IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability (CVE-2016-1409)

[JSA10749]


Product Affected:
This issue may affect any product or platform running Junos OS or JUNOSe.
Problem:
A vulnerability in IPv6 processing has been discovered that may allow a specially crafted IPv6 Neighbor Discovery (ND) packet to be accepted by the router rather than discarded. The crafted packet, destined to the router, will then be processed by the routing engine (RE). A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the RE CPU to spike, or cause the DDoS protection ARP protocol group policer to engage. When this happens, the DDoS policer may start dropping legitimate IPv6 neighbors as legitimate ND times out.

Note that this is similar to the router's response to any purposeful malicious IPv6 ND flood destined to the router. The difference is that the crafted packet identified in the vulnerability is such that the forwarding controllers/ASICs should disallow this traffic from reaching the RE for further processing. Additionally, due to the routable nature of the crafted IPv6 ND packet, the attack may be launched from beyond the local broadcast domain.

This issue only affects systems with IPv6 enabled. The attack vector for the vulnerability relies on IPv6 Neighbor Discovery processing. If IPv6 is not enabled, then this issue is not applicable.

This issue has been assigned CVE-2016-1409.
 
Solution:
Internal investigation has uncovered two separate issues with IPv6 Neighbor Discovery processing:
  1. QFX5100 exceptions transit IPv6 ND traffic to RE, allowing for a partial local DoS attack
    • PR 1183115 logged to resolve this issue in Junos OS 14.1X53-D28, 14.1X53-D30, 14.1X53-D40, 15.1R4, 15.1R5, 16.1R2, 16.2R1, and all subsequent releases.

  2. Junos and JUNOSe routers fail to discard non-RFC4861-compliant IPv6 ND traffic destined to the router, allowing for a partial remote DoS attack (CVE-2016-1409)
    • QFX10000 Series: Junos PR 1183124 has resolved this issue in Junos OS 15.1X53-D105, 15.1X53-D60, 16.1R2, and all subsequent releases.
    • QFX5100: Junos PR 1220209 has resolved this issue in Junos OS 14.1X53-D43, 15.1R7, 16.1R5, 17.1R2, 17.2R1, and all subsequent releases.
    • MX Series (Trio): Junos PR 1188939 has resolved this issue for systems with Trio chipsets in Junos OS 13.3R10, 14.1R2-S7, 14.1R4-S12, 14.1R8, 14.2R7-S1, 14.2R8, 15.1F2-S10, 15.1F5-S4, 15.1F6-S1, 15.1F7, 15.1R3-S4, 15.1R4-S2, 15.1R5, 16.1R1-S3, 16.1R2, 16.2R1, 17.1R1, and all subsequent releases.  See KB25385 for a mapping of chipset types and PFE modules.
    • MX Series (I-Chip): Junos PR 1220207 has resolved this issue in Junos OS 16.1R5, 16.2R2, 17.1R2, 17.2R1, and all subsequent releases.
    • SRX Series: Junos PR 1191838 has resolved this issue in Junos OS 12.1X46-D60, 12.1X47-D45, 12.3X48-D40, 15.1X49-D60, and all subsequent releases.
    • PTX Series: Junos PR 1207527 has resolved this issue in Junos OS 15.1F5-S4, 15.1F6-S2, 16.1R2, 16.1R3, 16.2R1, 17.1R1, and all subsequent releases.
    • EX Series: Junos PR 1220211 has resolved this issue in Junos OS 15.1R6, 16.1R4, and all subsequent releases.
    • M Series: Junos PR 1220213 has resolved this issue in Junos OS 13.3R10, 14.1R9, 14.2R8, 15.1R5-S1, 15.1R6, 15.1X53-D210, 15.1X53-D63, 15.1X53-D70, and all subsequent releases.
    • JUNOSe: CQs 199315, 199316, and 119432 have been logged to address hotfixes and service releases for all E Series platforms and forwarding controllers (FC). Hotfixes are available for JUNOSe FC3 (LM10a, LM10U, LM10ADV) and FC2 (LM4) line cards. Contact JTAC to obtain the hotfixes for your specific software release and platform.


Note: On the SRX Series, the 'icmpv6-malformed' screen can be configured to discard non-compliant IPv6 ICMP/ND traffic as follows:
 
set security screen ids-option <screen name> icmp icmpv6-malformed

Juniper Networks will update this advisory once fixes are available for other products and platforms.

Refer to KB16613 for additional information about the Juniper Networks SIRT Quarterly Security Bulletin Publication Process.
 
Workaround:
While no complete workaround currently exists for this issue, especially for adjacent network attacks from the local broadcast domain, security best current practices (BCPs) of filtering all ND traffic at the edge, destined to network infrastructure equipment, should be employed to limit the malicious attack surface of the vulnerability.

Interface and/or control plane firewall filters may be used to stop propagation of NDP traffic beyond connected devices:
  • Interface firewall filters, applied to each ingress interface, defend local and downstream devices from attack
  • Control plane firewall filters, applied to the 'lo0' loopback interface, defend the local router from attack.

