Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Buffer overflow vulnerability in PPP (CVE-2006-4304)

0

0

Article ID: JSA10365 SECURITY_ADVISORIES Last Updated: 09 May 2013Version: 2.0
Legacy Advisory Id:
PSN-2006-11-017
Product Affected:
All Juniper Networks J-series routing platforms running JUNOS software prior to release 7.6.
Problem:
Juniper J-series routing platforms running JUNOS software prior to release 7.6 are susceptible to the vulnerability described in CVE-2006-4304 and FreeBSD Security Advisory FreeBSD-SA-06:18.ppp. When processing LCP configuration options received from the remote host, the PPP driver fails to correctly validate the length of the PPP options, and data can be read or written beyond the allocated kernel memory buffer. This can cause the kernel to panic.

Juniper J-series routing platforms which are running JUNOS release 7.5 or earlier releases and are using the PPP IPCP option negotiate-address are affected by this vulnerability. The negotiate-address option is used to negotiate an IP address assignment from the remote end, and is configured under the family inet stanza, as in the following example:
interfaces {
    so-0/2/0 {
        unit 0 {
            family inet {
                negotiate-address;
            }
        }
    }               
}
Juniper J-series routing platforms running JUNOS release 7.6 or higher, or which do not use the negotiate-address option, are not susceptible to this vulnerability. No other Juniper platforms are affected by this vulnerability.

This issue is tracked internally as PR/76427.
Solution:
Customers with J-series routing platforms running JUNOS release 7.5 or earlier can avoid this vulnerability by avoiding the use of the PPP IPCP option negotiate-address.
Implementation:
If it is not possible to remove the negotiate-address from the router configuration, customers are encouraged to upgrade to JUNOS release 7.6 or higher.
Severity Level:
Low
Severity Assessment:
An attacker can cause a Juniper J-series routing platform to crash if the device is running JUNOS 7.5 or earlier releases and is configured for IP address assignment negotiation from the remote end. Risk assessment is low for Juniper Networks Juniper Networks J-series routing platforms.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search