2017-04 Security Bulletin: Junos: ICMPv6 PTB atomic fragment denial of service attack (CVE-2016-10142)

  [JSA10780]


Product Affected:
This issue can affect any product or platform running Junos OS with IPv6 enabled.
Problem:
An issue was discovered in the IPv6 protocol specification, related to ICMP Packet Too Big (PTB) messages.  The security implications of IP fragmentation have been discussed at length in various RFCs. An attacker can leverage the generation of IPv6 atomic fragments to trigger the use of fragmentation in an arbitrary IPv6 flow and can subsequently perform any type of fragmentation-based attack against legacy IPv6 nodes that do not implement RFC 6946.  However, even nodes that already implement RFC 6946 can be subject to DoS attacks as a result of the generation of IPv6 atomic fragments.

Since most nodes are configured to reject all packets that contain fragment headers, as recommended in RFC 6192, if a Junos OS router emits atomic fragments (containing IPv6 Fragment Extension Headers) towards its legitimate communication peer, traffic may be dropped by the peer, causing a secondary denial of service condition.

This issue is triggered by ICMPv6 traffic destined to the device.  Transit IPv6 traffic will not cause this issue to occur, and IPv4 is unaffected by this vulnerability.

This issue has been assigned CVE-2016-10142.
 
Solution:
Junos OS now follows the recommendations from RFC 8021, section 4, to prevent this issue.  When such a PTB message is received, it will be ignored unless Junos OS is explicitly instructed to allow atomic fragments via a sysctl setting.
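
Atomic fragments are generated in response to ICMPv6 PTB messages that report an MTU below the IPv6 minimum of 1280 bytes, and an atomic fragment is a packet whose Fragment header has offset 0 and the M flag clear (RFC 6946). The following Python is an added example, not Juniper code, that classifies raw IPv6 packets from a capture so that both conditions can be spotted when monitoring; the function names, labels and sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280              # minimum IPv6 link MTU
NH_FRAGMENT, NH_ICMPV6 = 44, 58  # IPv6 Next Header values
ICMPV6_PTB = 2                   # ICMPv6 type 2 = Packet Too Big

def classify(pkt: bytes) -> str:
    """Classify one raw IPv6 packet (bytes start at the IPv6 header).
    Only the first header after the fixed IPv6 header is examined."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "not-ipv6"
    next_header, payload = pkt[6], pkt[40:]
    if len(payload) < 8:
        return "truncated"
    if next_header == NH_FRAGMENT:
        # Fragment header: next hdr, reserved, offset(13)|res(2)|M(1), ident
        off_flags = struct.unpack("!H", payload[2:4])[0]
        atomic = (off_flags >> 3) == 0 and (off_flags & 1) == 0
        return "atomic-fragment" if atomic else "fragment"
    if next_header == NH_ICMPV6:
        icmp_type, _code, _cksum, mtu = struct.unpack("!BBHI", payload[:8])
        if icmp_type == ICMPV6_PTB:
            return "ptb-below-min-mtu" if mtu < IPV6_MIN_MTU else "ptb"
    return "other"

def _ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed sample packet (documentation addresses only)."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return fixed + src + dst + payload

# Constructed samples; checksums are zero because classify() does not verify them.
SAMPLES = {
    "ptb_mtu_1000": _ipv6(NH_ICMPV6, struct.pack("!BBHI", ICMPV6_PTB, 0, 0, 1000)),
    "ptb_mtu_1400": _ipv6(NH_ICMPV6, struct.pack("!BBHI", ICMPV6_PTB, 0, 0, 1400)),
    "atomic_frag": _ipv6(NH_FRAGMENT, struct.pack("!BBHI", NH_ICMPV6, 0, 0, 0x1234)),
    "first_frag": _ipv6(NH_FRAGMENT, struct.pack("!BBHI", NH_ICMPV6, 0, 1, 0x1234)),
    "echo_request": _ipv6(NH_ICMPV6, struct.pack("!BBHI", 128, 0, 0, 1)),
}

def summarize(samples=SAMPLES) -> dict:
    """Return {sample name: verdict} for every packet in samples."""
    return {name: classify(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdict in summarize().items():
        print(f"{name:14} {verdict}")
```

A "ptb-below-min-mtu" verdict on traffic destined to the device marks the trigger described above; "atomic-fragment" on traffic the device emits marks the packets a peer filtering fragment headers would drop.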

The following software releases have been updated to resolve this specific issue: Junos OS 11.4R13-S4, 12.1X46-D67, 12.3X48-D50, 14.1R8-S3, 14.1R9, 14.1X53-D121, 14.1X53-D43, 14.2R4-S8, 14.2R7-S6, 14.2R8, 15.1F2-S16, 15.1F5-S7, 15.1F6-S5, 15.1F7-S1, 15.1R4-S7, 15.1R5-S2, 15.1R6, 15.1X49-D80, 15.1X53-D231, 15.1X53-D57, 15.1X53-D64, 15.1X53-D70, 16.1R3-S3, 16.1R4-S1, 16.1R5, 16.2R1-S3, 16.2R2, 17.1R1, 17.2R1, and all subsequent releases.

This issue is being tracked as PR 1250832 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes in which releases vulnerabilities are fixed, as per our End of Engineering and End of Life support policies.
 
Workaround:
Malicious exploitation of this vulnerability may be mitigated by employing anti-spoofing IP address filters and unicast reverse-path-forwarding (uRPF) checking to limit spoofed ICMPv6 traffic from entering your network. See BCP 38/RFC 2827 for additional details. 
 
Implementation:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisories and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.
 
Modification History:
2017-04-12: Initial publication
2017-04-27: Additional fixed releases
2017-08-07: Additional fixed releases




CVSS Score:
8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
Risk Level:
High
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."