2012-04 Security Bulletin: Junos: Corrupted MPLS payload causing in_checksum() errors leading to RE switchover

Advisory Id:
JSA10504


Legacy Advisory Id:
PSN-2012-04-546
Product Affected:
This issue can affect all Junos routers with MPLS enabled.
Problem:

Receipt of a high rate of corrupted Pseudo Wire (l2vpn or l2circuit) control words from an adjacent node, which are diverted to the RE without policing, can cause the RE to become overloaded, resulting in an RE switchover (or in single RE environments, a reboot). In extreme cases, the corrupted stream can also trigger sudden FPC reboots due to keepalive failure. Receipt of a high rate of Router Alert (label = 1) MPLS packets with a corrupted payload -- which are typically constrained within an MPLS domain but can traverse multiple physical hops -- can also cause an RE switchover or FPC reboot.

While both cases were originally found to be caused by bad hardware, the possibility of malicious exploit still exists.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.
Solution:

The issue of excessive impact to the RE due to bad packets was caused by an inefficiency in error logging. The fix here is to replace the inefficient code with a call to a debug function that increments a counter, and for the first occurrence of corruption, stores the packet and the backtrace in memory. This coding change significantly reduces the load from packet corruption.
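The C below is an added illustration of the pattern the fix describes; it is not Juniper's code and the advisory shows no Junos source. It contrasts a handler that formats and emits every corrupted packet with one that only increments a counter and keeps the first offending packet, so that a flood of bad packets costs one increment each. The pseudowire control-word check (RFC 4385, first nibble must be 0000 for a data packet), the sample packets and all function names are constructed for the example, and the saved "backtrace" is stood in for by a caller tag string.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SAVED_PKT 256

/* Everything the cheap path keeps: a counter, the first offending packet and a
   tag standing in for the backtrace the advisory says the fix stores. */
struct corrupt_stats {
    uint64_t count;
    uint8_t  first_pkt[MAX_SAVED_PKT];
    size_t   first_len;
    char     first_ctx[64];
};

static struct corrupt_stats g_stats;

/* Pseudowire control word (RFC 4385): for a data packet the first nibble is
   0000. Simplification for this example: 0001 (the PW associated channel) is
   treated as invalid too, so any nonzero first nibble counts as corrupt. */
int pw_control_word_valid(const uint8_t *pkt, size_t len)
{
    if (len < 4)
        return 0;
    return (pkt[0] & 0xF0) == 0;
}

/* Before: format and emit the whole packet on every event. On a control plane
   this per-packet cost is what let a corrupted stream overload the RE.
   Kept only for contrast; the burst simulation below never calls it. */
void corrupt_handler_logging(const uint8_t *pkt, size_t len)
{
    fprintf(stderr, "corrupted PW control word, %zu bytes:", len);
    for (size_t i = 0; i < len; i++)
        fprintf(stderr, " %02x", pkt[i]);
    fputc('\n', stderr);
}

/* After: O(1) per event. Bump the counter; only the first event pays for a
   copy of the packet and the context tag. */
void corrupt_handler_counted(const uint8_t *pkt, size_t len, const char *ctx)
{
    g_stats.count++;
    if (g_stats.count == 1) {
        size_t n = len < MAX_SAVED_PKT ? len : MAX_SAVED_PKT;
        memcpy(g_stats.first_pkt, pkt, n);
        g_stats.first_len = n;
        snprintf(g_stats.first_ctx, sizeof g_stats.first_ctx, "%s", ctx);
    }
}

void corrupt_reset(void) { memset(&g_stats, 0, sizeof g_stats); }
uint64_t corrupt_count(void) { return g_stats.count; }
size_t corrupt_first_len(void) { return g_stats.first_len; }
const uint8_t *corrupt_first_pkt(void) { return g_stats.first_pkt; }
const char *corrupt_first_ctx(void) { return g_stats.first_ctx; }

/* Constructed sample packets: a 4-byte control word followed by 4 payload bytes. */
static const uint8_t kGoodPkt[8]    = { 0x00, 0x00, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t kCorruptPkt[8] = { 0xF3, 0x00, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef };

/* Feed one good packet followed by n corrupted ones through the cheap path
   and return how many corruption events were counted. */
uint64_t simulate_burst(size_t n)
{
    corrupt_reset();
    for (size_t i = 0; i <= n; i++) {
        const uint8_t *p = (i == 0) ? kGoodPkt : kCorruptPkt;
        if (!pw_control_word_valid(p, sizeof kGoodPkt))
            corrupt_handler_counted(p, sizeof kGoodPkt, "simulate_burst");
    }
    return corrupt_count();
}

int main(void)
{
    uint64_t n = simulate_burst(100000);
    printf("counted %llu corrupt packets; first sample %zu bytes, ctx %s, first byte 0x%02x\n",
           (unsigned long long)n, corrupt_first_len(), corrupt_first_ctx(),
           corrupt_first_pkt()[0]);
    return 0;
}
```

The point of the counted path is that the work per event no longer scales with packet size or with formatting cost, which is what turns a high-rate corrupted stream from a control-plane overload into a counter you can alarm on.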

All Junos OS software releases built on or after 2012-01-18 have fixed this specific issue. Releases containing the fix specifically include: 10.4R9, 11.2R5, 11.3R4, 11.4R1, and all subsequent releases (i.e. all releases built after 11.4R1).

This issue is being tracked as PR 699835 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround:

For Pseudo Wire environments (e.g. L2VPN) receiving corrupted control-words:
     [edit routing-instances l2vpn protocols l2vpn]
     +     no-control-word;

For Pseudo Wire or other MPLS environments receiving Router Alert labels with corrupt payloads, remove internally generated labels from the forwarding-table:
     [edit routing-options]
     +   forwarding-table {
     +       export no-label-1;
     +   }
     [edit policy-options policy-statement no-label-1]
     +    term 1 {
     +        from protocol mpls;
     +        then reject;
     +    }
     +    term 2 {
     +        then accept;
     +    }

Note that this will not work if MPLS packets are received on fxp0 for explicit zero packets; however, such scenarios are very rare. Also, the 'protocol mpls' criterion is only supported in Junos 10.2 and later.

Caution must be used when filtering MPLS labels. For example, labels should not be filtered on P routers, and mixed vendor environments may have additional limitations on label filtering. Filtering MPLS labels can also cause MPLS traceroute to time out at the egress node. Always test routing policy changes before deploying them widely throughout your network.
Implementation:


How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.
Related Links:
CVSS Score:
5.4 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
Severity Level:
Medium
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
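As an added example, not part of the advisory, the C below is a small CVSS v2 base-score calculator that parses the vector string given above and reproduces the 5.4 score from the published v2 equations, so the effect of each metric can be checked (the same vector with AC:L instead of AC:H scores 7.8, which shows how much weight the "high access complexity" rating carries). The function names are mine; the metric weights and formulas are those of the CVSS v2 specification.

```c
#include <stdio.h>
#include <string.h>

/* Weight of one CVSS v2 base metric value; -1.0 if the metric or value is unknown. */
static double cvss2_weight(const char *metric, char value)
{
    if (strcmp(metric, "AV") == 0)
        return value == 'L' ? 0.395 : value == 'A' ? 0.646 : value == 'N' ? 1.0 : -1.0;
    if (strcmp(metric, "AC") == 0)
        return value == 'H' ? 0.35 : value == 'M' ? 0.61 : value == 'L' ? 0.71 : -1.0;
    if (strcmp(metric, "Au") == 0)
        return value == 'M' ? 0.45 : value == 'S' ? 0.56 : value == 'N' ? 0.704 : -1.0;
    if (strcmp(metric, "C") == 0 || strcmp(metric, "I") == 0 || strcmp(metric, "A") == 0)
        return value == 'N' ? 0.0 : value == 'P' ? 0.275 : value == 'C' ? 0.660 : -1.0;
    return -1.0;
}

/* Parse "AV:x/AC:x/Au:x/C:x/I:x/A:x" and return the v2 base score rounded to
   one decimal, or -1.0 for a malformed, incomplete or duplicated vector. */
double cvss2_base_score(const char *vector)
{
    const char *names[6] = { "AV", "AC", "Au", "C", "I", "A" };
    double w[6];
    int seen = 0;
    char buf[64];

    for (int i = 0; i < 6; i++)
        w[i] = -1.0;
    if (strlen(vector) >= sizeof buf)
        return -1.0;
    strcpy(buf, vector);

    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        char *colon = strchr(tok, ':');
        if (!colon || colon[1] == '\0' || colon[2] != '\0')
            return -1.0;
        *colon = '\0';
        for (int i = 0; i < 6; i++) {
            if (strcmp(tok, names[i]) == 0) {
                w[i] = cvss2_weight(names[i], colon[1]);
                seen++;
            }
        }
    }
    if (seen != 6)
        return -1.0;
    for (int i = 0; i < 6; i++)
        if (w[i] < 0.0)
            return -1.0;

    /* CVSS v2 base equations */
    double impact = 10.41 * (1.0 - (1.0 - w[3]) * (1.0 - w[4]) * (1.0 - w[5]));
    double exploitability = 20.0 * w[0] * w[1] * w[2];
    double f = (impact == 0.0) ? 0.0 : 1.176;
    double score = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f;
    if (score < 0.0)
        score = 0.0;
    /* round half up to one decimal without needing libm */
    return (double)(long)(score * 10.0 + 0.5) / 10.0;
}

int main(void)
{
    const char *jsa = "AV:N/AC:H/Au:N/C:N/I:N/A:C";   /* vector from this advisory */
    const char *ac_low = "AV:N/AC:L/Au:N/C:N/I:N/A:C"; /* same, with low access complexity */
    printf("%s -> %.1f\n", jsa, cvss2_base_score(jsa));
    printf("%s -> %.1f\n", ac_low, cvss2_base_score(ac_low));
    return 0;
}
```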