
A number of NAT/PAT devices effectively defeat the DNS source port randomization feature that was implemented to address DNS Cache Poisoning (CERT/CC VU#800113, CVE-2008-1447).


Article ID: JSA10403 SECURITY_ADVISORIES Last Updated: 05 Mar 2017 Version: 3.0
Legacy Advisory Id:
PSN-2009-03-252
Product Affected:
DXOS 5.x
JUNOS 8.x, 9.x
JUNOSe 8.x, 9.x
ScreenOS 5.x, 6.x
Problem:
A vulnerability related to DNS Cache Poisoning was recently disclosed (see Juniper Networks PSN-2008-06-040). In order to address this vulnerability, operating systems were modified to use random source ports for all DNS queries originated on the device. While deploying this modified code, it was discovered that Network Address Translation (NAT) counteracted the random selection of source ports. This results from NAT implementations that map the source port to a statically-defined port, sequentially-assigned port, or some other easily-predicted NAT port.
Solution:
Upgrade is recommended to the following or later releases:
DXOS: 5.3.7
JUNOS: 8.5 (E-EOL); 9.0R4; 9.1R3; 9.2R2; 9.3R1; 9.4R1
JUNOSe: 8.1.4; 8.2.4; 9.0.2; 9.1.2; 9.2.1; 9.3.0; 10.0.0
ScreenOS: 5.4r12; 6.0r8; 6.1r4; 6.2r1

DXOS:
- Default behavior has been changed. Source port randomization is now turned on by default.

JUNOSe:
- Default behavior has been changed. Source port randomization is now turned on by default.

JUNOS:
- A new configuration option has been defined that is required to be set to enable source port randomization. Please refer to product documentation for details.

ScreenOS:
- Interface-based DIP pools: source port randomization is turned on by default.
- Policy-based DIP pools: a new keyword has been defined that is required to be set to enable source port randomization. Please refer to product documentation for details.
Modification History:

2017-03-05: Category restructure.

Severity Level:
Medium
Severity Assessment:
Lack of source port randomization could break the fix for PSN-2008-06-040.