Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

2018-07 Security Bulletin: Junos OS: RPD daemon crashes due to receipt of crafted BGP NOTIFICATION messages (CVE-2018-0037)

0

0

Article ID: JSA10871 SECURITY_ADVISORIES Last Updated: 25 Oct 2018Version: 2.0
Product Affected:
This issue affects Junos OS 15.1, 15.1F5, 15.1F6, 15.1F7.
Problem:
Junos OS routing protocol daemon (RPD) process may crash and restart or may lead to remote code execution while processing specific BGP NOTIFICATION messages.
By continuously sending crafted BGP NOTIFICATION messages, an attacker can repeatedly crash the RPD process causing a sustained Denial of Service.

Due to design improvements, this issue does not affect Junos OS 16.1R1, and all subsequent releases.

This issue only affects the receiving BGP device and is non-transitive in nature.

Affected releases are Juniper Networks Junos OS:
15.1F5 versions starting from 15.1F5-S7 and all subsequent releases;
15.1F6 versions starting from 15.1F6-S3 and later releases prior to 15.1F6-S10;
15.1F7 versions
15.1 versions starting from 15.1R5 and later releases, including the Service Releases based on 15.1R5 and on 15.1R6 prior to 15.1R6-S6 and 15.1R7;

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was seen during production usage.
This issue has been assigned CVE-2018-0037.
Solution:
The following software releases have been updated to resolve this specific issue: 15.1F6-S10, 15.1R6-S6, 15.1R7 and all subsequent releases.

This fix has been proactively committed into Junos OS 15.1X53-D67, 16.1R3-S8, 16.1R4-S8, 16.1R5-S4, 16.1R6-S3, 16.1R7, 16.2R1-S6, 16.2R3, 17.1R1-S7, 17.1R2-S6, 17.1R3, 17.2R1-S5, 17.2R2-S3, 17.2R3, 17.2X75-D100, 17.2X75-D110, 17.3R1-S4, 17.3R2-S1, 17.3R3, 17.4R1-S2, 17.4R2, 18.1R2, 18.2R1, 18.2X75-D5 and all subsequent releases.

This issue is being tracked as PR 1340689 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL
Workaround:
While there are no known workarounds for this issue, the risk associated with this issue can be mitigated by limiting the BGP connection only from trusted peers.
Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.
Modification History:
2018-07-11: Initial Publication.
2018-10-25: Removing 16.2R2-S5 from proactively committed list, it does not change the original resolved in list.
CVSS Score:
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Severity Level:
Critical
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:
The Juniper SIRT would like to would like to acknowledge and thank Internet2 and The Indiana University GlobalNOC for responsibly disclosing this vulnerability.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search