[j-nsp] JUNOS vulnerability with malformed TCP packets

Jonas Frey jf at probe-networks.de
Tue Jan 12 16:00:30 EST 2010


Hi,

I haven't heard about any attacks in the wild, yet.

As I wrote...you can't protect yourself against this TCP bug.
(I don't think anyone out there has a box running with all ports closed
and is using only console to manage it...).
Once you run BGP, OSPF, SSH, FTP or whatever you are vulnerable even if
it's firewalled. Spoofing does the trick.
You can use RPF to some extent...but you would have to trust your
upstream(s) that they also employ this everywhere....and their upstreams
and so on. Somewhere someone will probably not use RPF and spoofed
packets will make their way.

If you are running 7.6 upwards and your JUNOS is released before Jan
2009 you should upgrade/downgrade immediately....that's the only real
solution.

Regards,
Jonas

On Tue, 2010-01-12 at 21:46, André Luiz Bernardes wrote:
> Ok, the problem is real and the TCP bug looks like the major one. But
> has anyone heard about ISPs having problems with this kind of attack?
> There are a lot of ways out there to protect the infrastructure IPs as
> well as spoofing techniques. It would be very helpful to know how these
> vulnerabilities are being used by hackers. According to Juniper there
> is no information about ISPs having real problems so far. We are going
> to upgrade about 80 Juniper routers in the next few days. Not willing to
> be the first victim...
> 
> Andre
> 
> > On Jan 12, 2010 6:29 PM, "Jonas Frey"
> > <jf at probe-networks.de> wrote:
> > 
> > Tim,
> > 
> > firewall filters help somewhat. But still someone can spoof this packet
> > and make it appear from one of your BGP peers, customers, management
> > network, etc etc.
> > There is no 100% effective way to protect against it.
> > 
> > E.g. if you peer with 10.0.0.22 (your upstream) and you are 10.0.0.21
> > and I know this (from traceroute etc) I can make the packet appear to
> > come from 10.0.0.22 and your firewall will let it through...bang.
> > BGP is most likely an open port (testing the first 1024 ports roughly
> > takes a second)...
> > Spoofing TCP is easy....
> > (I did write a small .c PoC myself and it works with spoofing.)
> > Also if you have a looking glass up somewhere that's a good point to
> > get peer IPs etc. from. (hint: don't print peer IPs)
> > Or if you are peering at an IXP...think about member lists.
> > 
> > I can confirm 7.6R4.3 (latest 7.x code officially available) is
> > vulnerable, too.
> > 
> > I just tried 7.5R1.12...and it's not vulnerable.
> > 
> > So after all the problematic code must have been introduced in 7.6.
> > 
> > 
> > Regards,
> > Jonas
> > 
> > 
> > On Tue, 2010-01-12 at 20:49, Tim Eberhard wrote:
> > > Jonas,
> > >
> > > Correct firewall filters *will* bloc...
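The two partial mitigations the thread discusses (RPF on edge interfaces and a loopback firewall filter that accepts BGP only from known peer addresses) as a Junos configuration fragment. This is an added example, not configuration from the thread or from Juniper; interface names, prefixes and filter/term names are assumed placeholders, and the peer address is the one used in Jonas's illustration. As the thread points out, a packet spoofed with a listed peer's source address still passes the filter term, so this narrows the exposure rather than removing it.

```junos
# Added example: strict uRPF on a customer-facing interface plus a
# control-plane filter on lo0. Names and addresses are placeholders.
interfaces {
    ge-0/0/0 {
        description "customer edge; drop packets whose source fails uRPF";
        unit 0 {
            family inet {
                rpf-check;                 # strict uRPF on this interface
                address 192.0.2.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;      # traffic destined to the RE
                }
                address 192.0.2.254/32;
            }
        }
    }
}
policy-options {
    prefix-list bgp-peers {
        10.0.0.22/32;                      # peer address from the thread
    }
}
firewall {
    family inet {
        filter protect-re {
            term bgp-from-known-peers {
                from {
                    source-prefix-list { bgp-peers; }
                    protocol tcp;
                    destination-port bgp;  # TCP 179
                }
                then accept;
            }
            term bgp-from-anyone-else {
                from { protocol tcp; destination-port bgp; }
                then { log; syslog; discard; }   # leaves a trace for review
            }
            # terms for SSH, OSPF, etc. belong here, before the final discard
            term everything-else { then { log; discard; } }
        }
    }
}
```

The `bgp-from-anyone-else` term is what makes the filter useful for detection: BGP attempts that hit it show up in the filter log and syslog even though the spoofing case in the thread will match the first term instead.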