
TCP does not adequately validate segments before updating timestamp value (CERT/CC VU#637934)
Article ID: JSA10349 (SECURITY_ADVISORIES)
Last Updated: 09 May 2013
Version: 2.0
Legacy Advisory Id:
Product Affected:
All Juniper Networks M/T/J/E-series routers.

Two techniques for increasing the performance of TCP are using TCP timestamps and using Protection Against Wrapped Sequence Numbers (PAWS), both of which are described in RFC 1323. When enabling both of these features, certain TCP implementations may be vulnerable to a denial of service (DoS) condition from attacks with packets using specially-crafted timestamp values.

Any TCP-based protocol or service running on a JUNOS- or JUNOSe-based platform is subject to this vulnerability.

Currently, both JUNOS- and JUNOSe-based platforms will use TCP timestamps if the connection peer requests them. Additionally, JUNOS- (but not JUNOSe-) based platforms will request the use of TCP timestamps when initiating a connection.

This issue is tracked internally as CQ/65716 for JUNOSe and PR/58335 for JUNOS software.
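To make the mechanism behind VU#637934 concrete, here is an added example (not Juniper code and not taken from this advisory) that models the receiver-side PAWS check of RFC 1323 section 4.2 in Python. It contrasts the flawed ordering the advisory describes, where TS.Recent is updated before the segment's sequence number is validated, with the correct ordering, and shows how a single bogus segment makes the receiver discard all later legitimate segments in the flawed case. The window sizes, sequence numbers and timestamp values are constructed for the demonstration.

```python
# Added example (not Juniper code): model of the receiver-side PAWS check
# from RFC 1323 section 4.2. Simplifications: 1-byte segments, no
# sequence-number wrap, no ACK generation; all values are constructed.
from dataclasses import dataclass

def ts_before(a: int, b: int) -> bool:
    """True if 32-bit timestamp a is older than b (modular comparison)."""
    return ((a - b) & 0xFFFFFFFF) > 0x7FFFFFFF

@dataclass
class Segment:
    seq: int    # SEG.SEQ
    tsval: int  # SEG.TSval carried in the timestamps option

class PawsReceiver:
    def __init__(self, rcv_nxt: int, rcv_wnd: int, validate_first: bool):
        self.rcv_nxt, self.rcv_wnd = rcv_nxt, rcv_wnd
        self.ts_recent = None           # TS.Recent; None until first sample
        self.validate_first = validate_first

    def in_window(self, seg: Segment) -> bool:
        return self.rcv_nxt <= seg.seq < self.rcv_nxt + self.rcv_wnd

    def receive(self, seg: Segment) -> bool:
        """Return True if the segment is accepted, False if discarded."""
        # PAWS test: a timestamp older than TS.Recent is an old duplicate.
        if self.ts_recent is not None and ts_before(seg.tsval, self.ts_recent):
            return False
        if not self.validate_first:
            # Flawed ordering (the advisory's issue): TS.Recent is taken from
            # any segment passing PAWS, even one with an out-of-window SEQ.
            self.ts_recent = seg.tsval
        if not self.in_window(seg):
            return False
        if self.validate_first and seg.seq <= self.rcv_nxt:
            # RFC 1323: update TS.Recent only from an acceptable segment with
            # SEG.SEQ <= Last.ACK.sent (modelled here as RCV.NXT).
            self.ts_recent = seg.tsval
        if seg.seq == self.rcv_nxt:
            self.rcv_nxt += 1
        return True

def run_scenario(validate_first: bool) -> list:
    """Accept/discard results for: an in-order segment, an out-of-window
    segment carrying a far-future timestamp, then the next in-order segment."""
    r = PawsReceiver(rcv_nxt=1000, rcv_wnd=16384, validate_first=validate_first)
    return [r.receive(Segment(seq=1000, tsval=100)),
            r.receive(Segment(seq=5_000_000, tsval=2_000_000)),
            r.receive(Segment(seq=1001, tsval=101))]
```

With `validate_first=False` the third, legitimate segment is discarded because TS.Recent was poisoned by the out-of-window segment; with `validate_first=True` the bogus segment is dropped without touching TS.Recent and the session continues.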


Customers can mitigate the potential vulnerability associated with the use of TCP timestamps and the PAWS feature of TCP in both JUNOS and JUNOSe software as follows:

1) JUNOSe (E-series routers):

Starting with JUNOSe Release 6.1.2, a new configuration option allows you to disable negotiation of RFC 1323 PAWS functionality. The CLI command for the new, per-VR global configuration option is as follows:

    ERX(config)# [no] ip tcp paws-disable

2) JUNOS (M/T/J-series routers):

All JUNOS software Releases 6.4 and later built on or after June 2, 2005 contain modified code that provides expanded validation checks for TCP sequence numbers. In addition, two new hidden configuration statements have been introduced to control the use of RFC 1323 TCP features. In Release 6.4 these statements are located at the [edit system] hierarchy level; in Releases 7.0 and later, they are located at the [edit system internet-options] hierarchy level.

This statement disables RFC 1323 PAWS TCP extensions. By default, they are enabled.

    set no-tcp-rfc1323

This statement disables RFC 1323 TCP extensions. By default, they are enabled. If this option is configured, the option that disables RFC 1323 PAWS TCP extensions must also be configured.

These configuration options are hidden and therefore you must type them in their entirety when adding them to the router's configuration.


Juniper Networks strongly recommends that customers take full advantage of all the security tools available in JUNOS and JUNOSe software, including the use of MD5 checksums and source address (SA) validation for TCP sessions.

For customers who require additional protection, Juniper Networks recommends installing a version of software that includes the changes to the TCP protocol. Contact the Juniper Networks Technical Assistance Center for availability and download information for JUNOSe software with the code changes. All JUNOS software Releases 6.4 and later built on or after June 2, 2005 include the modified code.

Severity Level:
Severity Assessment:
An attacker can interfere with router TCP sessions when RFC 1323 TCP Timestamps and PAWS extensions are negotiated for sessions without security protections such as MD5 authentication. Risk assessment ranges from low for Juniper Networks E-series routers to moderate for Juniper Networks M/T/J-series routers.
