High-risk denial of service flaw found in Juniper network gear

Switch and router vendor Juniper has issued patches against a vulnerability in the JunOS operating system that could be exploited remotely for denial of service attacks against service providers.

JunOS is based on the UNIX-like FreeBSD operating system, and is used to operate Juniper network switches and routers.

Juniper assessed the flaw in JunOS as being high-risk. Attackers could exploit it with specially crafted transmission control protocol (TCP) data packets, causing listening network sockets to become stuck indefinitely in a state ahead of connection closure.

Triggering the flaw repeatedly uses up memory until all resources are exhausted, requiring a reboot of the router, or failsafe switchover to another device.

FreeBSD also warned that all versions of its operating system are vulnerable to the resource exhaustion bug, and advised users to patch against it.

Adam Boileau of security consultancy Insomnia said it could be possible to exploit the vulnerability and choke Juniper routers, if the specially crafted packets can be sent to the device control plane.

“I would hope that by now, in 2015, admins are less likely to leave the management interface on their routers internet accessible - but it does totally happen, and the vulnerability could be exploited on these," he said.

"Connecting to the router from inside a service provider network as a subscriber or user of a public wi-fi network is one technique to bypass overly broad access restrictions.

"Juniper suggests that carriers rely also on spoof prevention through reverse path filtering - another mechanism that ISP engineers have been on a quest to deploy since the 1990s."

He said attacks on routers running border gateway protocol (BGP) - the most likely service on a router to be internet-accessible - could be mitigated by fairly widespread use of TCP MD5 authentication.

"Packets that do not have the proper MD5 signature are automatically dropped, although Juniper doesn't specifically mention that this is effective for this flaw,” he said.

"On a more positive note, a lot of provider core routers are hidden away in multiprotocol label switching (MPLS) clouds, and present a smaller overall attack surface than was once the case."

Boileau said the vulnerability could stick around for a while, given how difficult it can be to upgrade production routers on internet providers’ network.

“However, there have been similar IP stack denial of service vulnerabilities for other router vendors than Juniper in the past, and the internet hasn’t melted yet, so there’s probably no need to panic,” Boileau concluded.

Network architect Nathan Ward of internet service provider consultants Braintrust similarly said finding the vulnerable routers in the first place would be difficult for attackers.

"You'd have to be able to initiate a TCP connection to a Juniper router - I'd be surprised if you can find many that would accept a connection from some random place on the internet, as it would mean they have a very poor control plane packet filter in place," Ward said.

"In an MPLS network, which most of the internet is underneath, routers are only exposed for TCP on the border for BGP, and that is almost always well protected - managing a handful of BGP peers in an access control list is trivial."

Lawrence Stewart of streaming video provider Netflix and Jonathan Looney of Juniper are credited with finding the vulnerability.