2018-01 Security Bulletin: Junos OS: Malicious LLDP crafted packet leads to privilege escalation, denial of service. (CVE-2018-0007)

  [JSA10830]


Product Affected:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1, 14.1X53, 14.2, 15.1, 15.1X49, 15.1X53, 16.1, 16.1X65, 16.2, 17.1.
Problem:
  1. A Junos OS device, configured to accept LLDP traffic on a local segment, is vulnerable to an attacker who is able to send a maliciously crafted LLDP packet to the same local segment. This may cause the device to enter an improper boundary check condition leading to memory corruption. Certain commands issued to the device by an authenticated administrator or trusted service may lead to a Denial of Service against the LLDPD or L2CPD service daemon. Further crafted packets sent by an attacker may be able to sustain the Denial of Service condition as long as these commands are re-issued to the device. Score: 3.5 LOW (CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
    a. Further, if the attacker is authenticated on the target device which is receiving and processing the malicious LLDP packet, the attacker may be able to perform command or arbitrary code injection on the target device, thereby elevating their permissions and privileges and taking full control of the device. Score: 7.0 HIGH (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
  2. A Junos OS device, configured to accept LLDP traffic on a local segment, is vulnerable to an attacker who is able to send a maliciously crafted LLDP packet to one or more local segments via LLDP proxy / tunneling agents or Layer 2 through Layer 3 deployments. This may cause multiple devices to enter an improper boundary check condition leading to memory corruption. Certain commands issued to the device(s) by an authenticated administrator or trusted service may lead to one or more Denial of Service conditions against the LLDPD or L2CPD service daemon(s). Further crafted packets sent by an attacker may be able to sustain the Denial of Service condition as long as these commands are re-issued to the device. Depending on the method by which LLDP packets are forwarded through the network, multiple Denial of Service attacks may have a cascading effect on adjacent connected devices, resulting in denials of service to adjacent network devices, servers, workstations, etc. Further crafted packets may be able to sustain these Denial of Service conditions. Score: 3.1 LOW (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L)
    a. Further, if the attacker is authenticated on one or more target devices which are receiving and processing the malicious LLDP packet, the attacker may be able to perform command or arbitrary code injection on one or more target devices, thereby elevating their permissions and privileges and taking full control of one or more devices. Score: 7.8 HIGH (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

Additional examples from ongoing research have resulted in the following significant findings:

  • On Routing and virtualized Security* platforms, such as MX/PTX and vSRX Series devices where L2CPD is present, if the maliciously crafted packet is received by the system, the L2CPD daemon cores and then restarts. A sustained process DoS condition against the L2CPD service daemon, affecting one or more protocols in use, occurs if repeated crafted packets are received by the system and a command is run by an authenticated administrator or trusted service, leading to L2CPD continuing to core, generating a core file and restarting. An indication of compromise will show up to 5 core files in rotation for this process, timestamped near the same time that command execution is initiated by an attacker, a trusted operator or a trusted service.
  • On Switching and Branch Security* platforms, such as EX/QFX and Branch SRX Series devices where LLDPD is present, if the maliciously crafted packet is received by the system, the LLDPD daemon cores and then restarts. A sustained process DoS condition against the LLDPD service daemon, affecting one or more protocols in use, occurs if repeated crafted packets are received by the system and a command is run by an authenticated administrator or trusted service, leading to LLDPD continuing to core, generating core files and restarting. An indication of compromise will show one or more core files in rotation for this process, timestamped near the same time that command execution is initiated by an attacker, a trusted operator or a trusted service.

*High End SRX Series devices are not vulnerable to this exploit.
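As an added example (not part of the advisory or Juniper's tooling), the Python script below applies the indicator of compromise described above: it parses a constructed, ls-style listing in the shape of `show system core-dumps` output and flags a burst of lldpd or l2cpd core files timestamped close together. The listing format, the 15-minute window and the threshold of three cores are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed core-dump listing (not output taken from the advisory): one lone lldpd
# core in the morning, then four l2cpd cores within a few minutes of each other.
SAMPLE_LISTING = """\
-rw-rw----  1 root  field  5242880 Jan 10 09:12 /var/tmp/lldpd.core.0.gz
-rw-rw----  1 root  field  8912345 Jan 10 14:01 /var/tmp/l2cpd.core.0.gz
-rw-rw----  1 root  field  8901234 Jan 10 14:02 /var/tmp/l2cpd.core.1.gz
-rw-rw----  1 root  field  8923456 Jan 10 14:04 /var/tmp/l2cpd.core.2.gz
-rw-rw----  1 root  field  8934567 Jan 10 14:05 /var/tmp/l2cpd.core.3.gz
"""

# perms links owner group size Mon DD HH:MM path  (assumed ls-like layout)
LINE_RE = re.compile(
    r"\S+\s+\d+\s+\S+\s+\S+\s+\d+\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+"
    r"(?P<time>\d{2}:\d{2})\s+(?P<path>\S+)$")
WATCHED = ("lldpd", "l2cpd")  # the two daemons named in the advisory


def parse_core_dumps(listing, year=2018):
    """Return (daemon, timestamp, path) for each core file of a watched daemon."""
    cores = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        base = m.group("path").rsplit("/", 1)[-1]   # l2cpd.core.0.gz
        daemon = base.split(".", 1)[0]              # l2cpd
        if daemon not in WATCHED:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M")
        cores.append((daemon, ts, m.group("path")))
    return cores


def find_core_bursts(cores, window=timedelta(minutes=15), min_cores=3):
    """Return {daemon: [paths]} where at least min_cores cores of one daemon fall
    inside one window, i.e. the repeated core-and-restart pattern described above."""
    bursts = {}
    for daemon in WATCHED:
        stamps = sorted((ts, path) for d, ts, path in cores if d == daemon)
        for i in range(len(stamps)):
            run = [p for ts, p in stamps[i:] if ts - stamps[i][0] <= window]
            if len(run) >= min_cores:
                bursts[daemon] = run
                break
    return bursts
```

Correlate any burst it reports with the command history and AAA logs for the same minutes, since the advisory ties the sustained condition to a command being re-issued on the device.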

Affected releases are Juniper Networks Junos OS:

  • 12.1X46 versions prior to 12.1X46-D71;
  • 12.3 versions prior to 12.3R12-S7;
  • 12.3X48 versions prior to 12.3X48-D55;
  • 14.1 versions prior to 14.1R8-S5, 14.1R9;
  • 14.1X53 versions prior to 14.1X53-D46, 14.1X53-D107;
  • 14.2 versions prior to 14.2R7-S9, 14.2R8;
  • 15.1 versions prior to 15.1F2-S17, 15.1F5-S8, 15.1F6-S8, 15.1R5-S7, 15.1R7;
  • 15.1X49 versions prior to 15.1X49-D90;
  • 15.1X53 versions prior to 15.1X53-D65;
  • 16.1 versions prior to 16.1R4-S6, 16.1R5;
  • 16.1X65 versions prior to 16.1X65-D45;
  • 16.2 versions prior to 16.2R2;
  • 17.1 versions prior to 17.1R2.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered during external security research.

This issue has been assigned CVE-2018-0007.

Solution:

The following software releases have been updated to resolve this specific issue: 12.1X46-D71, 12.3R12-S7, 12.3X48-D55, 14.1R8-S5, 14.1R9, 14.1X53-D46, 14.2R7-S9, 14.2R8, 15.1F2-S17, 15.1F5-S8, 15.1F6-S8, 15.1R7, 15.1X49-D90, 15.1X53-D65, 16.1R4-S6, 16.1R5, 16.1X65-D45, 16.2R2, 17.1R2, 17.2R1, and all subsequent releases.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

This issue is being tracked as 1252823 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:
1. Configure the device not to load the LLDPD or L2CPD daemon, as appropriate, using one of the following CLI config stanzas:

set system processes lldpd-service disable
or
set system processes l2cpd-service disable

Additional protocols supported by the L2CPD daemon include RSTP, MSTP, VSTP, xSTP and ERP. After issuing set system processes l2cpd-service disable, these protocols will cease to operate.

2. Configure target interfaces on the device to disable LLDP packet processing:

set protocols lldp interface <interface name> disable

3. On Switching platforms such as EX/QFX Series devices implement packet filters to discard LLDP packets with an EtherType of 0x88cc.

For example:

set firewall family ethernet-switching filter LLDP_EXAMPLE term 1 from ether-type 0x88cc
set firewall family ethernet-switching filter LLDP_EXAMPLE term 1 then discard

Workaround #3 does not work on MX Series devices. MX Series devices should disable LLDP processing, filter off-system, or upgrade to a fixed release.
4. Lastly, as a method to reduce the risk of exploitation of this vulnerability, customers may implement off-system IDP and/or firewall filtering methods, such as preventing the LLDP EtherType from propagating at all on local segments, or filtering broadcast-addressed LLDP packets and unicast-addressed LLDP packets that are not originated from trusted sources and targeted to trusted destinations.

Additionally, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device via all means to only trusted, administrative networks, hosts and users.
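As an added example (not from the advisory or from Juniper), the Python check below audits a set-format Junos configuration excerpt for the workarounds above, per interface: the daemon disable (workaround 1), the per-interface LLDP disable (workaround 2), and an ethernet-switching filter whose term both matches EtherType 0x88cc and discards, bound as an input filter (workaround 3). The sample configuration and the interface binding statement (`family ethernet-switching filter input <name>`) are assumptions.

```python
import re

# Constructed "show configuration | display set" excerpt (not from the advisory):
# ge-0/0/1 has LLDP disabled, ge-0/0/2 carries the 0x88cc discard filter on
# ingress, and ge-0/0/3 has neither; no daemon is disabled.
SAMPLE_CONFIG = """\
set protocols lldp interface ge-0/0/1 disable
set firewall family ethernet-switching filter LLDP_EXAMPLE term 1 from ether-type 0x88cc
set firewall family ethernet-switching filter LLDP_EXAMPLE term 1 then discard
set interfaces ge-0/0/2 unit 0 family ethernet-switching filter input LLDP_EXAMPLE
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members default
"""

DAEMON_RE = re.compile(r"set system processes (lldpd|l2cpd)-service disable")
LLDP_IF_RE = re.compile(r"set protocols lldp interface (\S+) disable")
TERM_RE = re.compile(r"set firewall family ethernet-switching filter (\S+) term (\S+) (.+)")
# Assumed EX-style statement that binds a filter to an interface's ingress.
APPLY_RE = re.compile(r"set interfaces (\S+) unit \S+ family ethernet-switching filter input (\S+)")


def audit_lldp_workarounds(config_text, interfaces):
    """Report, per interface, which of the workarounds the configuration applies."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    daemon_disabled = any(DAEMON_RE.fullmatch(l) for l in lines)
    lldp_disabled = {m.group(1) for l in lines if (m := LLDP_IF_RE.fullmatch(l))}
    # A filter only counts if the same term both matches 0x88cc and discards.
    matching, discarding = set(), set()
    for l in lines:
        m = TERM_RE.fullmatch(l)
        if m and m.group(3) == "from ether-type 0x88cc":
            matching.add((m.group(1), m.group(2)))
        elif m and m.group(3) == "then discard":
            discarding.add((m.group(1), m.group(2)))
    lldp_filters = {name for name, _ in matching & discarding}
    filtered = {m.group(1) for l in lines
                if (m := APPLY_RE.fullmatch(l)) and m.group(2) in lldp_filters}
    report = {}
    for ifname in interfaces:
        flags = {"daemon_disabled": daemon_disabled,
                 "lldp_disabled": ifname in lldp_disabled,
                 "filter_applied": ifname in filtered}
        flags["protected"] = any(flags.values())
        report[ifname] = flags
    return report
```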
Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.
Modification History:
2018-01-10: Initial publication
2018-01-11: Added CLI config stanza to disable LLDP daemon as workaround.  Added SRX-Series into affected.  SRX HE is unaffected.
2018-01-12: Added clear detail that SRX HE is unaffected at top in description as example, configuration stanza is not required for exploitability, only presence of daemon(s) running on system.
2018-01-17: Removed 14.1X53-D50; this is not a valid release.
2018-02-05: Updated JSA for clarification around routing, switching and security platforms; as well as additional test details resulting in findings for these platforms.
2018-02-14: Updated JSA for clarification on findings to MX Series.  Updated JSA to read "CPU" instead of "Memory" for DoS impact to EX Series devices.  Updated the workaround section for LLDPD and L2CPD CLI stanza, and to filter Broadcast addressed LLDP on network as a workaround.
2018-03-01: Updated problem and workaround solution to clarify affected methods; new CVSS scores and workaround examples for various platforms. Separated the HE (still unaffected), vSRX with L2CPD and Branch SRX with LLDPD.
2018-03-06: Minor language modifications for clarity.
Related Links:
CVSS Score:
7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Risk Level:
High
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:
We would like to acknowledge and thank:
  • UK's National Cyber Security Centre (NCSC)