Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

     MX Series MPC crash in Ktree::createFourWayNode after BGP UPDATE
                              23 October 2015


        AusCERT Security Bulletin Summary

Product:           Juniper MX Series router
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

MX Series MPC crash in Ktree::createFourWayNode after BGP UPDATE


    SIRT Advisory
    SIRT Notices

Security Advisories ID:		JSA10485
Last Updated:			21 Oct 2015
Version:			3.0
Legacy Advisory Id:		PSN-2011-08-327

Product Affected:
This issue can affect any MX Series router with port concentrators based
on the Trio chipset -- such as the MPC or embedded into the MX80 -- with
active protocol-based route prefix additions/deletions occurring.


MPCs (Modular Port Concentrators) installed in an MX Series router may crash
upon receipt of very specific and unlikely route prefix install/delete
actions, such as a BGP routing update. The set of route prefix updates
appears to be non-deterministic. Junos versions affected include 10.0,
10.1, 10.2, 10.3, 10.4 prior to 10.4R6, and 11.1 prior to 11.1R4. The
trigger for the MPC crash was determined to be a valid BGP UPDATE received
from a registered network service provider, although this one UPDATE
was determined to not be solely responsible for the crashes. A complex
sequence of preconditions is required to trigger this crash. Both IPv4
and IPv6 routing prefix updates can trigger this MPC crash.

The assertions (crash) all occurred in the code used to store routing
information, called Ktree, on the MPC. Due to the order and mix of adds
and deletes to the tree, certain combinations of address adds and deletes
can corrupt the data structures within the MPC, which in turn can cause
this line card crash. The MPC recovers and returns to service quickly,
and without operator intervention.

This issue only affects MX Series routers with port concentrators based
on the Trio chipset, such as the MPC or embedded into the MX80. No other
product or platform is vulnerable to this issue.

The Juniper SIRT is not aware of any malicious exploitation of this issue.


The Ktree code has been updated and enhanced to ensure that combinations
and permutations of routing updates will not corrupt the state of the
line card. Extensive testing has been performed to validate an exceedingly
large combination and permutation of route prefix additions and deletions.

All Junos OS software releases built on or after 2011-08-03 have fixed
this specific issue. Releases containing the fix specifically include:
10.0S18, 10.2S10, 10.4R6, 11.1R4, 11.2R1, and all subsequent releases
(i.e. all releases built after 11.2R1).

This issue is being tracked as PR 610864. While this PR may not be viewable
by customers, it can be used as a reference when discussing the issue
with JTAC.

KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End
of Life support policies.


No known workaround exists for this issue.


How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available
Maintenance Release of each supported Junos version. In some cases,
a Maintenance Release is not planned to be available in an appropriate
time-frame. For these cases, Service Releases are made available in order
to be more timely. Security Advisory and Security Notices will indicate
which Maintenance and Service Releases contain fixes for the issues
described. Upon request to JTAC, customers will be provided download
instructions for a Service Release. Although Juniper does not provide
formal Release Note documentation for a Service Release, a list of "PRs
fixed" can be provided on request.

Related Links:

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories.

CVSS Score:
5.7 (AV:A/AC:M/Au:N/C:N/I:N/A:C)

Risk Level:

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967