
CERT Coordination Center

Juniper JUNOS Packet Forwarding Engine (PFE) IPv6 memory leak

Vulnerability Note VU#658859

Original Release Date: 2004-06-30 | Last Revised: 2004-06-30

Overview

The Juniper JUNOS Packet Forwarding Engine (PFE) leaks memory when certain IPv6 packets are submitted for processing. If an attacker submits multiple packets to a vulnerable router running an IPv6-enabled PFE, the router can be repeatedly rebooted, essentially creating a denial of service for the router.

Description

Juniper routers running JUNOS use a Packet Forwarding Engine (PFE) to forward network packets to specified destinations. A memory leak has been found in all JUNOS PFEs released after February 24, 2004. This leak can be triggered under certain specific conditions, which may lead to memory exhaustion on vulnerable JUNOS routers. After memory exhaustion occurs, the system will reboot and resume normal operation. However, repeated attacks may cause vulnerable systems to repeatedly reboot, essentially creating a denial of service.

This issue is thought to affect only the JUNOS PFE. The JUNOS Packet Forwarding Engine (specifically, the IPv6 branch) is not derived from other code (i.e., FreeBSD).

Impact

A remote, unauthenticated attacker may cause a Juniper router to repeatedly reboot when multiple IPv6 packets are processed by JUNOS on a vulnerable system. This would create a denial of service for the router.

Solution

Users registered at Juniper's support site should visit https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2004-06-009&actionBtn=Search

Disable IPv6 processing in the Packet Forwarding Engine.

Vendor Information


Juniper Networks Affected

Updated:  June 20, 2004

Status

Affected

Vendor Statement

For registered Juniper customers, please see: https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2004-06-009&actionBtn=Search

Number: PSN-2004-06-009
Title: Remotely exploitable ICMPv6 denial-of-service (DoS) attack (CERT/CC VU#658859)
Products Affected: All Juniper Networks M-series and T-series routing platforms with IPv6 enabled.
Platforms Affected: JUNOS 6.x, Security
Revision Number: 1

PSN Issue
When an incoming IPv6 packet requires the router to generate an
ICMPv6 response, the response might not be generated and the buffer
containing the original packet might not be released. Eventually the
Packet Forwarding Engine CPU might exhaust its packet memory and
reboot. This problem exists in all JUNOS Release 6.x software built
on or after February 24, 2004 running on M-series and T-series
routing platforms, and is tracked as PR/48386.

Solution
The JUNOS software has been modified to release the memory occupied
by the original IPv6 packets.

Solution Implementation
All JUNOS software built on or after June 21, 2004 includes the
corrected code. Customers running in an IPv6 environment are strongly
encouraged to upgrade their software to incorporate this correction.
Contact Juniper Networks Technical Assistance Center for availability
and download instructions.

Risk Level - High

Risk Assessment
This remotely exploitable Denial of Service attack vector exists in
all Juniper Networks M-series and T-series routing platforms on which
IPv6 is enabled.
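
The leak pattern described in the PSN Issue text above, shown as an added illustration that is not Juniper's code and is not part of the original advisory: a response-generation failure path that returns without releasing the original packet buffer, next to a corrected handler that releases it on every path. The pool size and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of a fixed packet-buffer pool; not JUNOS code. */
#define POOL_SIZE 8
static bool in_use[POOL_SIZE];

static int buf_alloc(void) {   /* buffer index, or -1 when the pool is exhausted */
    for (int i = 0; i < POOL_SIZE; i++)
        if (!in_use[i]) { in_use[i] = true; return i; }
    return -1;
}
static void buf_free(int b) { in_use[b] = false; }
int pool_in_use(void) {
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++) n += in_use[i];
    return n;
}

/* Stand-in for building the ICMPv6 response; reply_ok simulates the outcome. */
static bool build_reply(int orig, bool reply_ok) { (void)orig; return reply_ok; }

/* Leaky pattern: the failure path returns without releasing the original packet. */
static bool handle_leaky(int orig, bool reply_ok) {
    if (!build_reply(orig, reply_ok))
        return false;          /* original buffer is never released */
    buf_free(orig);
    return true;
}

/* Corrected pattern: the original packet is released on every path. */
static bool handle_fixed(int orig, bool reply_ok) {
    bool sent = build_reply(orig, reply_ok);
    buf_free(orig);
    return sent;
}

/* Process n packets whose response is not generated; count those left without a buffer. */
int run(bool fixed, int n) {
    int starved = 0;
    for (int i = 0; i < POOL_SIZE; i++) in_use[i] = false;
    for (int i = 0; i < n; i++) {
        int b = buf_alloc();
        if (b < 0) { starved++; continue; }
        if (fixed) handle_fixed(b, false); else handle_leaky(b, false);
    }
    return starved;
}

int main(void) { printf("leaky: %d starved, fixed: %d starved\n", run(false, 20), run(true, 20)); return 0; }
```

In this model the leaky handler pins every buffer after eight failed responses, which corresponds to the packet-memory exhaustion that precedes the PFE reboot; the corrected handler keeps the pool empty regardless of how many responses fail.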

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

CERT/CC is tracking this issue as VU#658859. CERT/CC has been notified by Juniper that they are tracking this issue under PR/48386. Please contact the Juniper Technical Assistance Center (JTAC) for more information:

Cisco Systems Inc. Not Affected

Updated:  June 20, 2004

Status

Not Affected

Vendor Statement

Not Vulnerable

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.



Acknowledgements

Thanks to Juniper Networks for contributing to this document.

This document was written by Jeffrey S. Havrilla.

Other Information

CVE IDs: CVE-2004-0468
Severity Metric: 15.54
Date Public: 2004-06-29
Date First Published: 2004-06-30
Date Last Updated: 2004-06-30 00:56 UTC
Document Revision: 18

Sponsored by CISA.