Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

JUNOS kernel cores when it receives an crafted TCP option.



Article ID: JSA10419 SECURITY_ADVISORIES Last Updated: 09 May 2013Version: 6.0
Legacy Advisory Id:
Product Affected:
All JUNOS Devices
The JUNOS kernel will crash (i.e. core) when a specifically crafted TCP option is received on a listening TCP port. A router receiving this specific TCP packet will crash and reboot.

The JUNOS packet filter cannot explicitly match this specifically crafted packet. A combination of anti-spoof and TCP filtering using best common practices can limit the exposure which will mitigate the vulnerability.

This issue was encountered via vendor interoperability configurations on a live network through normal network operations. Further internal investigation determined the underlying vulnerability and exploit.
Customers are recommended to upgrade JUNOS through planned and methodical upgrade processes.

All JUNOS software releases built on or after January 28, 2009 have fixed this specific issue. This specifically includes 8.1S2, 8.5-20090226-SR, 9.0-20090612-SR, 9.1R4, 9.2-20090130-SR, 9.2R4, , 9.3-20090223-SR, 9.3-20090212-SR, 9.3R3, 9.4R1, and all subsequent releases.

PR Reference for this issue is PR 410970

There are no totally effective workarounds for this specifically crafted TCP packet. Risk can be minimized by using best common practices (BCPs) which limit TCP packets which are destined to the JUNOS device. The crafted TCP packet is spoofable, requiring IETF BCP 38 "anti-spoofing" techniques to prevent a spoofed packet from entering a network.

Note: If IETF BCP 38 style anti-spoofing is not feasible for all traffic, focus on anti-spoofing for the IP addresses used for the control plane, management plane, and link addresses. Packets transiting the router have no impact. The packet must be destined for an interface on the router which is listening to TCP.
CVSS Score:
7.8. (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Severity Level:
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search