[Archive] Firewall filters applied to loopback interface do not affect traffic on other interfaces

  [JSA10317]


Legacy Advisory Id:
PSN-2003-11-001
Product Affected:
This Product Support Notice affects all T-series routers running Junos Release 5.7 and later.
Problem:
In Junos Release 5.7, firewall filters applied to the loopback interface on T-series routers do not affect traffic on other interfaces. Therefore, firewall filters designed to protect the Route Engine are ineffective.

This problem was documented in PR/40451.
Solution:
Junos Internet software was modified to ensure that filters applied to the loopback interface control traffic on all interfaces on the router.

The fix is available in Junos 5.7R4, 6.0R3, and 6.1R2 and later releases.
Workaround:
Any firewall filters applied to the loopback interface should be explicitly applied to all interfaces on the router.
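One way to check that the workaround is in place, as an added example that is not part of the Juniper advisory: the script reads a configuration in Junos "set" format and lists every logical interface whose input filter differs from the one applied to lo0 for the same address family. The sample configuration, the filter names and the function names are constructed for illustration, and the parser assumes filters are attached with `filter input <name>` only.

```python
import re

# Constructed sample configuration in Junos "set" format (not from the advisory).
SAMPLE_CONFIG = """\
set interfaces lo0 unit 0 family inet filter input protect-re
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
set interfaces so-0/0/0 unit 0 family inet filter input protect-re
set interfaces so-0/0/0 unit 0 family inet address 198.51.100.1/30
set interfaces so-0/1/0 unit 0 family inet address 198.51.100.5/30
set interfaces ge-1/0/0 unit 0 family inet filter input customer-in
set interfaces ge-1/0/0 unit 0 family inet address 203.0.113.1/24
"""

# Any statement under "interfaces X unit N family F"; the filter name is optional.
LINE_RE = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+) family (?P<family>\S+)"
    r"(?: filter input (?P<filter>\S+))?(?:\s|$)"
)

def input_filters(config):
    """Map (interface, unit, family) -> input filter name, or None if unfiltered."""
    table = {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            key = (m["ifd"], int(m["unit"]), m["family"])
            # Keep a filter seen on an earlier line for the same logical interface.
            table[key] = m["filter"] or table.get(key)
    return table

def missing_loopback_filter(config):
    """List (logical interface, family, lo0 filter, current filter) for each gap."""
    table = input_filters(config)
    lo0 = {fam: flt for (ifd, _, fam), flt in table.items() if ifd == "lo0" and flt}
    gaps = []
    for (ifd, unit, fam), flt in sorted(table.items()):
        if ifd == "lo0" or fam not in lo0:
            continue
        # A different filter is reported too: it must be reviewed to confirm
        # that it includes the protections of the lo0 filter.
        if flt != lo0[fam]:
            gaps.append((f"{ifd}.{unit}", fam, lo0[fam], flt))
    return gaps

if __name__ == "__main__":
    for name, fam, wanted, current in missing_loopback_filter(SAMPLE_CONFIG):
        print(f"{name} family {fam}: expected {wanted}, found {current}")
```
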
Implementation:
Juniper has corrected the problem in Junos 5.7R4, 6.0R3, and 6.1R2 and later releases. 
 
Modification History:
2018-03-22: update article with fix information.
Related Links:
CVSS Score:
n/a
Risk Level:
Critical
Risk Assessment:
Firewall filters applied to the loopback interface are ineffective in controlling traffic on other interfaces. If no firewall filter is explicitly applied to the other interfaces on the router, the router is vulnerable to numerous forms of attack.