Knowledge Search


×
 

2018-07 Security Bulletin: Junos OS: RPD daemon crashes due to receipt of crafted BGP NOTIFICATION messages (CVE-2018-0037)

  [JSA10871] Show Article Properties


Product Affected:
This issue affects Junos OS 15.1, 15.1F5, 15.1F6, 15.1F7.
Problem:
Junos OS routing protocol daemon (RPD) process may crash and restart or may lead to remote code execution while processing specific BGP NOTIFICATION messages.
By continuously sending crafted BGP NOTIFICATION messages, an attacker can repeatedly crash the RPD process causing a sustained Denial of Service.

Due to design improvements, this issue does not affect Junos OS 16.1R1, and all subsequent releases.

This issue only affects the receiving BGP device and is non-transitive in nature.

Affected releases are Juniper Networks Junos OS:
15.1F5 versions starting from 15.1F5-S7 and all subsequent releases;
15.1F6 versions starting from 15.1F6-S3 and later releases prior to 15.1F6-S10;
15.1F7 versions
15.1 versions starting from 15.1R5 and later releases, including the Service Releases based on 15.1R5 and on 15.1R6 prior to 15.1R6-S6 and 15.1R7;

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was seen during production usage.
This issue has been assigned CVE-2018-0037.
Solution:
The following software releases have been updated to resolve this specific issue: 15.1F6-S10, 15.1R6-S6, 15.1R7 and all subsequent releases.

This fix has been proactively committed into Junos OS 15.1X53-D67, 16.1R3-S8, 16.1R4-S8, 16.1R5-S4, 16.1R6-S3, 16.1R7, 16.2R1-S6, 16.2R2-S5, 16.2R3, 17.1R1-S7, 17.1R2-S6, 17.1R3, 17.2R1-S5, 17.2R2-S3, 17.2R3, 17.2X75-D100, 17.2X75-D110, 17.3R1-S4, 17.3R2-S1, 17.3R3, 17.4R1-S2, 17.4R2, 18.1R2, 18.2R1, 18.2X75-D5 and all subsequent releases.

This issue is being tracked as PR 1340689 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL
Workaround:
While there are no known workarounds for this issue, the risk associated with this issue can be mitigated by limiting the BGP connection only from trusted peers.
Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.
Modification History:
2018-07-11: Initial Publication.
Related Links:
CVSS Score:
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Risk Level:
Critical
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:
The Juniper SIRT would like to would like to acknowledge and thank Internet2 and The Indiana University GlobalNOC for responsibly disclosing this vulnerability.