Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Denial of Service caused by stalled TCP sessions (FreeBSD-SA-05:15.tcp)

0

0

Article ID: JSA10351 SECURITY_ADVISORIES Last Updated: 09 May 2013Version: 2.0
Legacy Advisory Id:
PSN-2005-08-002
Product Affected:
All Juniper Networks M/T/J/E-series routers.
Problem:
FreeBSD Security Advisory, FreeBSD-SA-05:15.tcp, describes two vulnerabilities of some TCP implementations which can expose them to attacks that stall TCP sessions, resulting in a denial-of-service (DoS) condition.

The first of these problems is described as "inadequate sequence number checking when using TCP timestamps". The risk of exposure to Juniper Networks products and the mitigation procedures associated with this problem are already described in JTAC Technical Bulletin PSN-2005-06-003.

The second problem described in the Security Advisory occurs when a TCP packet with the SYN flag set is accepted for established connections, allowing certain TCP options to be overwritten. An attacker with knowledge of the local and remote IP and port numbers associated with a connection can overwrite these TCP options and stall the TCP session. Any TCP-based protocol or service running on a JUNOS- or JUNOSe-based platform is subject to this vulnerability.

This second issue, overwriting TCP options when SYN flag set, is tracked internally as Defect 68800 for JUNOSe software and PR/61097 for JUNOS software.

Solution:
Changes have been made in the JUNOSe and JUNOS software to mitigate the potential vulnerability with overwriting TCP options when the SYN flag is set.

In addition, Juniper Networks strongly recommends that customers take full advantage of all the security tools available in JUNOS and JUNOSe software, including the use of MD5 checksums and source address (SA) validation for TCP sessions.

Implementation:
For JUNOSe software (used on E-series routers), customers should contact the Juniper Networks Technical Assistance Center to get information about downloading software versions that contain the software changes.

All JUNOS software (for M/T/J-series routers) for Release 6.4 built on or after July 29, 2005 contains modified code that provides expanded TCP validation checks. All JUNOS software Releases 7.0 to 7.2 built on or after July 27, 2005 contain modified code that provides expanded TCP validation checks. All JUNOS software Releases 7.3 and later built on or after July 2, 2005 also contain the modified code.

Severity Level:
Medium
Severity Assessment:
An attacker can interfere with router TCP sessions by injecting TCP packets with the SYN flag set if sessions do not use security protections such as MD5 authentication. Risk assessment is moderate for Juniper Networks M/T/J/E-series routers.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search