
Certain crafted IPv6 packets cause the kernel to "leak" memory and eventually crash (CERT/CC VU#294036)

  [JSA10364]


Legacy Advisory Id:
PSN-2006-06-017
Product Affected:
All releases of JUNOS Internet Software built prior to May 10, 2006.
Problem:

Certain IPv6 packet headers are processed prior to being able to determine if the packet is valid. If an invalid packet addressed to one of the router's own addresses is received and discarded after the headers are processed, the memory buffer occupied by the packet is not released. Repeated reception of such packets can eventually consume all kernel packet memory and cause the router to crash.

This issue is documented within Juniper as PR/67593.

This issue affects all releases of JUNOS Internet Software running on M-series, T-series, and J-series routers and built prior to May 10, 2006. No other Juniper Networks products are affected by this vulnerability.

 Confidentiality Notice
The information in this bulletin is provided by Juniper Networks for the sole use of employees and registered customers. This information must not be disclosed to other persons without the express consent of Juniper Networks.

 Acknowledgement:
Juniper Networks wishes to thank the staff of Polish Telecom R&D for discovering and reporting this problem.
Solution:

The JUNOS IPv6 code has been corrected to release the memory occupied by the invalid packet in all cases. All releases of JUNOS software built on or after May 10, 2006 include the corrected code.

Corrected code can be downloaded using the following URLs:

  • JUNOS 6.3 Service Release
    • https://download.juniper.net/software/junos/regressed/6.3/jinstall-6.3-20060613.0-domestic-signed.tgz
    • https://download.juniper.net/software/junos-export/regressed/6.3/jinstall-6.3-20060613.0-export-signed.tgz
    J-series and FIPS software are not available for JUNOS 6.3
  • JUNOS 6.4 Service Release
    • https://download.juniper.net/software/junos/regressed/6.4/jinstall-6.4-20060523.1-domestic-signed.tgz
    • https://download.juniper.net/software/junos-export/regressed/6.4/jinstall-6.4-20060523.1-export-signed.tgz
    J-series and FIPS software are not available for JUNOS 6.4
  • JUNOS 7.0 Service Release
    • https://download.juniper.net/software/junos/regressed/7.0/jinstall-7.0-20060523.0-domestic-signed.tgz
    • https://download.juniper.net/software/junos/regressed/7.0/junos-jseries-7.0-20060523.0-domestic.tgz
    • https://download.juniper.net/software/junos-export/regressed/7.0/jinstall-7.0-20060523.0-export-signed.tgz
    • https://download.juniper.net/software/junos-export/regressed/7.0/junos-jseries-7.0-20060523.0-export.tgz
    FIPS software is not available for JUNOS 7.0
  • JUNOS 7.1 Service Release
    • https://download.juniper.net/software/junos/regressed/7.1/jinstall-7.1-20060523.0-domestic-signed.tgz
    • https://download.juniper.net/software/junos/regressed/7.1/junos-jseries-7.1-20060523.0-domestic.tgz
    • https://download.juniper.net/software/junos-export/regressed/7.1/jinstall-7.1-20060523.0-export-signed.tgz
    • https://download.juniper.net/software/junos-export/regressed/7.1/junos-jseries-7.1-20060523.0-export.tgz
    FIPS software is not available for JUNOS 7.1
  • JUNOS 7.2 Service Release
    • https://download.juniper.net/software/junos/regressed/7.2/junos-jseries-7.2-20060511.0-fips.tgz
    • https://download.juniper.net/software/junos/regressed/7.2/jinstall-7.2-20060511.0-domestic-signed.tgz
    • https://download.juniper.net/software/junos/regressed/7.2/junos-jseries-7.2-20060511.0-domestic.tgz
    • https://download.juniper.net/software/junos-export/regressed/7.2/jinstall-7.2-20060511.0-export-signed.tgz
    • https://download.juniper.net/software/junos-export/regressed/7.2/junos-jseries-7.2-20060511.0-export.tgz

  • JUNOS 7.3R4.3
    • https://download.juniper.net/software/junos-fips/7.3R4.3/junos-juniper-7.3R4.3-fips.tgz
    • https://download.juniper.net/software/junos/7.3R4.3/jinstall-7.3R4.3-domestic-signed.tgz
    • https://download.juniper.net/software/junos/7.3R4.3/junos-jseries-7.3R4.3-domestic.tgz
    • https://download.juniper.net/software/junos-export/7.3R4.3/jinstall-7.3R4.3-export-signed.tgz
    • https://download.juniper.net/software/junos-export/7.3R4.3/junos-jseries-7.3R4.3-export.tgz

  • JUNOS 7.4R3.4
    • https://download.juniper.net/software/junos-fips/7.4R3.4/junos-juniper-7.4R3.4-fips.tgz
    • https://download.juniper.net/software/junos/7.4R3.4/jinstall-7.4R3.4-domestic-signed.tgz
    • https://download.juniper.net/software/junos/7.4R3.4/junos-jseries-7.4R3.4-domestic.tgz
    • https://download.juniper.net/software/junos-export/7.4R3.4/jinstall-7.4R3.4-export-signed.tgz
    • https://download.juniper.net/software/junos-export/7.4R3.4/junos-jseries-7.4R3.4-export.tgz

  • JUNOS 7.5 Service Release
    • https://download.juniper.net/software/junos/regressed/7.5/junos-jseries-7.5-20060511.0-fips.tgz
    • https://download.juniper.net/software/junos/regressed/7.5/jinstall-7.5-20060511.0-domestic-signed.tgz
    • https://download.juniper.net/software/junos/regressed/7.5/junos-jseries-7.5-20060511.0-domestic.tgz
    • https://download.juniper.net/software/junos-export/regressed/7.5/jinstall-7.5-20060511.0-export-signed.tgz
    • https://download.juniper.net/software/junos-export/regressed/7.5/junos-jseries-7.5-20060511.0-export.tgz
    Please see caveat section below.
  • JUNOS 7.6R1.10
    • https://download.juniper.net/software/junos/7.6R1.10/junos-jseries-7.6R1.10-fips.tgz
    • https://download.juniper.net/software/junos/7.6R1.10/jinstall-7.6R1.10-domestic-signed.tgz
    • https://download.juniper.net/software/junos/7.6R1.10/junos-jseries-7.6R1.10-domestic.tgz
    • https://download.juniper.net/software/junos-export/7.6R1.10/jinstall-7.6R1.10-export-signed.tgz
    • https://download.juniper.net/software/junos-export/7.6R1.10/junos-jseries-7.6R1.10-export.tgz
    Please see caveat section below.
  • JUNOS 8.0B1.2 (Registered Beta test customers only)
    • https://download.juniper.net/software/junos/beta/8.0B1.2/junos-jseries-8.0B1.2-fips.tgz
    • https://download.juniper.net/software/junos/beta/8.0B1.2/jinstall-8.0B1.2-domestic-signed.tgz
    • https://download.juniper.net/software/junos/beta/8.0B1.2/junos-jseries-8.0B1.2-domestic.tgz
    • https://download.juniper.net/software/junos-export/beta/8.0B1.2/jinstall-8.0B1.2-export-signed.tgz
    • https://download.juniper.net/software/junos-export/beta/8.0B1.2/junos-jseries-8.0B1.2-export.tgz
Implementation:

Customers are strongly encouraged to upgrade their JUNOS software to a release built on or after May 10, 2006.

As an alternative, if IPv6 processing is not required, remove family inet6 from all interface configurations.

If IPv6 processing is required, construct a firewall filter that permits only required IPv6 header types and apply that filter as an input filter on all interfaces that are enabled for IPv6 processing, or apply the filter to the router's loopback interface(s). Please note that a firewall filter cannot completely protect the router, due to the structure of IPv6 packets. The presence of optional IPv6 headers precludes the ability to locate key fields which the filter would need to process.
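One way to write the filter workaround described above, as an added example that is not part of Juniper's advisory. The filter name, term names, counter name and the list of permitted next-header values are assumptions; replace them with the protocols the router actually needs to receive.

```junos
/* Added example: IPv6 input filter for the routing engine. */
/* The names PROTECT-RE-V6 and v6-unexpected-header are placeholders. */
firewall {
    family inet6 {
        filter PROTECT-RE-V6 {
            /* Neighbor discovery and other ICMPv6 control traffic. */
            term allow-icmp6 {
                from {
                    next-header icmp6;
                }
                then accept;
            }
            /* Transport protocols used by management and routing sessions. */
            term allow-tcp-udp {
                from {
                    next-header [ tcp udp ];
                }
                then accept;
            }
            /* Anything else, including packets that begin with an */
            /* optional extension header, is counted and dropped.  */
            /* "discard" is used rather than "reject" because of   */
            /* the PR/71327 caveat for JUNOS 7.5 builds prior to   */
            /* March 27, 2006.                                     */
            term drop-everything-else {
                then {
                    count v6-unexpected-header;
                    discard;
                }
            }
        }
    }
}
/* Apply as an input filter on the loopback interface. */
interfaces {
    lo0 {
        unit 0 {
            family inet6 {
                filter {
                    input PROTECT-RE-V6;
                }
            }
        }
    }
}
```

The `next-header` condition matches the Next Header value in the fixed IPv6 header only, which is the limitation the advisory notes: this is partial protection, and upgrading remains the fix. A rising `v6-unexpected-header` counter is a useful signal to investigate.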

 Caveats:
If you are running JUNOS version 7.5 software built prior to March 27, 2006, and you configure a firewall filter to provide partial protection against this vulnerability, you may encounter a kernel crash due to PR/71327. In this case, you must change all "reject" actions in the IPv6 firewall filter to "discard" actions. The fix for PR/71327 is included in all JUNOS 7.5 software built on or after March 27, 2006.

If you install the corrected code for JUNOS 7.5 or 7.6, you might encounter an unrelated memory leak, due to PR/73763. If you encounter this bug, either remove your IPv6 output firewall filters or change all "discard" actions to "reject" actions to avoid this bug. This bug will be fixed in future JUNOS releases.

If you install the corrected code for JUNOS 7.5 or 7.6 and you use BGP multipath, you might also encounter a crash of the routing process, due to PR/73523. This bug will be fixed in future JUNOS releases. Until then, the only workaround is to disable BGP multipath.

 Disclaimer:
Juniper Networks is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. Juniper Networks expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of noninfringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. Juniper Networks may change this notice at any time.
Risk Level:
High
Risk Assessment:
This vulnerability is a remotely exploitable Denial of Service. An attacker requires no logon access or other privileges on the router.