Juniper Networks has modified several of its software products to include improved DNS forgery resilience mechanisms as suggested by Internet drafts and other sources.
Consult the following table to determine if your Juniper Networks product is susceptible to this vulnerability and what action is required to remedy the issue.
| Product | Vulnerable? | Action Required |
| --- | --- | --- |
| Network Firewall running ScreenOS software release 5.1 or higher | Yes | Upgrade to ScreenOS release 5.4r10, 6.0r5a, 6.1R2, or higher, or disable the Proxy DNS Address Splitting service if you have previously enabled it. ScreenOS software releases prior to release 5.1 do not implement the Proxy DNS Address Splitting service; therefore those releases are not vulnerable and no action is required. |
| JUNOS Enhanced Services software running on J-series service routers | Yes | Upgrade to a software release built on or after May 23, 2008, or disable DNS services |
| JUNOS software running on Juniper EX-series switch products | No | No action required; this product does not include DNS services |
| All other JUNOS software running on M-series, T-series, MX-series, TX-series, or J-series routing platforms | No | No action required; this product does not include DNS services |
| JUNOSe software running on E-series platforms | No | No action required; this product does not include DNS services |
| Service Deployment System (SDX) | No | Consult the provider of the underlying operating system on which the SDX application is installed for any additional information |
| Session and Resource Control (SRC-PE running on C-series appliances) | No | DNS services are not enabled by default |
| Steel-Belted Radius (application) | No | Consult the provider of the underlying operating system on which the SBR application is installed for any additional information |
| Steel-Belted Radius (network appliance) | No | No action required; DNS services are not enabled |
| WAN Accelerators (WX) | No | No action required; this product does not include DNS services |
| Data Center Accelerators (DX) | No | No action required; although this product includes DNS services, it acts only as a proxy for domain names not explicitly configured on the device. Since no results are cached, it is not susceptible to this vulnerability. |
| Secure Access Products (SSL/VPN) | No | No action required. NOTE: In some situations, the Windows Secure Access Manager (WSAM) will pass DNS requests to the underlying Windows operating system. Therefore, we urge customers to upgrade all Windows Mobile and Windows client systems with the latest patches. |
| Intrusion Detection (IDP) | No | No action required; this product does not include DNS services |
| Network Systems Manager (NSM and NSMXpress) | No | No action required; these products do not include DNS services |
| Unified Access Control (UAC) | No | No action required; this product does not include DNS services |
| Circuit-to-Packet Gateway | No | No action required; this product does not include DNS services |
| Security Threat Response Manager (STRM) | No | No action required; this product does not include DNS services |