Knowledge Search


JUNOS kernel cores when it receives an crafted TCP option.

  [JSA10419] Show Article Properties

Legacy Advisory Id:
Product Affected:
All JUNOS Devices
The JUNOS kernel will crash (i.e. core) when a specifically crafted TCP option is received on a listening TCP port. A router receiving this specific TCP packet will crash and reboot.

The JUNOS packet filter cannot explicitly match this specifically crafted packet. A combination of anti-spoof and TCP filtering using best common practices can limit the exposure which will mitigate the vulnerability.

This issue was encountered via vendor interoperability configurations on a live network through normal network operations. Further internal investigation determined the underlying vulnerability and exploit.
Customers are recommended to upgrade JUNOS through planned and methodical upgrade processes.

All JUNOS software releases built on or after January 28, 2009 have fixed this specific issue. This specifically includes 8.1S2, 8.5-20090226-SR, 9.0-20090612-SR, 9.1R4, 9.2-20090130-SR, 9.2R4, , 9.3-20090223-SR, 9.3-20090212-SR, 9.3R3, 9.4R1, and all subsequent releases.

PR Reference for this issue is PR 410970

There are no totally effective workarounds for this specifically crafted TCP packet. Risk can be minimized by using best common practices (BCPs) which limit TCP packets which are destined to the JUNOS device. The crafted TCP packet is spoofable, requiring IETF BCP 38 "anti-spoofing" techniques to prevent a spoofed packet from entering a network.

Note: If IETF BCP 38 style anti-spoofing is not feasible for all traffic, focus on anti-spoofing for the IP addresses used for the control plane, management plane, and link addresses. Packets transiting the router have no impact. The packet must be destined for an interface on the router which is listening to TCP.
Related Links:
CVSS Score:
7.8. (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Risk Level:
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."