Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Juniper IPv6 vulnerability - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Juniper IPv6 vulnerability
Specially crafted IPv6 packets can cause a kernel memory 
leak and eventually a reboot in ALL VERSIONS of JUNOS released before May 10 2006
From https://www.juniper.net/support/security/alerts/IPv6_bug.txt
"Issue:
This issue affects all releases of JUNOS Internet Software running
on M-series, T-series, and J-series routers and built prior to May 10, 2006.
Affected JUNOS routers, when receiving certain IPv6 packets,
do not release the memory buffer occupied by the IPv6 packet. 
Repeated reception of such packets can eventually consume all kernel packet
memory and cause the router to crash.
Solution:
The JUNOS IPv6 code has been corrected to release the memory occupied
by the invalid packet in all cases.  All releases of JUNOS software
built on or after May 10, 2006 include the corrected code.  Corrective
software is available for JUNOS releases 6.4 through 8.0 inclusive." 
You can get updated software at http://www.juniper.net. 
If your not already a registered juniper customer you will need to register first.
"Customers without a JUNOS support or maintenance contract can gain
access to corrective software by requesting a Juniper user account at
the following link: http://www.juniper.net/entitlement/setupAccountInfo.do
The account must be set up with Authorization Code: JNPRIPV6.  After
receiving the user account information via email, customers can then
contact Juniper Support at 1-800-638-8296 (US and Canada) or
+1-408-745-9500 (worldwide) in order to obtain the
links to the appropriate software image." 
Workaround: 
If you do not need to process IPv6 packets remove family inet6 from the interface configurations.
Detection:
After an attack:

You will see a kernel crash and you might see an "out of mbufs" message
in the sylog if the kernel had a chance to write that to syslog before it crashes.

During an attack:
Show system buffers will show the mbuf count getting smaller
Reference numbers:
JTAC bulletin PSN-2006-06-017
CVE# VU#294036

Additional references:
http://www.niscc.gov.uk/niscc/docs/br-20060711-00471.html?lang=en
http://www.kb.cert.org/vuls/id/294036
donald

206 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!