ESB-2018.2278 - [Juniper] Juniper Junos: Denial of service - Remote/unauthenticated 2018-08-07


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2278
       A vulnerability has been identified in Juniper platforms and
                         products running Junos OS
                               7 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Junos
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5390  

Reference:         ESB-2018.2275
                   ESB-2018.2271

Original Bulletin: 
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10876

- --------------------------BEGIN INCLUDED TEXT--------------------

2018-08 Out of Cycle Security Bulletin: Junos platforms vulnerable to
SegmentSmack attack [VU#962459]

Article ID:        JSA10876
Last Updated:      06 Aug 2018
Version:           1.0
       
- -------------------------------------------------------------------------------
Product Affected:
This issue affects all products and platforms running Junos OS
Problem:
On August 6, 2018, the CERT/CC published VU#962459 describing a Linux kernel
TCP implementation denial of service vulnerability.  This issue, informally
called "SegmentSmack", relies upon a crafted set of TCP segments over an
established TCP session to create a resource denial of service.  Internal
testing has confirmed that both Linux-based (WRL, CentOS, RHEL) systems and
FreeBSD-based products and platforms running Junos OS are vulnerable to the
SegmentSmack attack (CVE-2018-5390).

Crafted sequences of TCP/IP packets may allow a remote attacker to create a
denial of service (DoS) condition on routing engines (REs) running Junos OS.
The attack requires a successfully established two-way TCP connection to an
open port.  The rate of attack traffic is lower than typical thresholds for
built-in Junos OS distributed denial-of-service (DDoS) protection, so
additional configuration is required to defend against these issues on affected
platforms.  Refer to the WORKAROUND section for additional guidance.

This issue was discovered by an external security researcher.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2018-5390.

Solution:
Platforms confirmed to be vulnerable include, but are not limited to:

  o MX80
  o MX480
  o QFX5100
  o NFX 150/250
  o QFX5200
  o QFX10008
  o PTX10008
  o vMX, vSRX, vQFX, vPTX, etc.


Other platforms are still under investigation and continue to be tested by the
Juniper SIRT.

Since the attack requires a successfully established two-way TCP connection to
an open port, security best current practice of limiting the exploitable attack
surface of critical infrastructure networking equipment will mitigate this
issue.  Refer to the WORKAROUND section for additional guidance.

As software releases are updated to resolve this specific issue, this Juniper
Security Advisory (JSA) will be updated.

Workaround:
The TCP segment attack can be mitigated by using access lists or firewall
filters to limit access to the device only from trusted hosts.  Enable source
address validation such as uRPF to defend against attacks that rely upon an
established two-way TCP session to a reachable open port.
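
The workaround above expressed as Junos configuration; this is an added example, not text from the Juniper advisory. The filter, prefix-list and counter names, the documentation addresses and the interface ge-0/0/0 are assumptions to be replaced with site values.

```junos
# Added example (not from JSA10876). All names and addresses are placeholders.

# Hosts allowed to open TCP sessions to the routing engine: management
# stations plus every BGP/LDP/other TCP peer the device must talk to.
set policy-options prefix-list TRUSTED-TCP 192.0.2.0/24
set policy-options prefix-list TRUSTED-TCP 198.51.100.1/32

# Term 1: TCP from trusted sources reaches the RE.
set firewall family inet filter PROTECT-RE term trusted-tcp from source-prefix-list TRUSTED-TCP
set firewall family inet filter PROTECT-RE term trusted-tcp from protocol tcp
set firewall family inet filter PROTECT-RE term trusted-tcp then accept

# Term 2: all other TCP to the RE is counted and silently dropped.
# Do not place a blanket "tcp-established" accept ahead of this term:
# the advisory states the attack runs over an established session, and
# such segments carry ACK, so that term would let them through.
set firewall family inet filter PROTECT-RE term other-tcp from protocol tcp
set firewall family inet filter PROTECT-RE term other-tcp then count untrusted-tcp
set firewall family inet filter PROTECT-RE term other-tcp then discard

# Term 3: leave non-TCP handling unchanged in this sketch; a production
# RE filter would normally restrict these protocols as well.
set firewall family inet filter PROTECT-RE term everything-else then accept

# Filters on lo0 apply to traffic destined to the routing engine.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# Source address validation (uRPF) on an untrusted-facing interface, so a
# spoofed address from TRUSTED-TCP arriving there fails the reverse-path check.
# Strict mode drops legitimate traffic where routing is asymmetric.
set interfaces ge-0/0/0 unit 0 family inet rpf-check

# Apply with automatic rollback in case the filter cuts off management access:
#   commit confirmed 5
# After committing, the drop counter can be read with:
#   show firewall filter PROTECT-RE
```

A rising untrusted-tcp counter shows TCP reaching the RE from outside the trusted list; check it for missing legitimate peers before treating it as hostile traffic.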

Additionally, the following IDP anomaly signatures may reduce the risk to
devices from these types of attacks:

Anomaly Name: TCP:ERROR:REASS-MEMORY-OVERFLOW
Description: This protocol anomaly triggers when it detects a TCP Reassembler
that has exhausted all allocated memory for storing unacknowledged packets
Recommended action: Drop
Test String: REASS_MEMORY_OVERFLOW

Note: Memory threshold for the IDP-reassembler can be configured using IDP
sensor configuration.

Anomaly Name: TCP:ERROR:FLOW-MEMORY-EXCEEDED
Description: This protocol anomaly triggers when it detects that the TCP
Reassembler has too many packets stored in memory for a connection. This can
indicate an anti-IDS attack. This anomaly can be ignored in sniffer mode or in
case of asymmetric routing.
Recommended action: Drop
Test String: FLOW_MEMORY_OVERFLOW

Note: Memory threshold for per flow in-memory segments can be configured using
IDP sensor configuration.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/
Modification History:

  o 2018-08-06: Initial Publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process

  o KB16765: In which releases are vulnerabilities fixed?

  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

  o Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

  o CVE-2018-5390: TCP denial of service

CVSS Score:
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level:
High
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
