ITS ADVISORY NUMBER: 

2020-140

DATE(S) ISSUED: 

Thursday, October 15, 2020

SUBJECT: 

A Vulnerability in Juniper Junos OS Could Allow for Denial of Service

OVERVIEW: 

A vulnerability has been discovered in Juniper Junos OS, which could allow for denial of service. Junos OS is a FreeBSD-based operating system used in Juniper Networks routers. This vulnerability specifically affects MX Series routers and EX9200 series switches with Trio-based PFEs configured with IPv6 Distributed Denial of Service (DDoS) protection mechanism enabled. An attacker can exploit this issue to disrupt network protocol operations or interrupt traffic. Successful exploitation of this vulnerability could result in denial of service conditions.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED: 

This issue affects Juniper Networks Junos OS on MX series and EX9200 Series: 

  • 17.2 versions prior to 17.2R3-S4

  • 17.2X75 versions prior to 17.2X75-D102, 17.2X75-D110

  • 17.3 versions prior to 17.3R3-S8

  • 17.4 versions prior to 17.4R2-S11, 17.4R3-S2

  • 18.2 versions prior to 18.2R2-S7, 18.2R3, 18.2R3-S3

  • 18.2X75 versions prior to 18.2X75-D30

  • 18.3 versions prior to 18.3R2-S4, 18.3R3-S2

RISK:

Government:

Large and medium government entities: High

Small government entities: High

Business:

Large and medium business entities: High

Small business entities: High

Home Users: Low

 

DESCRIPTION: 

A vulnerability has been discovered in Juniper Junos OS, which could allow for denial of service. This vulnerability specifically affects MX Series routers and EX9200 series switches with Trio-based PFEs configured with IPv6 Distributed Denial of Service (DDoS) protection mechanism enabled. The IPv6 DDoS protection mechanism allows the device to continue to function while it is under DDoS attack, protecting both the Routing Engine (RE) and the Flexible PIC Concentrator (FPC) during the DDoS attack. An attacker can exploit this issue to disrupt network protocol operations or interrupt traffic by overwhelming the Routing Engine (RE) and/or the Flexible PIC Concentrator (FPC). Successful exploitation of this vulnerability could result in denial of service conditions.

ACTIONS: 

  • After appropriate testing, immediately apply patches provided Juniper to vulnerable systems.

  • Disable all unnecessary services.

  • Restrict access to devices and applications from only authorized users and hosts.

  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.

  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES: 

Juniper:
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11062

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1665