This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.2X75, 17.3, 17.4, 18.1, 18.2, 18.2X75.
A NULL Pointer Dereference vulnerability in Juniper Networks Junos OS allows an attacker to cause the Junos OS kernel to crash. A single packet received by the target victim will cause a Denial of Service condition. Continued receipt of this specifically crafted malicious MPLS packet will cause a sustained Denial of Service condition.
1. The malicious packet must be received on an interface configured to receive this type of traffic.
2. This issue can be initiated from outside the MPLS domain and then forwarded into the MPLS domain. Once in the MPLS domain, the issue can be triggered.
3. This issue cannot be triggered from outside the MPLS domain to an interface configured with MPLS, e.g. if the bad packet is encapsulated or tunneled, regardless of whether it is in or out of the MPLS domain. Once de-encapsulated, the packet must then meet scenario #1 or #2 listed above.
Affected releases are Juniper Networks Junos OS:
- 12.1X46 versions above and including 12.1X46-D76 prior to 12.1X46-D81 on SRX Series;
- 12.3R12-S10;
- 12.3X48 versions above and including 12.3X48-D66 prior to 12.3X48-D75 on SRX Series;
- 14.1X53-D47 on EX2200/VC, EX3200, EX3300/VC, EX4200, EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100;
- 15.1 versions above and including 15.1F6-S10;
- 15.1R4-S9;
- 15.1R6-S6;
- 15.1 versions above and including 15.1R7 prior to 15.1R7-S2;
- 15.1X49 versions above and including 15.1X49-D131 prior to 15.1X49-D150 on SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345, SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
- 15.1X53 versions above 15.1X53-D233 prior to 15.1X53-D235 on QFX5200/QFX5110;
- 15.1X53 versions up to and including 15.1X53-D471 prior to 15.1X53-D590 on NFX150, NFX250;
- 15.1X53-D67 on QFX10000 Series;
- 15.1X53-D59 on EX2300/EX3400;
- 16.1 versions above and including 16.1R3-S8;
- 16.1 versions above and including 16.1R4-S9 prior to 16.1R4-S12;
- 16.1 versions above and including 16.1R5-S4;
- 16.1 versions above and including 16.1R6-S3 prior to 16.1R6-S6;
- 16.1 versions above and including 16.1R7 prior to 16.1R7-S2;
- 16.2 versions above and including 16.2R1-S6;
- 16.2 versions above and including 16.2R2-S5 prior to 16.2R2-S7;
- 17.1R1-S7;
- 17.1 versions above and including 17.1R2-S7 prior to 17.1R2-S9;
- 17.2R1-S6;
- 17.2 versions above and including 17.2R2-S4 prior to 17.2R2-S6;
- 17.2X75 versions above and including 17.2X75-D100 prior to 17.2X75-D101, 17.2X75-D110;
- 17.3 versions above and including 17.3R1-S4 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345, SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
- 17.3 versions above and including 17.3R2-S2 prior to 17.3R2-S4 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345, SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
- 17.3R3 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345, SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
- 17.4 versions above and including 17.4R1-S3 prior to 17.4R1-S5 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345, SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
- 17.4R2 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345, SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
- 18.1 versions above and including 18.1R2 prior to 18.1R2-S3, 18.1R3 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345, SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
- 18.2 versions above and including 18.2R1 prior to 18.2R1-S2, 18.2R1-S3, 18.2R2 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345, SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
- 18.2X75 versions above and including 18.2X75-D5 prior to 18.2X75-D20.
The following minimal protocols configuration is required:
[protocols mpls interface]
Juniper SIRT is aware of possible malicious network probing which may have triggered this issue, but not aware of any malicious exploitation of this vulnerability.
This issue was seen during production usage.
This issue has been assigned CVE-2018-0049.
The following software releases have been updated to resolve this specific issue: 12.1X46-D81, 12.3R12-S11, 12.3X48-D75, 14.1X53-D130, 14.1X53-D48, 15.1R7-S2, 15.1X49-D150, 15.1X53-D235, 15.1X53-D495, 15.1X53-D68, 15.1X53-D590, 16.1R4-S12, 16.1R6-S6, 16.1R7-S2, 16.1X65-D48, 16.2R2-S7, 16.2R3, 17.1R2-S9, 17.1R3, 17.2R1-S7, 17.2R2-S6, 17.2R3, 17.2X75-D101, 17.2X75-D110, 17.3R2-S4, 17.3R3-S1, 17.3R4, 17.4R1-S5, 17.4R2-S1, 17.4R3, 18.1R2-S3, 18.1R3, 18.2R1-S2, 18.2R1-S3, 18.2R2, 18.2X75-D20, 18.3R1, and all subsequent releases.
Additionally, the following software releases have been re-released to the Juniper download pages to resolve this specific issue:
12.1X46-D76.1, 12.3X48-D70.4, 14.1X53-D47.6, 15.1F6-S10.11, 15.1R6-S6.2, 15.1R7.9, 15.1X49-D140.3, 15.1X53-D233.2, 15.1X53-D59.4, 15.1X53-D67.6, 16.1R6-S3.2, 16.1R7-S1.2, 16.1R7.8, 17.2X75-D100.6, 17.3R2-S2.2, 17.3R3.10, 17.4R1-S3.4, 18.1R2.6.
Note: The final ".xy" numeric entry, for example the .4 in 12.3X48-D70.4, on a release in this notice is the respin release number. Customers should check the respin release number on the version of Junos OS to confirm vulnerability.
This issue is being tracked as PR 1380862 which is visible on the Customer Support website.
Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).
TSB17438 has been issued to assist with updating details. Further, the following table is designed to assist with identifying a fix path for your product. Each product has multiple potential fix paths. First, there is the updated release of Junos. If you are using an affected release of Junos that is listed in the Updated column, the only change to the updated release is PR 1380862. Second, there is the next "fixed in" release, which contains at least PR 1380862, other fixes, and potentially feature additions. Third, there are certain releases which are proactively fixed, and those are called out. These proactively fixed releases were never exposed to this issue. Not all affected release trains have fixes. In those instances, customers should either update to a reissued release or upgrade to a "fixed in" release listed in the table below. For additional configuration, update and upgrade assistance, please contact your account manager or JTAC.
| Product and platforms | Affected releases | Fixed and reissued Junos release | Fixed in |
| --- | --- | --- | --- |
| 12.3 (all platforms) | = 12.3R12-S10 | None | >= 12.3R12-S11 |
| 12.1X46 (SRX Branch Series*) | >= 12.1X46-D76 and < 12.1X46-D81 | 12.1X46-D76.1 | >= 12.1X46-D81 |
| 12.3X48 (SRX Branch Series*) | >= 12.3X48-D66 and < 12.3X48-D75 | 12.3X48-D70.4 | >= 12.3X48-D75 |
| 14.1X53 (EX and QFX Series) | = 14.1X53-D47 | 14.1X53-D47.6 | >= 14.1X53-D48 |
| 14.1X53 (QFabric System) | Not affected | Not affected | >= 14.1X53-D115 and < 14.1X53-D130 (proactive fix) |
| 15.1 (all platforms) | >= 15.1F6-S10 | 15.1F6-S10.11 | None |
| | >= 15.1R4-S9 | None | None |
| | >= 15.1R6-S6 | 15.1R6-S6.2 | None |
| | >= 15.1R7 and < 15.1R7-S2 | 15.1R7.9 | >= 15.1R7-S2 |
| 15.1X49 (SRX Branch Series*) | >= 15.1X49-D131 and < 15.1X49-D150 | 15.1X49-D140.3 | >= 15.1X49-D150 |
| 15.1X53 (QFX5200/QFX5110) | >= 15.1X53-D233 and < 15.1X53-D235 | 15.1X53-D233.2 | >= 15.1X53-D235 |
| 15.1X53 (NFX150, NFX250) | >= 15.1X53-D471 and < 15.1X53-D495 | None | >= 15.1X53-D495 |
| 15.1X53 (QFX10000 Series) | = 15.1X53-D67 | 15.1X53-D67.6 | >= 15.1X53-D68 |
| 15.1X53 (EX2300/EX3400) | >= 15.1X53-D59 and < 15.1X53-D590 | 15.1X53-D59.4 | >= 15.1X53-D590 |
| 16.1 (all platforms) | >= 16.1R3-S8 | None | None |
| | >= 16.1R4-S9 and < 16.1R4-S12 | None | >= 16.1R4-S12 |
| | >= 16.1R5-S4 | None | None |
| | >= 16.1R6-S3 and < 16.1R6-S6 | 16.1R6-S3.2 | >= 16.1R6-S6 |
| | >= 16.1R7 and < 16.1R7-S2 | 16.1R7.8 and 16.1R7-S1.2 | >= 16.1R7-S2 |
| 16.1X65 (PTX1000 Series) | Not affected | Not affected | >= 16.1X65-D48 (proactive fix) |
| 16.2 (all platforms) | >= 16.2R1-S6 | None | None |
| | >= 16.2R2-S5 and < 16.2R2-S7 | None | >= 16.2R2-S7 and >= 16.2R3 |
| 17.1 (all platforms) | >= 17.1R1-S7 | None | None |
| | >= 17.1R2-S7 and < 17.1R2-S9 | None | >= 17.1R2-S9 and >= 17.1R3 |
| 17.2 (all platforms) | = 17.2R1-S6 | None | >= 17.2R1-S7 and >= 17.2R3 |
| | >= 17.2R2-S4 and < 17.2R2-S6 | None | >= 17.2R2-S6 and >= 17.2R3 |
| 17.2X75 | = 17.2X75-D100 | 17.2X75-D100.6 | >= 17.2X75-D101 and >= 17.2X75-D110 |
| 17.3 (all platforms) See Note-1 | >= 17.3R1-S4 | None | None |
| | >= 17.3R2-S2 and < 17.3R2-S4 | 17.3R2-S2.2 | >= 17.3R2-S4 and |
| | = 17.3R3 | 17.3R3.10 | >= 17.3R3-S1 and |
| 17.4 (all platforms) | >= 17.4R1-S3 and < 17.4R1-S5 | 17.4R1-S3.4 | >= 17.4R1-S5 and >= 17.4R3 |
| | = 17.4R2 | None | >= 17.4R2-S1 and >= 17.4R3 |
| 18.1 (all platforms) | >= 18.1R2 and < either 18.1R2-S3, or 18.1R3 | 18.1R2.6 | >= 18.1R2-S3 and >= 18.1R3 |
| 18.2 (all platforms) | >= 18.2R1 and < either 18.2R1-S2, or 18.2R2 | None | >= 18.2R1-S2 and >= 18.2R2 |
| 18.2X75 | >= 18.2X75-D5 and < 18.2X75-D20 | None | >= 18.2X75-D20 |
* SRX Branch Series devices include SRX100, SRX110, SRX210, SRX220, SRX240m, SRX300, SRX320, SRX340, SRX345, SRX550m, SRX650, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX.
Note-1: From 17.3R1 onward, it is suggested that customers using releases of Junos on SRX consider transitioning to 17.4R2-S1 or subsequent releases.
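The fix-path table, the respin note and the `[protocols mpls interface]` precondition above can be combined into an audit check; the following is an added example, not part of Juniper's advisory. It covers only the X-train rows (12.1X46, 12.3X48, 15.1X49, 17.2X75, 18.2X75) and lists interfaces configured under `protocols mpls` in `display set` output. Assumptions: a respin at or above the reissued build counts as fixed, the table's platform restrictions (for example SRX Branch Series) are not checked, and the sample configuration is constructed.

```python
import re

# From the advisory's table: train -> (first affected D, first fixed D, reissue)
TABLE = {
    "12.1X46": (76, 81, (76, 1)),
    "12.3X48": (66, 75, (70, 4)),
    "15.1X49": (131, 150, (140, 3)),
    "17.2X75": (100, 101, (100, 6)),
    "18.2X75": (5, 20, None),
}
VERSION_RE = re.compile(r"^(\d+\.\d+X\d+)-D(\d+)(?:\.(\d+))?$")
MPLS_RE = re.compile(r"^set protocols mpls interface (\S+)", re.M)

def release_status(version):
    """Classify an X-train release string such as '12.3X48-D70.4'."""
    m = VERSION_RE.match(version.strip())
    if not m or m.group(1) not in TABLE:
        return "unknown"  # row not covered by this example
    d, respin = int(m.group(2)), int(m.group(3) or 0)
    low, fixed, reissue = TABLE[m.group(1)]
    if d < low:
        return "not-listed"  # older than the first affected release
    if d >= fixed:
        return "fixed"
    # Assumption: a respin at or above the reissued build of the same
    # D number carries the fix; a lower respin of that D number does not.
    if reissue and d == reissue[0] and respin >= reissue[1]:
        return "fixed-reissue"
    return "affected"

def mpls_interfaces(display_set):
    """Interfaces under [protocols mpls interface] in 'display set' output."""
    return sorted(set(MPLS_RE.findall(display_set)))

def exposure(version, display_set):
    """Return (exposed, status, interfaces); exposed needs both conditions."""
    status = release_status(version)
    ifaces = mpls_interfaces(display_set)
    return (status == "affected" and bool(ifaces), status, ifaces)

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/1 unit 0 family mpls
set protocols mpls interface ge-0/0/1.0
set protocols mpls interface ge-0/0/2.0
"""

if __name__ == "__main__":
    print(exposure("12.3X48-D70.3", SAMPLE_CONFIG))
```

A release string without a respin suffix is treated as respin 0, so `12.3X48-D70` is reported as affected until the full build number from `show version` is supplied.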
Remove MPLS configuration stanza from interfaces at risk.
There are no other available workarounds for this issue.
2018-10-10: Initial publication
2018-10-12: QFabric System moved to proactively fixed; not affected. Updated table data for SRX Series. Added additional information about attack vector to JSA to clarify AV:N - can be initiated and forwarded through networks outside the MPLS domain, but can only trigger inside the MPLS domain once forwarded into the domain. Added TSB17438 linking.
2018-10-19: Clarified problem scenarios.
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."