[nsp-sec] Junos: rpd crash due to crafted BGP UPDATE (CVE-2017-2313)

Chris Morrow morrowc at ops-netman.net
Sat Apr 15 13:09:18 EDT 2017


At Sat, 15 Apr 2017 08:52:48 -0700,
Damian Menscher <damian at google.com> wrote:
> 
> ----------- nsp-security Confidential --------
> 
> I noticed that Juniper's latest set of advisories includes an rpd crash
> with no description of the bug or workaround listed [0].  Does anyone have
> more details on this vulnerability?  Pushing a new Junos release is risky,
> but without any known workaround it doesn't seem like there's an
> alternative.
> 

Yes :( Mostly, thankfully, we were already planning an upgrade,
but... clearly not at "oh crap!" pace. I haven't heard other folk
(whom I've asked) pipe up about possible update content either :(

> Also, please update this thread if you hear of exploits in the wild (the
> advisory says there aren't any, but I assume the patch can be reverse
> engineered).  Given it's Easter weekend, it wouldn't surprise me if many
> networks remain vulnerable for a while.
> 
> [0] https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10778
> 
> Damian
> 
> 

