Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2015.2681 MX Series MPC crash in Ktree::createFourWayNode after BGP UPDATE 23 October 2015 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Juniper MX Series router Publisher: Juniper Networks Operating System: Juniper Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade Original Bulletin: kb.juniper.net/InfoCenter/index?page=content&id=JSA10485 - --------------------------BEGIN INCLUDED TEXT-------------------- MX Series MPC crash in Ktree::createFourWayNode after BGP UPDATE Categories: Junos M-series T-series MX-series SIRT SIRT Advisory SIRT Notices Security Advisories ID: JSA10485 Last Updated: 21 Oct 2015 Version: 3.0 Legacy Advisory Id: PSN-2011-08-327 Product Affected: This issue can affect any MX Series router with port concentrators based on the Trio chipset -- such as the MPC or embedded into the MX80 -- with active protocol-based route prefix additions/deletions occurring. Problem: MPCs (Modular Port Concentrators) installed in an MX Series router may crash upon receipt of very specific and unlikely route prefix install/delete actions, such as a BGP routing update. The set of route prefix updates appears to be non-deterministic. Junos versions affected include 10.0, 10.1, 10.2, 10.3, 10.4 prior to 10.4R6, and 11.1 prior to 11.1R4. The trigger for the MPC crash was determined to be a valid BGP UPDATE received from a registered network service provider, although this one UPDATE was determined to not be solely responsible for the crashes. A complex sequence of preconditions is required to trigger this crash. Both IPv4 and IPv6 routing prefix updates can trigger this MPC crash. The assertions (crash) all occurred in the code used to store routing information, called Ktree, on the MPC. Due to the order and mix of adds and deletes to the tree, certain combinations of address adds and deletes can corrupt the data structures within the MPC, which in turn can cause this line card crash. The MPC recovers and returns to service quickly, and without operator intervention. This issue only affects MX Series routers with port concentrators based on the Trio chipset, such as the MPC or embedded into the MX80. No other product or platform is vulnerable to this issue. The Juniper SIRT is not aware of any malicious exploitation of this issue. Solution: The Ktree code has been updated and enhanced to ensure that combinations and permutations of routing updates will not corrupt the state of the line card. Extensive testing has been performed to validate an exceedingly large combination and permutation of route prefix additions and deletions. All Junos OS software releases built on or after 2011-08-03 have fixed this specific issue. Releases containing the fix specifically include: 10.0S18, 10.2S10, 10.4R6, 11.1R4, 11.2R1, and all subsequent releases (i.e. all releases built after 11.2R1). This issue is being tracked as PR 610864. While this PR may not be viewable by customers, it can be used as a reference when discussing the issue with JTAC. KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies. Workaround: No known workaround exists for this issue. Implementation: How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request. Related Links: KB16765: In which releases are vulnerabilities fixed? KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories. CVSS Score: 5.7 (AV:A/AC:M/Au:N/C:N/I:N/A:C) Risk Level: Medium Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories." - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVimMqn6ZAP0PgtI9AQKNMhAAjPU2BBvY/0JZjpIQpzY8rAWpG8WC6Nwu jAnOhu9IfN4Lzcqd31OmQ3J4AS/U2rDRbhId0afjiddGbC6fofUdTa+lAPZHMLPz D2yoUuNvDedWkpEA4KmhELYcHLaPmKSj03vhLfzoOfCUYuGKsGczJZnZYf6PltWJ n2iB5zTQhvqSMzWtRKsknCQK/zjGsAwnaL+AbJ70XLY34W6LKSrG2z3iof8CmZ71 7kIlY+7CMtOrDaIVj/VjLd5UyYzkV2DTlRWzbNbDAqiZvTsD8Yno3Cgq712aKSNs dq0x2NKxjQpUvHsNaQBvDG34B0N3UlbZD0xo8OVlJyyrOF2YCs7TSr7VXQuOernt 6qPbQBT558rdj5vX2Qj1w5MIlICucX/X0pSFwkM9fVaFiy+0sQ2wDlAwmokOV1j2 MEtL98J4K5XdQg+Nqm1r7PI0hlP4p47czUyE19v9oRe/B+NT0iAJA4BnoUXWP9Ab esPbc27zezrLhDJO9TYIEcOHkk89ogp7D3lSRdmXpWXL8pRok6CiRCX9TOx3cpy6 x3BzKVoPAZcLkHPxdhWBFJVOkJ6sTggWd26r8rcd1QTOLcutyjAE6/mJ+Sz38FWF 3TPGMiCww0QsQBUekVqTfIZWg4AVx36mNXxID/rXyOhn9F4xkz4vJb0dSL/FxeGM f5C6AU2bmyM= =5S/b -----END PGP SIGNATURE-----