IPv6 Route Header Type 0 (RH-0) vulnerability in JUNOS (CERT/CC VU#267289)

Article ID: JSA10369 SECURITY_ADVISORIES Last Updated: 09 May 2013 Version: 4.0
Legacy Advisory Id:
PSN-2007-04-034
Product Affected:
All current releases of JUNOS.

JUNOSe and ScreenOS are not affected.
Problem:
The processing of IPv6 Type 0 Routing Headers (RH0) can be abused for denial of service, as discussed in a recently published paper (see link below). Current best practice is to disable processing of RH0 extension headers altogether, since they are of extremely limited value.

All current releases of JUNOS are susceptible to this vulnerability.

The following packet types may trigger the vulnerability:
  • packets destined for the router itself that contain an RH0 extension header
  • transit packets in which the first extension header is a Hop-by-Hop Options header (next-header value 0) immediately followed by a Routing header (next-header value 43) of routing type 0 (RH0)
This vulnerability affects all J-series, M-series and T-series routers. JUNOSe and ScreenOS are not affected by this vulnerability.
Solution:
A firewall filter can be used to silently discard IPv6 datagrams that carry the RH0 extension header. The following filter discards every packet whose first extension header is a Hop-by-Hop Options header or a Routing header, which covers both trigger cases listed above:
firewall {
    family inet6 {
        filter filter_v6_rh {
            term 0 {
                from {
                    next-header [hop-by-hop routing];
                }
                then {
                    discard;
                }
            }
        }
    }
}
(In this firewall filter, it is preferred to use the keywords hop-by-hop and routing to identify the header types to match, rather than using numeric values 0 and 43 respectively.)

This filter should be applied to every logical interface on the router or, alternatively, to the forwarding table. For instructions on how to apply a firewall filter to an interface or to the forwarding table, refer to the URLs in the Related Links section below.
Implementation:
This filter discards every packet whose first extension header is a Hop-by-Hop Options header or a Routing header (the next-header match does not distinguish routing types, so routing headers other than type 0 are discarded as well); this includes both transit packets and packets addressed to the router itself. Note that discarding all hop-by-hop packets may have consequences for IPv6 operations that rely on that header, such as MLD and Router Alert.
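As an added example (not part of the Juniper advisory or of JUNOS), the following Python walks an IPv6 extension-header chain to locate an RH0 anywhere in the chain, reports how many further forwardings its address list would cause (the amplification behind the denial of service), and contrasts that with what the filter above actually tests: the first next-header value only. Header layouts follow RFC 2460 and RFC 4302. All packets are constructed in memory; the addresses, the ICMPv6 payload and the function names are this example's own assumptions.

```python
"""Find RH0 in an IPv6 extension-header chain; compare with a first-header filter.

Added example, not Juniper's code. Packets below are constructed, not captured.
"""
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
ICMPV6 = 58
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}


def options_header(next_header):
    """8-byte Hop-by-Hop or Destination Options header carrying one PadN option."""
    # next header, hdr ext len 0 (=> 8 octets total), PadN type 1 len 4, 4 zero bytes
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def rh0_header(next_header, addresses):
    """Type 0 Routing Header (RFC 2460 s4.4) visiting every listed address in order."""
    addr_bytes = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    # hdr ext len is in 8-octet units excluding the first 8 octets: 2 per address;
    # routing type 0; segments left = number of addresses still to visit
    return bytes([next_header, 2 * len(addresses), 0, len(addresses)]) + b"\x00" * 4 + addr_bytes


def ipv6_packet(src, dst, first_next_header, extensions, payload):
    """Fixed 40-byte IPv6 header followed by the extension headers and payload."""
    body = b"".join(extensions) + payload
    fixed = struct.pack("!IHBB16s16s", 0x60000000, len(body), first_next_header, 64,
                        ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return fixed + body


def walk_extension_chain(pkt):
    """Yield (next_header_value, offset, length) for each extension header, in order."""
    next_header, offset = pkt[6], 40
    while next_header in EXTENSION_HEADERS:
        if offset + 8 > len(pkt):
            raise ValueError("truncated extension header at offset %d" % offset)
        if next_header == FRAGMENT:
            length = 8
        elif next_header == AH:
            length = (pkt[offset + 1] + 2) * 4   # AH: 4-octet units, minus 2
        else:
            length = (pkt[offset + 1] + 1) * 8   # others: 8-octet units, minus 1
        if offset + length > len(pkt):
            raise ValueError("extension header runs past end of packet")
        yield next_header, offset, length
        next_header, offset = pkt[offset], offset + length


def find_rh0(pkt):
    """Return details of the first Type 0 Routing Header in the chain, or None."""
    for position, (nh, off, length) in enumerate(walk_extension_chain(pkt), start=1):
        if nh == ROUTING and pkt[off + 2] == 0:          # routing type 0
            addrs = [str(ipaddress.IPv6Address(pkt[i:i + 16]))
                     for i in range(off + 8, off + length, 16)]
            # every remaining segment is one more forwarding between the listed hosts
            return {"position": position, "segments_left": pkt[off + 3], "addresses": addrs}
    return None


def advisory_filter_discards(pkt):
    """Mirror the advisory's filter: it tests only the first next-header value."""
    return pkt[6] in (HOP_BY_HOP, ROUTING)


# Constructed sample data: two hosts A and B on one link, an off-link source,
# an ICMPv6 echo request with an unset checksum, and an A<->B bounce list.
A, B = "2001:db8::a", "2001:db8::b"
SRC = "2001:db8:ffff::1"
ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])
BOUNCE = [B, A] * 3

SAMPLES = {
    "hbh_then_rh0": ipv6_packet(SRC, A, HOP_BY_HOP,
                                [options_header(ROUTING), rh0_header(ICMPV6, BOUNCE)], ECHO),
    "rh0_first": ipv6_packet(SRC, A, ROUTING, [rh0_header(ICMPV6, BOUNCE)], ECHO),
    "dstopts_then_rh0": ipv6_packet(SRC, A, DEST_OPTS,
                                    [options_header(ROUTING), rh0_header(ICMPV6, BOUNCE)], ECHO),
    "plain": ipv6_packet(SRC, A, ICMPV6, [], ECHO),
}


def classify(name):
    """What the full chain walk finds versus what the first-header filter would do."""
    pkt = SAMPLES[name]
    return {"rh0": find_rh0(pkt), "filter_discards": advisory_filter_discards(pkt)}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, classify(sample))
```

The two trigger cases from the advisory (RH0 first, and hop-by-hop followed by RH0) are both caught by the first-header match. The `dstopts_then_rh0` sample is included only to make the match semantics visible: a chain walk finds the RH0 at position 2, while a test on the first next-header value alone does not, because that value is 60. The advisory does not say whether such a packet reaches the vulnerable code path; the example makes no claim about that.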
Severity Level:
High
Severity Assessment:
IPv6 routing headers can be crafted so that the address list makes a packet keep bouncing between two hosts, each traversal consuming bandwidth on the same link; a small number of such packets thus amounts to an amplification denial of service (DoS) attack on that link.

Related Links
