
2018-10 Security Bulletin: Junos OS: Receipt of a specifically crafted malicious MPLS packet leads to a Junos kernel crash (CVE-2018-0049)

  [JSA10883]


Product Affected:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.2X75, 17.3, 17.4, 18.1, 18.2, 18.2X75.
Problem:

A NULL Pointer Dereference vulnerability in Juniper Networks Junos OS allows an attacker to cause the Junos OS kernel to crash. A single packet received by the target victim will cause a Denial of Service condition.  Continued receipt of this specifically crafted malicious MPLS packet will cause a sustained Denial of Service condition.

This issue requires the packet to be received on an interface configured to receive this type of traffic.

This issue can be initiated from outside the MPLS domain and then forwarded into the MPLS domain.  Once in the MPLS domain, the issue can be triggered.

This issue cannot be triggered from outside the MPLS domain to an interface configured with MPLS.

Affected releases are Juniper Networks Junos OS:

  • 12.1X46 versions above and including 12.1X46-D76 prior to 12.1X46-D81 on SRX Series;
  • 12.3R12-S10;
  • 12.3X48 versions above and including 12.3X48-D66 prior to 12.3X48-D75 on SRX Series;
  • 14.1X53-D47 on EX2200/VC, EX3200, EX3300/VC, EX4200, EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100;
  • 15.1 versions above and including 15.1F6-S10;
  • 15.1R4-S9;
  • 15.1R6-S6;
  • 15.1 versions above and including 15.1R7 prior to 15.1R7-S2;
  • 15.1X49 versions above and including 15.1X49-D131 prior to 15.1X49-D150 on SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345, SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  • 15.1X53 versions above 15.1X53-D233 prior to 15.1X53-D235 on QFX5200/QFX5110;
  • 15.1X53 versions up to and including 15.1X53-D471 prior to 15.1X53-D590 on NFX150, NFX250;
  • 15.1X53-D67 on QFX10000 Series;
  • 15.1X53-D59 on EX2300/EX3400;
  • 16.1 versions above and including 16.1R3-S8;
  • 16.1 versions above and including 16.1R4-S9 prior to 16.1R4-S12;
  • 16.1 versions above and including 16.1R5-S4;
  • 16.1 versions above and including 16.1R6-S3 prior to 16.1R6-S6;
  • 16.1 versions above and including 16.1R7 prior to 16.1R7-S2;
  • 16.2 versions above and including 16.2R1-S6;
  • 16.2 versions above and including 16.2R2-S5 prior to 16.2R2-S7;
  • 17.1R1-S7;
  • 17.1 versions above and including 17.1R2-S7 prior to 17.1R2-S9;
  • 17.2R1-S6;
  • 17.2 versions above and including 17.2R2-S4 prior to 17.2R2-S6;
  • 17.2X75 versions above and including 17.2X75-D100 prior to 17.2X75-D101, 17.2X75-D110;
  • 17.3 versions above and including 17.3R1-S4 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345, SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  • 17.3 versions above and including 17.3R2-S2 prior to 17.3R2-S4 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345, SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  • 17.3R3 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345, SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  • 17.4 versions above and including 17.4R1-S3 prior to 17.4R1-S5 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345, SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  • 17.4R2 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345, SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  • 18.1 versions above and including 18.1R2 prior to 18.1R2-S3, 18.1R3 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345, SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  • 18.2 versions above and including 18.2R1 prior to 18.2R1-S2, 18.2R1-S3, 18.2R2 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345, SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  • 18.2X75 versions above and including 18.2X75-D5 prior to 18.2X75-D20.

The following minimal protocols configuration is required:

[protocols mpls interface]

Juniper SIRT is aware of possible malicious network probing which may have triggered this issue, but not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2018-0049.
 

Solution:

The following software releases have been updated to resolve this specific issue: 12.1X46-D81, 12.3R12-S11, 12.3X48-D75, 14.1X53-D130, 14.1X53-D48, 15.1R7-S2, 15.1X49-D150, 15.1X53-D235, 15.1X53-D495, 15.1X53-D68, 15.1X53-D590, 16.1R4-S12, 16.1R6-S6, 16.1R7-S2, 16.1X65-D48, 16.2R2-S7, 16.2R3, 17.1R2-S9, 17.1R3, 17.2R1-S7, 17.2R2-S6, 17.2R3, 17.2X75-D101, 17.2X75-D110, 17.3R2-S4, 17.3R3-S1, 17.3R4, 17.4R1-S5, 17.4R2-S1, 17.4R3, 18.1R2-S3, 18.1R3, 18.2R1-S2, 18.2R1-S3, 18.2R2, 18.2X75-D20, 18.3R1, and all subsequent releases.

Additionally, the following software releases have been re-released to the Juniper download pages to resolve this specific issue:

12.1X46-D76.1, 12.3X48-D70.4, 14.1X53-D47.6, 15.1F6-S10.11, 15.1R6-S6.2, 15.1R7.9, 15.1X49-D140.3, 15.1X53-D233.2, 15.1X53-D59.4, 15.1X53-D67.6, 16.1R6-S3.2, 16.1R7-S1.2, 16.1R7.8, 17.2X75-D100.6, 17.3R2-S2.2, 17.3R3.10, 17.4R1-S3.4, 18.1R2.6.

Note: The final ".xy" numeric entry, for example the .4 in 12.3X48-D70.4, on a release in this notice is the respin release number. Customers should check the respin release number on the version of Junos OS to confirm vulnerability.

This issue is being tracked as PR 1380862 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

TSB17438 has been issued to assist with updating details. Further, the following table is designed to assist with identifying a fix path for your product. Each product has multiple potential fix paths. First, there is the updated release of Junos. If you are using an affected release of Junos that is listed in the Updated column, the only change to the updated release is PR 1380862. Second, there is the next "Fixed in" release, which contains at least PR 1380862, and other fixes, and potentially feature additions. Third, there are certain releases which are proactively fixed and those are called out. These proactively fixed releases were never exposed to this issue. Not all affected release trains have fixes. In those instances, customers should either update to a reissued release, or upgrade to a "Fixed in" release listed in the table below. For additional configuration, update and upgrade assistance, please contact your account manager or JTAC.

| Product and platforms | Affected releases | Fixed and reissued Junos release | Fixed in |
|---|---|---|---|
| 12.3 (all platforms) | = 12.3R12-S10 | None | >= 12.3R12-S11 |
| 12.1X46 (SRX Branch Series*) | >= 12.1X46-D76 and < 12.1X46-D81 | 12.1X46-D76.1 | >= 12.1X46-D81 |
| 12.3X48 (SRX Branch Series*) | >= 12.3X48-D66 and < 12.3X48-D75 | 12.3X48-D70.4 | >= 12.3X48-D75 |
| 14.1X53 (EX and QFX Series) | = 14.1X53-D47 | 14.1X53-D47.6 | >= 14.1X53-D48 |
| 14.1X53 (QFabric System) | Not affected | Not affected | >= 14.1X53-D115 and < 14.1X53-D130 (proactive fix) |
| 15.1 (all platforms) | >= 15.1F6-S10 | 15.1F6-S10.11 | None |
| | >= 15.1R4-S9 | None | None |
| | >= 15.1R6-S6 | 15.1R6-S6.2 | None |
| | >= 15.1R7 and < 15.1R7-S2 | 15.1R7.9 | >= 15.1R7-S2 |
| 15.1X49 (SRX Branch Series*) | >= 15.1X49-D131 and < 15.1X49-D150 | 15.1X49-D140.3 | >= 15.1X49-D150 |
| 15.1X53 (QFX5200/QFX5110) | >= 15.1X53-D233 and < 15.1X53-D235 | 15.1X53-D233.2 | >= 15.1X53-D235 |
| 15.1X53 (NFX150, NFX250) | >= 15.1X53-D471 and < 15.1X53-D495 | None | >= 15.1X53-D495 |
| 15.1X53 (QFX10000 Series) | = 15.1X53-D67 | 15.1X53-D67.6 | >= 15.1X53-D68 |
| 15.1X53 (EX2300/EX3400) | >= 15.1X53-D59 and < 15.1X53-D590 | 15.1X53-D59.4 | >= 15.1X53-D590 |
| 16.1 (all platforms) | >= 16.1R3-S8 | None | None |
| | >= 16.1R4-S9 and < 16.1R4-S12 | None | >= 16.1R4-S12 |
| | >= 16.1R5-S4 | None | None |
| | >= 16.1R6-S3 and < 16.1R6-S6 | 16.1R6-S3.2 | >= 16.1R6-S6 |
| | >= 16.1R7 and < 16.1R7-S2 | 16.1R7.8 and 16.1R7-S1.2 | >= 16.1R7-S2 |
| 16.1X65 (PTX1000 Series) | Not affected | Not affected | >= 16.1X65-D48 (proactive fix) |
| 16.2 (all platforms) | >= 16.2R1-S6 | None | None |
| | >= 16.2R2-S5 and < 16.2R2-S7 | None | >= 16.2R2-S7 and >= 16.2R3 |
| 17.1 (all platforms) | >= 17.1R1-S7 | None | None |
| | >= 17.1R2-S7 and < 17.1R2-S9 | None | >= 17.1R2-S9 and >= 17.1R3 |
| 17.2 (all platforms) | = 17.2R1-S6 | None | >= 17.2R1-S7 and >= 17.2R3 |
| | >= 17.2R2-S4 and < 17.2R2-S6 | None | >= 17.2R2-S6 and >= 17.2R3 |
| 17.2X75 | = 17.2X75-D100 | 17.2X75-D100.6 | >= 17.2X75-D101 and >= 17.2X75-D110 |
| 17.3 (all platforms) See Note-1 | >= 17.3R1-S4 | None | None |
| | >= 17.3R2-S2 and < 17.3R2-S4 | 17.3R2-S2.2 | >= 17.3R2-S4 and |
| | = 17.3R3 | 17.3R3.10 | >= 17.3R3-S1 and |
| 17.4 (all platforms) | >= 17.4R1-S3 and < 17.4R1-S5 | 17.4R1-S3.4 | >= 17.4R1-S5 and >= 17.4R3 |
| | = 17.4R2 | None | >= 17.4R2-S1 and >= 17.4R3 |
| 18.1 (all platforms) | >= 18.1R2 and < either 18.1R2-S3, or 18.1R3 | 18.1R2.6 | >= 18.1R2-S3 and >= 18.1R3 |
| 18.2 (all platforms) | >= 18.2R1 and < either 18.2R1-S2, or 18.2R2 | None | >= 18.2R1-S2 and >= 18.2R2 |
| 18.2X75 | >= 18.2X75-D5 and < 18.2X75-D20 | None | >= 18.2X75-D20 |

* SRX Branch Series devices include SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345,  SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX.

Note-1: From 17.3R1 onward, it is suggested that customers using releases of Junos on SRX consider transitioning to 17.4R2-S1, or subsequent releases.
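
An added example, not Juniper's code: a Python check that applies the respin note and the [protocols mpls interface] requirement to three X-train rows of the table above. The status names, the `display set` input format, and the rule that a respin number at or above the reissued one carries the fix are assumptions; platform applicability (SRX Series) is not checked.

```python
import re

# Three X-train rows copied from the advisory's table:
# train -> (first affected D, first fixed D, reissued (D, respin))
ROWS = {
    "12.1X46": (76, 81, (76, 1)),
    "12.3X48": (66, 75, (70, 4)),
    "15.1X49": (131, 150, (140, 3)),
}
VERSION_RE = re.compile(r"^(\d+\.\d+X\d+)-D(\d+)(?:\.(\d+))?$")
MPLS_RE = re.compile(r"^set protocols mpls interface (\S+)")

def parse_version(version):
    """'12.3X48-D70.4' -> ('12.3X48', 70, 4); respin is None when absent."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not an X-train D-release: {version!r}")
    train, d, respin = m.groups()
    return train, int(d), None if respin is None else int(respin)

def release_status(version):
    train, d, respin = parse_version(version)
    if train not in ROWS:
        return "train-not-modelled"
    first_bad, first_fixed, (re_d, re_spin) = ROWS[train]
    if not first_bad <= d < first_fixed:
        return "outside-affected-range"
    if d == re_d:
        if respin is None:
            return "check-respin"  # cannot tell D70.3 from D70.4 without it
        # Assumption: a respin at or above the reissued one carries the fix.
        return "fixed-reissue" if respin >= re_spin else "affected"
    return "affected"

def mpls_interfaces(display_set_lines):
    """Interfaces under [protocols mpls interface] in 'display set' output."""
    return [m.group(1) for line in display_set_lines
            if (m := MPLS_RE.match(line.strip()))]

def exposure(version, display_set_lines):
    status = release_status(version)
    ifaces = mpls_interfaces(display_set_lines)
    exposed = status in ("affected", "check-respin") and bool(ifaces)
    return {"release": status, "mpls_interfaces": ifaces, "exposed": exposed}

# Constructed sample input, not taken from a real device.
SAMPLE_CONFIG = [
    "set interfaces ge-0/0/1 unit 0 family mpls",
    "set protocols mpls interface ge-0/0/1.0",
    "set protocols ospf area 0.0.0.0 interface ge-0/0/1.0",
]
```

A release string without its respin number on the reissued D-release returns `check-respin` and is treated as exposed until the full version is confirmed.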

Workaround:

Remove MPLS configuration stanza from interfaces at risk.

There are no other available workarounds for this issue.
 

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.
 
Modification History:
2018-10-10: Initial publication
2018-10-12: QFabric System moved to proactively fixed; not affected.  Updated table data for SRX Series.  Added additional information about attack vector to JSA to clarify AV:N - can be initiated and forwarded through networks outside the MPLS domain, but can only trigger inside the MPLS domain once forwarded into the domain.  Added TSB17438 linking.
CVSS Score:
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level:
High
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."