PSN-2012-04-548

This issue can affect all SRX Series Services Gateways for the Data Center (SRX-1400, SRX-3400, SRX-3600, SRX-5600, SRX-5800) configured to process IPv6 traffic flows.

Certain IPv6 traffic flowing through SRX Series Services Gateways for the Data Center (SRX-1400,SRX-3400,SRX-3600,SRX-5600,SRX-5800) can trigger an invalid memory access that could lead to invalid statistics, or the possibility of memory corruption. The memory corruption could cause the flowd process to crash and reset. The flowd process recovers immediately, but causes a temporary interruption in traffic forwarding.

This issue only occurs when IPv6 flow sessions are in use (eg. 'set security forwarding-options family inet6 mode flow-based' in the config).

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

When an IPv6 flow session is freed on the Central Point (CP), it updates the CP session statistics for the corresponding SPU. In some situations, the update overwrote other memory causing incorrect statistics or memory corruption, which in turn triggered a flowd core. Junos now uses dedicated code for extending session counter updates during CP session allocation and freeing.

All Junos OS software releases built on or after 2011-12-16 have fixed this specific issue. Releases containing the fix specifically include: 10.4R7, 11.1R5, 11.2R2, 11.4R1, and all subsequent releases (i.e. all releases built after 11.4R1). Earlier releases of Junos OS are unaffected by this vulnerability.

This issue is being tracked as PR 672794 and is visible on the Customer Support website.

Note: SRX Series services gateways with session limit screening configured, for example:

[screen ids-option XXX limit-session source-ip-based or destination-ip-based]

should refer to IPv6 related PR 728802 before deciding on an upgrade strategy.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Disabling IPv6 processing will mitigate the issue, but may not be an acceptable workaround for most customers. For example:

user@junos# set security forwarding-options family inet6 mode drop

A reboot is required to make this configuration change effective.

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."