The following set of Junos OS firewall filters is provided as a starting point and should only be used as example firewall filters when considering methods of defending against remote denial of service attacks using IPv6 ND.

Devices that support filtering on 'hop-limit' can utilize the following interface filter design:
 
user@junos# show firewall family inet6 NDP
filter NDP {
    term PERMIT_LOCAL_ICMP {
        from {
            next-header icmp6;
            hop-limit 255;
        }
        then {
            count PERMIT_LOCAL_ICMP;
            accept;
        }
    }
    term REJECT_NETWORK_ICMP {
        from {
            next-header icmp6;
            icmp-type [ neighbor-advertisement neighbor-solicit router-solicit router-advertisement redirect ];
        }
        then {
            count REJECT_NETWORK_ICMP;
            discard;
        }
    }
    term PERMIT_ALL {
        then accept;
    }
}

and/or Protect_RE control plane filter:
 
user@junos# show firewall family inet6 IPV6_PROTECT_RE
filter IPV6_PROTECT_RE {
    term ICMPV6_TRUSTED {
        from {
            source-prefix-list {
                IPV6_TRUSTED_PREFIX_LIST;
            }
            next-header icmp6;
        }
        then accept;
    }
    term IPV6_ND_LOCAL {
        from {
            next-header icmp6;
            hop-limit 255;
        }
        then accept;
    }
    term ICMPV6 {
        from {
            next-header icmp6;
            icmp-type [ echo-request echo-reply time-exceeded destination-unreachable packet-too-big parameter-problem ];
        }
        then accept;
    }
    term OTHER {
        then {
            count DROP;
            discard;
        }
    }
}
Devices that do not support filtering on 'hop-limit' will require a slightly more complicated interface filter design:
 
user@junos# show firewall family inet6 NDP
filter NDP {
    term PERMIT_VALID_ICMP {
        from {
            destination-address {
                fe80::/10;
                ff02::/123;
                ff02:0:0:0:0:1:ff00::/104;
            }
        }
        then {
            count PERMIT_VALID_ICMP;
            accept;
        }
    }
    term PERMIT_VALID_ICMP_LOCAL {
        from {
            source-address {
                x:x:x:x::/64;
            }
            destination-address {
                x:x:x:x::/64;
            }
            next-header icmp6;
        }
        then {
            count PERMIT_VALID_ICMP_LOCAL;
            accept;
        }
    }
    term REJECT_INVALID_ICMP {
        from {
            next-header icmp6;
            icmp-type [ neighbor-advertisement neighbor-solicit router-solicit router-advertisement redirect ];
        }
        then {
            count REJECT_INVALID_ICMP;
            discard;
        }
    }
    /* Final accept term: a Junos filter ends with an implicit discard, so without it all other transit traffic would be dropped */
    term PERMIT_ALL {
        then accept;
    }
}

and Protect_RE filter design:
 
user@junos# show firewall family inet6 IPV6_PROTECT_RE
filter IPV6_PROTECT_RE {
    term ICMPV6_TRUSTED {
        from {
            source-prefix-list {
                IPV6_TRUSTED_PREFIX_LIST;
            }
            next-header icmp6;
        }
        then accept;
    }
    term IPV6_ND {
        from {
            destination-address {
                fe80::/10;
                ff02::/123;
                ff02:0:0:0:0:1:ff00::/104;
            }
        }
        then accept;
    }
    term IPV6_ND_LOCAL {
        from {
            source-address {
                x:x:x:x::/64;
            }
            destination-address {
                x:x:x:x::/64;
            }
            next-header icmp6;
        }
        then accept;
    }
    term ICMPV6 {
        from {
            next-header icmp6;
            icmp-type [ echo-request echo-reply time-exceeded destination-unreachable packet-too-big parameter-problem ];
        }
        then accept;
    }
    term OTHER {
        then {
            count DROP;
            discard;
        }
    }
}

Additionally, the SRX can block ICMPv6 packets with invalid field values (per RFC4861) by a security screen option:

set security screen ids-option <screen name> icmp icmpv6-malformed
 
Implementation:
How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisories and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.
 
Modification History:
2016-06-03: Initial publication
2016-06-06: Clarified impact of each issue. Highlighted difference between edge and control plane firewall filter.
2016-06-07: Minor tweaks to sample firewall filters.
2016-06-29: Added SRX screen mitigation.
2016-07-06: SRX not vulnerable with screen configured.  PRs for other products pending on a confirmed fix for the issue.
2016-08-08: Confirmed through multi-vendor discussion and review of RFC4861 that forwarding non-compliant ND traffic is not, itself, in violation of the RFC.
2016-08-08: Hotfixes now available for JUNOSe.
2016-08-17: Minor clarification of JUNOSe CQs for hotfixes vs. service releases.
2016-09-07: Simplified list of Junos OS PRs and available fixes.
2016-10-05: More PRs for more Junos platforms.
2017-04-18: Full set of Junos OS fixed releases updated.
2017-06-26: Refreshed fixed releases for all platforms.


Related Links:
CVSS Score:
5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Risk Level:
Medium
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."