
2018-01 Security Bulletin: Junos OS: Malicious LLDP crafted packet leads to privilege escalation, denial of service. (CVE-2018-0007)

[JSA10830]


Product Affected:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1, 14.1X53, 14.2, 15.1, 15.1X49, 15.1X53, 16.1, 16.1X65, 16.2, 17.1.
Problem:

An unauthenticated network-based attacker able to send a maliciously crafted LLDP packet to the local segment, through a local segment broadcast, may be able to cause a Junos device to enter an improper boundary check condition allowing a memory corruption to occur, leading to a denial of service. Further crafted packets may be able to sustain the denial of service condition. Score: 6.5 MEDIUM (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Further, if the attacker is also authenticated on the target device that receives and processes the crafted LLDP packets, the attacker may be able to perform command or arbitrary code injection on the target device, thereby elevating their permissions and privileges and taking control of the device. Score: 7.8 HIGH (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

An unauthenticated network-based attacker able to send a maliciously crafted LLDP packet to one or more local segments, via LLDP proxy / tunneling agents or other LLDP-through-Layer-3 deployments, through one or more local segment broadcasts, may be able to cause multiple Junos devices to enter an improper boundary check condition allowing memory corruption to occur, leading to multiple distributed denials of service. These denial-of-service attacks may cascade to adjacent connected devices, impacting network devices, servers, workstations, etc. Further crafted packets may be able to sustain these denial-of-service conditions. Score 6.8 MEDIUM (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H)

Further, if the attacker is also authenticated on one or more of the target devices that receive and process these crafted LLDP packets, the attacker may be able to perform command or arbitrary code injection on multiple target devices, thereby elevating their permissions and privileges and taking control of multiple devices. Score: 7.8 HIGH (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

Additional details from ongoing research have resulted in the following significant findings.

  • On routing platforms, such as MX Series devices where L2CPD is present, LLDPD is not present, and no CLI stanza is present, if the maliciously crafted broadcast packet is received by the system, the L2CPD daemon cores and then restarts. There is no CPU DoS. A sustained process DoS condition can exist if repeat packets are received by the system, causing L2CPD to continue to restart, core, and generate core files. If core files are not automatically deleted, the file system can fill up and cause a full denial of service condition on the system.
  • On routing platforms, such as MX Series devices where L2CPD is present, LLDP is not present, and the CLI stanza "set protocols lldp interface all" is present, if the maliciously crafted broadcast packet is received by the system, the L2CPD daemon cores and then restarts with a sustained CPU DoS, without further packets being received by the system. A sustained process and CPU DoS condition can exist if repeat packets are received by the system, causing L2CPD to continue to restart, core, and generate core files. If core files are not automatically deleted, the file system can fill up and cause a full denial of service condition on the system.
  • On switching platforms, such as EX Series devices where LLDP-MED is configured but the service is disabled and no CLI stanza is present, if the maliciously crafted broadcast packet is received by the system, the EX Series device will load the l2cpd daemon, and then the l2cpd daemon will core.
  • On switching platforms, such as EX Series devices where LLDP is supported, L2CPD is not supported and STP is enabled, if the maliciously crafted broadcast packet is received by the system, the EX Series device will load the l2cpd daemon, and this will trigger a CPU denial of service condition.
  • On security platforms, such as SRX Series devices, the l2cpd daemon may be present as a latent/zombied process, but there is no impact to the SRX Series device if the maliciously crafted broadcast packet is received by the system, regardless of daemon presence, configuration or CLI stanza. This issue is proactively resolved in SRX releases.
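The advisory attributes the crash to an improper boundary check while processing a crafted LLDPDU. As an added illustration (not Juniper's code and not the advisory's packet), the following bounds-checked LLDP TLV walker shows the kind of check a capture-side monitor or a hardened receiver applies: every TLV's declared length is validated against the bytes actually remaining before it is consumed. The frames are constructed here; the malformed one is simply a TLV whose declared length overruns the frame.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
LLDP_MCAST = bytes.fromhex("0180c200000e")  # nearest-bridge LLDP multicast MAC


def parse_lldp_tlvs(payload: bytes):
    """Walk the TLV chain; raise ValueError on any length that overruns the buffer."""
    tlvs, off = [], 0
    while True:
        if off + 2 > len(payload):
            raise ValueError("truncated TLV header at offset %d" % off)
        hdr = struct.unpack_from("!H", payload, off)[0]
        tlv_type, tlv_len = hdr >> 9, hdr & 0x1FF  # 7-bit type, 9-bit length
        off += 2
        if off + tlv_len > len(payload):  # the boundary check that must not be skipped
            raise ValueError("TLV type %d declares %d bytes but only %d remain"
                             % (tlv_type, tlv_len, len(payload) - off))
        tlvs.append((tlv_type, payload[off:off + tlv_len]))
        off += tlv_len
        if tlv_type == 0:  # End of LLDPDU TLV terminates the chain
            return tlvs


def check_frame(frame: bytes):
    """Return (verdict, detail) for a raw Ethernet frame; non-LLDP frames pass untouched."""
    if len(frame) < 14:
        return ("drop", "runt frame")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != LLDP_ETHERTYPE:
        return ("pass", "not LLDP")
    try:
        tlvs = parse_lldp_tlvs(frame[14:])
    except ValueError as e:
        return ("drop", "malformed LLDP: " + str(e))
    # IEEE 802.1AB mandates Chassis ID (1), Port ID (2), TTL (3) first, in that order
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        return ("drop", "mandatory TLVs missing or out of order")
    return ("pass", "%d TLVs" % len(tlvs))


def tlv(t, v):  # helper to build a well-formed TLV for the constructed samples
    return struct.pack("!H", (t << 9) | len(v)) + v

# Constructed sample frames (not captures from the advisory)
SRC = bytes.fromhex("aabbccddeeff")
GOOD = (LLDP_MCAST + SRC + struct.pack("!H", LLDP_ETHERTYPE)
        + tlv(1, b"\x04" + SRC) + tlv(2, b"\x05eth0") + tlv(3, b"\x00\x78") + tlv(0, b""))
# Same header and Chassis ID, but the Port ID TLV claims 200 bytes while only 5 follow
BAD = GOOD[:14] + tlv(1, b"\x04" + SRC) + struct.pack("!H", (2 << 9) | 200) + b"\x05eth0"
```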

Affected releases are Juniper Networks Junos OS:

  • 12.1X46 versions prior to 12.1X46-D71;
  • 12.3 versions prior to 12.3R12-S7;
  • 12.3X48 versions prior to 12.3X48-D55;
  • 14.1 versions prior to 14.1R8-S5, 14.1R9;
  • 14.1X53 versions prior to 14.1X53-D46, 14.1X53-D107;
  • 14.2 versions prior to 14.2R7-S9, 14.2R8;
  • 15.1 versions prior to 15.1F2-S17, 15.1F5-S8, 15.1F6-S8, 15.1R5-S7, 15.1R7;
  • 15.1X49 versions prior to 15.1X49-D90;
  • 15.1X53 versions prior to 15.1X53-D65;
  • 16.1 versions prior to 16.1R4-S6, 16.1R5;
  • 16.1X65 versions prior to 16.1X65-D45;
  • 16.2 versions prior to 16.2R2;
  • 17.1 versions prior to 17.1R2.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered during external security research.

This issue has been assigned CVE-2018-0007.

Solution:

The following software releases have been updated to resolve this specific issue: 12.1X46-D71, 12.3R12-S7, 12.3X48-D55, 14.1R8-S5, 14.1R9, 14.1X53-D46, 14.2R7-S9, 14.2R8, 15.1F2-S17, 15.1F5-S8, 15.1F6-S8, 15.1R7, 15.1X49-D90, 15.1X53-D65, 16.1R4-S6, 16.1R5, 16.1X65-D45, 16.2R2, 17.1R2, 17.2R1, and all subsequent releases.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

This issue is being tracked as 1252823 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:

1. Configure the system not to load the LLDPD or L2CPD daemon, as appropriate, using the following stanza in the CLI configuration:

set system processes lldpd-service disable
or
set system processes l2cpd-service disable

Note that the L2CPD daemon also serves other protocols, including RSTP, MSTP, VSTP, xSTP and ERP. After issuing set system processes l2cpd-service disable, RSTP, MSTP, VSTP, xSTP and ERP will cease to operate.

2. Implement off-system IDP or other firewall filters to prevent the broadcast-addressed LLDP packet itself from reaching LLDP proxy agents or devices that receive and process LLDP packets.

3. Implement packet filters to block LLDP packets with a broadcast destination address from propagating in the network.

Additionally, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device via all means to only trusted, administrative networks, hosts and users.


Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.
Modification History:
2018-01-10: Initial publication
2018-01-11: Added CLI config stanza to disable LLDP daemon as workaround.  Added SRX-Series into affected.  SRX HE is unaffected.
2018-01-12: Added clear detail that SRX HE is unaffected at top in description as example, configuration stanza is not required for exploitability, only presence of daemon(s) running on system.
2018-01-17: Removed 14.1X53-D50; this is not a valid release.
2018-02-05: Updated JSA for clarification around routing, switching and security platforms; as well as additional test details resulting in findings for these platforms.
2018-02-14: Updated JSA for clarification on findings to MX Series.  Updated JSA to read "CPU" instead of "Memory" for DoS impact to EX Series devices.  Updated the workaround section for LLDPD and L2CPD CLI stanza, and to filter Broadcast addressed LLDP on network as a workaround.
Related Links:
CVSS Score:
7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Risk Level:
High
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:
We would like to acknowledge and thank:
  • UK's National Cyber Security Centre (NCSC)