a
second)...
Spoofing tcp is easy....
(i did write a small .c poc myself and it works with spoofing.)
Also if you have a looking glass up somewhere thats a good point to get
peer ips etc. from. (hint: dont print peer ips)
Or if you are peering at an IXP...think about memberlists.

I can confirm 7.6R4.3 (latest 7.x code officially available) is
vulnerable, too.

I just tried 7.5R1.12...and its not vulnerable.

So after all the problematic code must have been introduced in 7.6.


Regards,
Jonas

On Tue, 2010-01-12 at 20:49, Tim Eberhard wrote:
> Jonas,
> 
> Correct firewall filters *will* block it as the firewall filter will
> keep the tcp port even responding. However if your router has a tcp
> port open to a specific subnet IP's on that subnet will be able to
> exploit. In other words there is no specific firewall filter that can
> be put in place to completely protect the router from this attack
> (i.e. don't accept a tcp packet with these flags). 
> 
> Best practices are obviously to configure firewall filters to only
> allow trusted networks to access the router via telnet/ssh/etc and
> only trusted hosts to connect via BGP. If those are in place your
> router is much less vulnerable. While it is a major issue it is one
> that should not be a problem if you have your firewall filters locked
> down properly.
> 
> Just my 2 cents.
> 
> -Tim Eberhard
> 
> 
> On Tue, Jan 12, 2010 at 11:22 AM, Jonas Frey <jf at probe-networks.de>
> wrote:
>         Hello,
>         
>         i have tried exploiting this on various junos version (8.2,
>         8.5, 9.2),
>         all of them crashed immediatly at tcp_input() and rebooted
>         after dumping
>         the core.
>         
>         However 7.4 seems to be not vulnerable. Atleast the version i
>         have here
>         (7.4I20071211_1225_pgoyette) is not affected. Therefor i guess
>         everything below this (atleast) is not vulnerable...that would
>         explain
>         why juniper had 6.x removed from the advisory on vulnerable
>         releases.
>         (But 7.x is still listed...).
>         I still have 6.x somewhere...if anyone is interessted i can
>         try this on
>         a spare unit.
>         
>         One more thing: I was able to firewall this on all releases.
>         So ACL's do
>         work for some extend. Also you need an open port for this to
>         work (BGP
>         etc).
>         
>         Regards,
>         Jonas Frey
>         
>         On Fri, 2010-01-08 at 17:41, Florian Weimer wrote:
>         > * Barry Greene:
>         >
>         > > The information is in the security advisory.
>         >
>         > Are the PSNs the security advisory you are referring to?
>         >
>         > I didn't see a security advisory as such, and I'm wondering
>         if I'm
>         > missing anything.
>         
>         
>         
>         _______________________________________________
>         juniper-nsp mailing list juniper-nsp at puck.nether.net
>         https://puck.nether.net/mailman/listinfo/juniper-nsp




More information about the juniper-nsp mailing list