Notified:  January 26, 2005 Updated: May 01, 2006

Status

Affected

Vendor Statement

Bulletin Number: PSN-2005-02-004 Title: Denial of Service Vulnerability for certain MPLS Packets Products Affected: All M-series and T-series routing platforms Platforms Affected: JUNOS 3.x, JUNOS 4.x, JUNOS 5.x, JUNOS 6.x, JUNOS 7.x, Security Issue: (NOTE: This document updates and supersedes PSN-2005-01-010) When an M-series or T-series Juniper routing platform receives certain MPLS packets, the packets are immediately delivered to the Routing Engine (RE) for further processing. This occurs even if packets are received on an interface which is not enabled for MPLS processing, or if the router is not configured to process MPLS packets at all. Furthermore, these MPLS packets are delivered without any further processing by the hardware, thus bypassing all attempts at limiting the number of, or otherwise filtering, the packets. A large stream of these MPLS packets can overload internal communication paths and interfere with the timely processing of other packets. As a result, packets associated with routing protocols, link-layer management, and network traffic terminating on the router can be interrupted. Routing protocol adjacencies may be lost, telnet and ssh sessions may stall or time out, or interfaces may appear to "flap" for no apparent reason. The packet stream therefore creates a Denial of Service attack against the routing platform. Symptoms of an attack in progress might include CPU utilization on the RE being somewhat higher than usual, however the utilization will not typically reach levels high enough to trigger alarms. Traffic rates on the internal fxp1 interface that connects the RE to the Packet Forwarding Engine (PFE) will approach its maximum capacity. This vulnerability can be exploited by an attacker directly attached to a Juniper Networks M-series or T-series routing platform, even if the interface to which the attacker is attached is not enabled for MPLS. An attacker not directly attached to the routing platform can exploit this vulnerability on transit Label Switch Routers within an Internet Service Provider's MPLS-enabled core network. This vulnerability is specific to Juniper Networks M-series and T- series routers running JUNOS software releases built prior to January 6, 2005. J-series routers and routers that do not run JUNOS software are not susceptible to this vulnerability. Juniper Networks is not aware of any actual or attempted exploit of this vulnerability. Juniper Networks would like to thank Qwest Communications and their Software Certification team for identifying this issue as a security vulnerability within Juniper Networks products. Solution: The JUNOS software has been modified to limit the volume of MPLS traffic forwarded to the Routing Engine, thereby preventing these packets from consuming all bandwidth on the internal communication path. Additional software changes were made to completely ignore MPLS packets arriving on non-MPLS-enabled interfaces. All versions of JUNOS software built on or after January 20, 2005 contain the modified code. Software built between January 6 and January 20 may contain the modified code, depending on the specific JUNOS release. Solution Implementation: All customers are strongly encouraged to upgrade their software to a release that contains the modified code. Pointers to software releases with the corrected code can be found in the Related Links section below. Customers can also contact Juniper Network's Technical Assistance Center for download assistance. As a partial work-around, either of the no-decrement-ttl or the no-propagate-ttl configuration options can be used to reduce the exposure to this vulnerability from remote attackers. These configuration options prevent the attacker from affecting transit Label Switch Routers (LSR) in the Service Provider's core network. However, the configuration options do not protect against directly- attached attackers, nor do they protect the egress LSRs in an RFC2547bis Layer-3 Virtual Private Network environment. [Important Note!] Use of these configuration knobs on M-series routers can introduce anomalous MPLS TTL behavior when the router is running JUNOS release 6.4 or 7.0. IPv4 packets that transit an MPLS core network can leave an LSP with a TTL value greater than when the packet entered the LSP. This anomolous TTL behavior is a regression created by an unrelated change in the code, and is tracked within Juniper as PR/56025. Risk Level: High Risk Assessment: Both directly-attached and remote attackers can severely disrupt normal operation of the routing platform. Exposure to remote attackers can be reduced (but not eliminated) by certain router configuration options; however, attacks from directly-attached devices cannot be averted by simple configuration options.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Related Links (available to registered Juniper customers only): Juniper Security Bulletin PSN-2005-02-004 Title: Security Vulnerability in JUNOS Software (CERT/CC VU#409555) https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2005-02-004&actionBtn=Search Software Upgrade Roadmap https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2005-01-009&actionBtn=Search We are tracking this issue as VU#409555. We have been notified by Juniper that they are tracking this issue internally under PR/8245. Please contact the Juniper Technical Assistance Center (JTAC) for more information: http://www.juniper.net/support/requesting-support.html mailto:support@juniper.net +1-888-314-JTAC (within the United States, Canada, or Mexico) +1-408-745-9500 (from other countries)