A Vulnerability in Juniper Junos OS Could Allow for Denial of Service

ITS Advisory Number: 
2019-113
Date(s) Issued: 
Friday, October 18, 2019
Subject: 
A Vulnerability in Juniper Junos OS Could Allow for Denial of Service
Overview: 

A vulnerability has been discovered in Juniper Junos OS, which could allow for denial of service. Junos OS is a FreeBSD-based operating system used in Juniper Networks routers. This vulnerability specifically affects MX Series routers configured with SIP ALG and NAT. An attacker can exploit this issue by sending specially-crafted SIP packets. Repeated successful exploitation of this vulnerability could result in prolonged denial of service conditions.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

Systems Affected: 

This issue affects Juniper Networks Junos OS on MX Series:

  • 16.1 versions prior to 16.1R7-S5
  • 16.2 versions prior to 16.2R2-S11
  • 17.1 versions prior to 17.1R3
  • 17.2 versions prior to 17.2R3-S3
  • 17.3 versions prior to 17.3R3-S6
  • 17.4 versions prior to 17.4R2-S8, 17.4R3
  • 18.1 versions prior to 18.1R3-S3
  • 18.2 versions prior to 18.2R3
  • 18.3 versions prior to 18.3R2
  • 18.4 versions prior to 18.4R2
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
Low
Description: 

A vulnerability has been discovered in Juniper Junos OS, which could allow for denial of service. The vulnerability specifically affects MX Series routers configured with SIP ALG and NAT. The Session Initiation Protocol (SIP) is a signaling protocol for initiating, modifying, and terminating multimedia sessions over the internet. An attacker can exploit this issue by sending specially-crafted SIP packets to crash the MS-PIC component on MS-MIC or MS-MPC. Repeated successful exploitation of this vulnerability could result in prolonged denial of service conditions.

Actions: 
  • After appropriate testing, immediately apply patches provided by Juniper to vulnerable systems.
  • Disable SIP ALG on affected systems if not required by your organization.
  • Restrict access to devices and applications from only authorized users and hosts.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.