2018-08 Out of Cycle Security Bulletin: Junos platforms vulnerable to SegmentSmack attack [VU#962459], and Juniper response to FragmentSmack [VU#641765]

  [JSA10876]


Product Affected:
The SegmentSmack attack affects the management interface on all products and platforms running Junos OS.
Problem:
On August 6, 2018, the CERT/CC published VU#962459 describing a Linux kernel TCP implementation denial of service vulnerability.  This issue, informally called "SegmentSmack", relies upon a crafted set of TCP segments over an established TCP session to create a resource denial of service (CVE-2018-5390, CVE-2018-6922).

Internal research has confirmed that crafted sequences of TCP/IP packets may allow a remote attacker to create a denial of service (DoS) condition on the management interface of routing engines (REs) running Junos OS.  The attack requires a successfully established two-way TCP connection to an open port.  The rate of attack traffic is lower than typical thresholds for built-in Junos OS distributed denial-of-service (DDoS) protection, so additional configuration is required to defend against these issues on affected platforms.  Refer to the WORKAROUND section for additional guidance.

This issue only affects the management interface of the device (e.g. fxp0).  WAN interfaces are unaffected by this vulnerability on Junos OS.  Additionally, the impact to Junos OS is fundamentally different than the impact from the vulnerabilities tracked as CVE-2018-5390 and CVE-2018-6922 on FreeBSD and Linux.  Juniper Networks resolved the issue of MBUF starvation through crafted TCP segmentation via CVE-2014-6449 in all supported releases of Junos OS.  Refer to JSA10696 for additional information.

Note: An additional exploit called "FragmentSmack", published on August 14, 2018, utilizes IP fragmentation — similar to previous "frag attacks" — to create another type of resource denial of service.  Internal testing has shown that Junos OS is not vulnerable to the FragmentSmack attack.

These issues were discovered by an external security researcher.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.

These issues have been assigned:
Solution:
Junos OS is not vulnerable to the SegmentSmack attack on WAN interfaces.  Internal testing has confirmed that there is no impact to WAN interfaces on Junos OS devices.  Testing was performed by sending a high rate of crafted TCP segments to both the BGP port (179/tcp) and SSH port (22/tcp) on various WAN interfaces.  No impact to new or existing BGP adjacencies was observed and SSH connectivity was unaffected.

Engineering will resolve the CPU denial of service condition resulting from the SegmentSmack attack against the management interface of Junos OS platforms in a future release.

Note: Since the SegmentSmack attack requires a successfully established two-way TCP connection to an open port, attacks cannot be performed using spoofed IP addresses. Implementing Security Best Current Practice (BCP) to limit the exploitable attack surface of critical infrastructure networking equipment will mitigate this issue.  Refer to the WORKAROUND section for additional guidance.
 
Workaround:
Since the TCP segment attack (SegmentSmack) cannot be performed using spoofed IP addresses, the issue can be mitigated by using access lists or firewall filters to limit access to the management interface to trusted hosts only.  Additionally, enabling source address validation such as uRPF complements those filters: packets whose source address fails the reverse-path check are discarded on ingress, so an attacker cannot spoof a trusted management address in order to reach an open port in the first place.

Internal testing has shown that Junos OS is not vulnerable to IP fragmentation attacks (FragmentSmack).  However, Juniper Networks recommends that, whenever possible, customers utilize security best current practices to drop all fragmented IP packets destined to the device's control plane.
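As an added illustration of the two recommendations above (the trusted-source filter with uRPF, and dropping fragments destined to the control plane), the following Junos configuration is an example written for this page and is not taken from the advisory. It restricts TCP management protocols on fxp0 to a trusted prefix list, counts and discards IP fragments before any accept term, and enables a loose-mode RPF check on an assumed WAN interface. The prefix list contents (documentation addresses), the interface names fxp0 and ge-0/0/0, and the filter, term and counter names are all assumptions; adjust them to the deployment.

```junos
/* Trusted management sources. Addresses are documentation prefixes chosen
   for this example; replace with the real management network / jump hosts. */
policy-options {
    prefix-list TRUSTED-MGMT {
        192.0.2.0/24;
        198.51.100.10/32;
    }
}

firewall {
    family inet {
        filter PROTECT-MGMT {
            /* Fragments have no place in control-plane management traffic
               (FragmentSmack-style attacks rely on them), so count and drop
               them before any accept term can match. */
            term drop-fragments {
                from {
                    is-fragment;
                }
                then {
                    count mgmt-fragments;
                    discard;
                }
            }
            /* SegmentSmack needs an established TCP session to an open port,
               so only trusted sources may open one: SSH, HTTPS (J-Web) and
               NETCONF over SSH (830). */
            term tcp-mgmt-from-trusted {
                from {
                    source-prefix-list {
                        TRUSTED-MGMT;
                    }
                    protocol tcp;
                    destination-port [ ssh https 830 ];
                }
                then accept;
            }
            /* Keep basic reachability tests from trusted hosts working. */
            term icmp-from-trusted {
                from {
                    source-prefix-list {
                        TRUSTED-MGMT;
                    }
                    protocol icmp;
                    icmp-type [ echo-request echo-reply ];
                }
                then accept;
            }
            /* Everything else, including TCP SYNs from untrusted sources,
               is counted, logged and dropped. */
            term deny-rest {
                then {
                    count mgmt-rejected;
                    log;
                    discard;
                }
            }
        }
    }
}

interfaces {
    fxp0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-MGMT;
                }
            }
        }
    }
    /* Assumed WAN interface: a loose-mode reverse-path check drops packets
       whose source address has no route at all; strict mode (the default)
       additionally requires that route to point back out this interface. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                rpf-check {
                    mode loose;
                }
            }
        }
    }
}
```

Run `commit check` before committing, because the final deny term drops every management-plane service not explicitly listed: in a real deployment the filter also needs terms for whatever the Routing Engine legitimately uses (SNMP, NTP, DNS, RADIUS/TACACS+ replies, and so on), accepted only from the hosts that provide them. `show firewall filter PROTECT-MGMT` displays the counters and `show firewall log` shows the entries produced by the `log` action, which is a quick way to confirm that the rejected traffic is what you expected. The same terms can be carried in a filter on lo0 unit 0, the usual place for protecting RE-bound traffic that arrives on WAN interfaces.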

Additionally, the following IDP anomaly signatures may reduce the risk to devices from these types of attacks:

Anomaly Name: TCP:ERROR:REASS-MEMORY-OVERFLOW
Description: This protocol anomaly triggers when it detects a TCP Reassembler that has exhausted all allocated memory for storing unacknowledged packets
Recommended action: Drop
Test String: REASS_MEMORY_OVERFLOW


Note: Memory threshold for the IDP-reassembler can be configured using IDP sensor configuration.

Anomaly Name: TCP:ERROR:FLOW-MEMORY-EXCEEDED
Description: This protocol anomaly triggers when it detects that the TCP Reassembler has too many packets stored in memory for a connection. This can indicate an anti-IDS attack. This anomaly can be ignored in sniffer mode or in case of asymmetric routing.
Recommended action: Drop
Test String: FLOW_MEMORY_OVERFLOW


Note: Memory threshold for per flow in-memory segments can be configured using IDP sensor configuration.
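The following SRX IDP policy is an example added for this page, not configuration from the advisory. It matches the two predefined anomalies listed above in a single rule, drops the offending packet and logs the attack, and sets the reassembler memory thresholds that the two notes refer to. The policy, rule, zone and address-book names (SMACK-GUARD, mgmt-hosts) are assumptions; the `re-assembler` sensor-configuration knob names and the values shown are from my recollection of the SRX IDP sensor configuration and should be checked against the release you run with `set security idp sensor-configuration re-assembler ?`.

```junos
security {
    idp {
        idp-policy SMACK-GUARD {
            rulebase-ips {
                rule drop-reassembler-exhaustion {
                    match {
                        from-zone any;
                        to-zone any;
                        source-address any;
                        destination-address any;
                        application default;
                        attacks {
                            /* the two protocol anomalies listed above */
                            predefined-attacks [ TCP:ERROR:REASS-MEMORY-OVERFLOW TCP:ERROR:FLOW-MEMORY-EXCEEDED ];
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks;
                        }
                    }
                }
            }
        }
        /* Reassembler thresholds referenced by the two notes. Knob names
           and values are assumed for this example; verify them for your
           release before committing. */
        sensor-configuration {
            re-assembler {
                max-flow-mem 1024;           /* assumed: per-flow segment memory */
                max-packet-mem-ratio 30;     /* assumed: share of IDP memory reassembly may hold */
                tcp-error-logging;
            }
        }
        /* Pre-18.2 style activation; see the usage note for later releases. */
        active-policy SMACK-GUARD;
    }
    policies {
        /* Assumed zones: management hosts sit in zone "mgmt" behind the SRX. */
        from-zone untrust to-zone mgmt {
            policy mgmt-inbound {
                match {
                    source-address any;
                    destination-address mgmt-hosts;
                    application [ junos-ssh junos-https ];
                }
                then {
                    permit {
                        application-services {
                            idp;
                        }
                    }
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
```

This inspects transit sessions towards the management hosts behind the SRX; it does not inspect sessions terminating on the SRX's own Routing Engine, which still need the firewall-filter treatment from the workaround above. On releases from 18.2 onwards, where `active-policy` is no longer used, reference the IDP policy per security policy with `application-services idp-policy SMACK-GUARD` instead. After committing, `show security idp status` confirms the policy is loaded and `show security idp attack table` lists the anomalies that have fired.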
 
Implementation:
Software Releases, patches and updates, once available, can be downloaded from https://www.juniper.net/support/downloads/
 
Modification History:
  • 2018-08-06: Initial Publication
  • 2018-08-07: Clarified that all platforms are assumed to be vulnerable until tested otherwise.  Also clarified that the TCP segment attack cannot be performed using spoofed IP addresses.
  • 2018-08-14: Updated title and added statement about Junos OS not being vulnerable to FragmentSmack. Updated WORKAROUND section to include general suggestions on mitigating fragmentation attacks.
  • 2018-08-28: ScreenOS confirmed to not be vulnerable.  Also simplified Junos OS statement and commitment to resolution via software updates.
  • 2018-10-12: Additional testing has confirmed no impact to WAN interfaces.  Fixes will be made available for impact to management interface in a future version of Junos OS.
Related Links:
CVSS Score:
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level:
High
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."