2018-08 Out of Cycle Security Bulletin: Junos platforms vulnerable to SegmentSmack attack [VU#962459], and Juniper response to FragmentSmack [VU#641765]

[JSA10876]


Product Affected:
The SegmentSmack attack affects all products and platforms running Junos OS.
Problem:
On August 6, 2018, the CERT/CC published VU#962459 describing a denial of service vulnerability in the Linux kernel's TCP implementation.  This issue, informally called "SegmentSmack", relies upon a crafted set of TCP segments sent over an established TCP session to exhaust resources in the receiver's TCP reassembly path.  Internal testing has confirmed that both Linux-based (WRL, CentOS, RHEL) systems and FreeBSD-based products and platforms running Junos OS are vulnerable to the SegmentSmack attack (CVE-2018-5390).

Crafted sequences of TCP/IP packets may allow a remote attacker to create a denial of service (DoS) condition on routing engines (REs) running Junos OS.  The attack requires a successfully established two-way TCP connection to an open port.  The rate of attack traffic is lower than typical thresholds for built-in Junos OS distributed denial-of-service (DDoS) protection, so additional configuration is required to defend against these issues on affected platforms.  Refer to the WORKAROUND section for additional guidance.

An additional exploit called "FragmentSmack", published on August 14, 2018, utilizes IP fragmentation — similar to previous "frag attacks" — to create another type of resource denial of service.  Juniper had previously resolved several IP fragmentation attacks, and internal testing has shown no evidence of service impact to Junos OS from the FragmentSmack attack.

These issues were discovered by an external security researcher.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.

These issues have been assigned the following identifiers: SegmentSmack is CVE-2018-5390 (CERT/CC VU#962459); FragmentSmack is tracked by CERT/CC as VU#641765.
Solution:
Platforms confirmed to be vulnerable to the SegmentSmack attack include, but are not limited to:
  • MX Series (MX80, MX480 tested)
  • QFX Series (QFX5100, QFX5200, QFX10008 tested)
  • NFX Series (NFX150, NFX250 tested)
  • PTX Series (PTX10008 tested)
  • SRX Series (SRX340 tested)
  • vMX, vSRX, vQFX, vPTX, etc.

Other platforms are assumed to also be affected by the SegmentSmack attack, but are still under investigation and continue to be tested by the Juniper SIRT.

Since the SegmentSmack attack requires a successfully established two-way TCP connection to an open port, attacks cannot be performed using spoofed IP addresses. Implementing Security Best Current Practice (BCP) to limit the exploitable attack surface of critical infrastructure networking equipment will mitigate this issue.  Refer to the WORKAROUND section for additional guidance.

As software releases are updated to resolve this specific issue, this Juniper Security Advisory (JSA) will be updated.
 
Workaround:
Since the TCP segment attack (SegmentSmack) cannot be performed using spoofed IP addresses, the issue can be mitigated by using access lists or firewall filters to limit TCP access to the device to trusted hosts and routing-protocol peers only.  Enable source address validation such as uRPF so that the trusted source addresses permitted by those filters cannot be spoofed from untrusted parts of the network.  Note that filtering does not protect against a trusted host or peer that is itself compromised; such a host can still establish the two-way TCP session the attack requires.

Internal testing has shown that Junos OS is not vulnerable to IP fragmentation attacks (FragmentSmack).  However, Juniper Networks recommends that, whenever possible, customers utilize security best current practices to drop all fragmented IP packets destined to the device's control plane.
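The following Junos configuration is an added example of the control-plane hardening the two paragraphs above describe; it is not part of the advisory and not Juniper-supplied configuration. The prefix-list, filter, term and counter names, the 192.0.2.0/24 and 198.51.100.10/32 trusted prefixes, the allowed ports (SSH and BGP) and the ge-0/0/0 interface are constructed for illustration and must be adapted to the device. Lines beginning with `#` are comments.

```junos
# Added example (not from the advisory): restrict TCP access to the Routing
# Engine to trusted sources, drop all IP fragments destined to the RE, and
# enable uRPF. All names, prefixes and interfaces here are constructed.

# Hosts and routing-protocol peers allowed to open TCP sessions to the RE.
set policy-options prefix-list TRUSTED-TCP-SOURCES 192.0.2.0/24
set policy-options prefix-list TRUSTED-TCP-SOURCES 198.51.100.10/32

# Drop every IP fragment sent to the control plane. Two terms are needed:
# is-fragment matches non-first fragments, first-fragment matches the first one.
set firewall family inet filter PROTECT-RE term DROP-TRAILING-FRAGMENTS from is-fragment
set firewall family inet filter PROTECT-RE term DROP-TRAILING-FRAGMENTS then count re-fragments-dropped
set firewall family inet filter PROTECT-RE term DROP-TRAILING-FRAGMENTS then discard
set firewall family inet filter PROTECT-RE term DROP-FIRST-FRAGMENTS from first-fragment
set firewall family inet filter PROTECT-RE term DROP-FIRST-FRAGMENTS then count re-fragments-dropped
set firewall family inet filter PROTECT-RE term DROP-FIRST-FRAGMENTS then discard

# Only trusted sources may complete a TCP handshake with the RE, and only on
# the services actually in use. SSH is management, inbound only.
set firewall family inet filter PROTECT-RE term ALLOW-TRUSTED-SSH from source-prefix-list TRUSTED-TCP-SOURCES
set firewall family inet filter PROTECT-RE term ALLOW-TRUSTED-SSH from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-TRUSTED-SSH from destination-port ssh
set firewall family inet filter PROTECT-RE term ALLOW-TRUSTED-SSH then accept

# Either side may initiate a BGP session, so match port 179 as source or
# destination ("port" matches both) rather than destination-port only.
set firewall family inet filter PROTECT-RE term ALLOW-TRUSTED-BGP from source-prefix-list TRUSTED-TCP-SOURCES
set firewall family inet filter PROTECT-RE term ALLOW-TRUSTED-BGP from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-TRUSTED-BGP from port bgp
set firewall family inet filter PROTECT-RE term ALLOW-TRUSTED-BGP then accept

# All other TCP never reaches the RE's stack, so no session can be
# established from an untrusted host. Count and syslog it for visibility.
set firewall family inet filter PROTECT-RE term DENY-OTHER-TCP from protocol tcp
set firewall family inet filter PROTECT-RE term DENY-OTHER-TCP then count re-tcp-untrusted
set firewall family inet filter PROTECT-RE term DENY-OTHER-TCP then syslog
set firewall family inet filter PROTECT-RE term DENY-OTHER-TCP then discard

# Non-TCP control-plane traffic (OSPF, ICMP, ...) is out of scope of this
# example; a production RE filter enumerates it explicitly instead of accept-all.
set firewall family inet filter PROTECT-RE term ACCEPT-REST then accept

# Applying the filter to lo0 covers traffic addressed to any RE address.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# Strict uRPF on an edge interface: packets whose source is not reachable
# back through the ingress interface (a spoofed "trusted" source) are dropped.
set interfaces ge-0/0/0 unit 0 family inet rpf-check
```

Commit with `commit confirmed` so a mistake in the filter cannot lock you out of the device, then watch the counters with `show firewall filter PROTECT-RE` to confirm that legitimate SSH and BGP sessions hit the accept terms and that `re-tcp-untrusted` is the only counter climbing under test. Two caveats: dropping all fragments to the RE also drops legitimately fragmented control-plane traffic (large IKE exchanges, for example), which is why the advisory says "whenever possible" and why an exception term for specific trusted peers may be needed; and strict `rpf-check` belongs only on interfaces with symmetric routing, otherwise use `rpf-check mode loose`.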

Additionally, the following IDP anomaly signatures may reduce the risk to devices from these types of attacks:

Anomaly Name: TCP:ERROR:REASS-MEMORY-OVERFLOW
Description: This protocol anomaly triggers when it detects a TCP Reassembler that has exhausted all allocated memory for storing unacknowledged packets
Recommended action: Drop
Test String: REASS_MEMORY_OVERFLOW


Note: Memory threshold for the IDP-reassembler can be configured using IDP sensor configuration.

Anomaly Name: TCP:ERROR:FLOW-MEMORY-EXCEEDED
Description: This protocol anomaly triggers when it detects that the TCP Reassembler has too many packets stored in memory for a connection. This can indicate an anti-IDS attack. This anomaly can be ignored in sniffer mode or in case of asymmetric routing.
Recommended action: Drop
Test String: FLOW_MEMORY_OVERFLOW


Note: Memory threshold for per flow in-memory segments can be configured using IDP sensor configuration.
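As an added example (not from the advisory, and not a Juniper-supplied policy), the SRX IDP configuration below puts the two anomaly signatures listed above into an IPS rule with the recommended Drop action and sets the reassembler thresholds that the "IDP sensor configuration" notes refer to. The policy, rule and security-policy names, the zone names and the threshold values are constructed for illustration; the `re-assembler` option names are those I know from the Junos `security idp sensor-configuration` hierarchy, but confirm them and their units on your release with `?` completion before committing.

```junos
# Added example (not from the advisory): IPS rule dropping traffic that
# triggers the two TCP reassembler anomalies, and the reassembler thresholds
# behind them. Names, zones and values are constructed for illustration.

# One IPS rule matching both predefined anomaly signatures.
set security idp idp-policy SEGMENT-REASSEMBLY rulebase-ips rule DROP-REASS-ANOMALIES match from-zone any
set security idp idp-policy SEGMENT-REASSEMBLY rulebase-ips rule DROP-REASS-ANOMALIES match to-zone any
set security idp idp-policy SEGMENT-REASSEMBLY rulebase-ips rule DROP-REASS-ANOMALIES match source-address any
set security idp idp-policy SEGMENT-REASSEMBLY rulebase-ips rule DROP-REASS-ANOMALIES match destination-address any
set security idp idp-policy SEGMENT-REASSEMBLY rulebase-ips rule DROP-REASS-ANOMALIES match application default
set security idp idp-policy SEGMENT-REASSEMBLY rulebase-ips rule DROP-REASS-ANOMALIES match attacks predefined-attacks TCP:ERROR:REASS-MEMORY-OVERFLOW
set security idp idp-policy SEGMENT-REASSEMBLY rulebase-ips rule DROP-REASS-ANOMALIES match attacks predefined-attacks TCP:ERROR:FLOW-MEMORY-EXCEEDED

# "Drop" as recommended above; drop-connection is the stricter alternative.
set security idp idp-policy SEGMENT-REASSEMBLY rulebase-ips rule DROP-REASS-ANOMALIES then action drop-packet
set security idp idp-policy SEGMENT-REASSEMBLY rulebase-ips rule DROP-REASS-ANOMALIES then notification log-attacks

# Activate the policy. IDP only inspects traffic that a security policy
# permits with application-services idp, so attach it to that policy too.
set security idp active-policy SEGMENT-REASSEMBLY
set security policies from-zone untrust to-zone trust policy ALLOW-IN match source-address any
set security policies from-zone untrust to-zone trust policy ALLOW-IN match destination-address any
set security policies from-zone untrust to-zone trust policy ALLOW-IN match application any
set security policies from-zone untrust to-zone trust policy ALLOW-IN then permit application-services idp

# Reassembler thresholds the two anomalies key on (illustrative values):
# per-flow memory for out-of-order segments, and the share of packet memory
# the reassembler may use before REASS-MEMORY-OVERFLOW fires.
set security idp sensor-configuration re-assembler max-flow-mem 1024
set security idp sensor-configuration re-assembler max-packet-mem-ratio 30
```

Verify with `show security idp status` (the active policy and attack-table counters) and `show security idp attack table` after generating test traffic; the anomaly names listed above should appear with hit counts if the rule is matching. Because both signatures fire on reassembler memory pressure rather than on a packet pattern, false positives are possible on links with heavy loss or asymmetric routing, which is the situation the FLOW-MEMORY-EXCEEDED description above says the anomaly can be ignored in. On newer SRX releases the policy is attached per security policy with `application-services idp-policy` instead of the global `active-policy` shown here.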
 
Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/
 
Modification History:
  • 2018-08-06: Initial Publication
  • 2018-08-07: Clarified that all platforms are assumed to be vulnerable until tested otherwise.  Also clarified that the TCP segment attack cannot be performed using spoofed IP addresses.
  • 2018-08-14: Updated title and added statement about Junos OS not being vulnerable to FragmentSmack. Updated WORKAROUND section to include general suggestions on mitigating fragmentation attacks.
Related Links:
CVSS Score:
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level:
High
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."