2019-04 Security Bulletin: SRX Series: A remote attacker may cause a high CPU Denial of Service to the device when proxy ARP is configured. (CVE-2019-0033)

[JSA10922]


Product Affected:
This issue affects Junos OS 12.1X46, 12.3X48, 15.1X49. Affected platforms: SRX Series.
Problem:

A firewall bypass vulnerability in the proxy ARP service of Juniper Networks Junos OS allows an attacker to cause a high CPU condition leading to a Denial of Service (DoS).

This issue affects only IPv4.

Affected releases are Juniper Networks Junos OS:

  • 12.1X46 versions above and including 12.1X46-D25 prior to 12.1X46-D71, 12.1X46-D73 on SRX Series;
  • 12.3X48 versions prior to 12.3X48-D50 on SRX Series;
  • 15.1X49 versions prior to 15.1X49-D75 on SRX Series.

An example configuration snippet is below:

root@device# show security nat proxy-arp
interface ge-0/0/0.0 {
  address {
    2.2.2.5/32;
  }
}

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2019-0033.

Solution:

The following software releases have been updated to resolve this specific issue: 12.1X46-D71, 12.1X46-D73, 12.3X48-D50, 15.1X49-D75, 17.3R1, and all subsequent releases.

This issue is being tracked as PR 1208910 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:

Discontinue use of proxy ARP.

An example configuration snippet is below:

deactivate security nat proxy-arp interface ge-0/0/0.0 address 2.2.2.5/32

(or)

delete security nat proxy-arp interface ge-0/0/0.0 address 2.2.2.5/32

There are no other viable workarounds for this issue.
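As an added worked example (not part of the Juniper advisory), the Python checker below applies the affected-release ranges listed under "Problem" and inspects the output of `show security nat proxy-arp` to report whether a device on an affected release still has active proxy ARP after the workaround above. It relies only on the version ranges stated in the advisory and on the `inactive:` prefix that Junos prints for deactivated configuration statements; the sample output, the function names and the verdict strings are constructed for this example. Releases that are not X-branch D-releases (such as 17.3R1) are reported as unknown rather than classified.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Affected ranges from JSA10922, keyed by Junos branch (major, minor, X-number).
# Value is (first affected D-release or None for "all earlier", first fixed D-release).
# 12.1X46: D25 up to but not including D71 (the advisory lists D71 and D73 as fixed).
AFFECTED_RANGES = {
    (12, 1, 46): (25, 71),
    (12, 3, 48): (None, 50),
    (15, 1, 49): (None, 75),
}

# Matches X-branch versions such as "12.1X46-D25" or "15.1X49-D75.3".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)X(\d+)-D(\d+)")


@dataclass(frozen=True)
class JunosVersion:
    major: int
    minor: int
    x: int
    d: int


def parse_version(text: str) -> Optional[JunosVersion]:
    """Parse an X-branch D-release string; returns None for other forms (e.g. 17.3R1)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, x, d = (int(g) for g in m.groups())
    return JunosVersion(major, minor, x, d)


def version_is_affected(text: str) -> Optional[bool]:
    """True if the release is in an affected range, False if not, None if unparseable."""
    v = parse_version(text)
    if v is None:
        return None
    rng = AFFECTED_RANGES.get((v.major, v.minor, v.x))
    if rng is None:
        return False  # branch not named in the advisory
    first, fixed = rng
    if first is not None and v.d < first:
        return False
    return v.d < fixed


INTERFACE_RE = re.compile(r"^\s*(inactive:\s*)?interface\s+(\S+)\s*\{")
ADDRESS_RE = re.compile(
    r"^\s*(inactive:\s*)?(\d+\.\d+\.\d+\.\d+(?:/\d+)?(?:\s+to\s+\d+\.\d+\.\d+\.\d+(?:/\d+)?)?)\s*;"
)


def active_proxy_arp(output: str) -> Dict[str, List[str]]:
    """Map interface -> active IPv4 proxy-ARP addresses from 'show security nat proxy-arp'.

    Statements printed with an 'inactive:' prefix (deactivated) are skipped, so a device
    that applied the advisory's 'deactivate' workaround reports no active entries.
    """
    result: Dict[str, List[str]] = {}
    current: Optional[str] = None
    depth = 0
    for line in output.splitlines():
        m = INTERFACE_RE.match(line)
        if m and depth == 0:
            current = None if m.group(1) else m.group(2)
            if current is not None:
                result.setdefault(current, [])
        else:
            m = ADDRESS_RE.match(line)
            if m and current is not None and m.group(1) is None:
                result[current].append(m.group(2))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return {iface: addrs for iface, addrs in result.items() if addrs}


def assess(version_text: str, proxy_arp_output: str) -> str:
    """Combine the release check with the live configuration (verdict strings are constructed)."""
    affected = version_is_affected(version_text)
    if affected is None:
        return "unknown-version"
    if not affected:
        return "not-affected-release"
    if not active_proxy_arp(proxy_arp_output):
        return "affected-release-no-active-proxy-arp"
    return "vulnerable"


# Constructed sample output: one active interface, one deactivated interface,
# and one interface where a single address was deactivated.
SAMPLE_OUTPUT = """\
interface ge-0/0/0.0 {
    address {
        2.2.2.5/32;
    }
}
inactive: interface ge-0/0/1.0 {
    address {
        2.2.2.6/32;
    }
}
interface ge-0/0/2.0 {
    address {
        inactive: 2.2.2.7/32;
        2.2.2.8/32;
    }
}
"""

if __name__ == "__main__":
    for ver in ("12.1X46-D40", "12.3X48-D50", "15.1X49-D70", "17.3R1"):
        print(ver, "->", assess(ver, SAMPLE_OUTPUT))
    print(active_proxy_arp(SAMPLE_OUTPUT))
```

Feed the checker the device's `show version` string and the text of `show security nat proxy-arp`; a "vulnerable" verdict means the release is in a listed range and at least one proxy-ARP address is still active, so either upgrading to a fixed release or deactivating the entries is still outstanding.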

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.
Modification History:
  • 2019-04-10: Initial Publication.

CVSS Score:
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level:
High
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."