-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1414
         IPv6 Neighbor Discovery Crafted Packet Denial of Service
                       Vulnerability (CVE-2016-1409)
                                6 June 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS
Publisher:         Juniper Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2016-1409  

Reference:         ESB-2016.1355

Original Bulletin: 
   http://kb.juniper.net/index?page=content&id=JSA10749

Comment: The workaround provided by the vendor is not a complete solution,
         however it will limit the attack surface until fixes are available.

- --------------------------BEGIN INCLUDED TEXT--------------------

IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability 
(CVE-2016-1409)

Categories:

Junos

Router Products

J Series

M Series

T Series

MX-series

Security Products

Switch Products

EX Series

SRX Series

Security Advisories ID: JSA10749

Last Updated: 03 Jun 2016

Version: 1.0

Product Affected:

This issue may affect any product or platform running Junos OS.

Problem:

A vulnerability in IPv6 processing has been discovered that may allow a 
specially crafted IPv6 Neighbor Discovery (ND) packet to be accepted by the 
router rather than discarded. The crafted packet, destined to the router, will
then be processed by the routing engine (RE). A malicious network-based packet
flood, sourced from beyond the local broadcast domain, can cause the RE CPU to
spike, or cause the DDoS protection ARP protocol group policer to engage. When
this happens, the DDoS policer may start dropping legitimate IPv6 neighbors as
legitimate ND times out.

Note that this is similar to the router's response to any purposeful malicious
IPv6 ND flood destined to the router. The difference is that the crafted 
packet identified in the vulnerability is such that the forwarding 
controllers/ASICs should disallow this traffic from reaching the RE for 
further processing. Additionally, due to the routable nature of the crafted 
IPv6 ND packet, the attack may be launched from beyond the local broadcast 
domain.

This issue has been assigned CVE-2016-1409.

Solution:

Internal investigation has uncovered three separate issues with IPv6 Neighbor
Discovery processing in Junos:

QFX5100 exceptions transit IPv6 ND traffic to RE

PR 1183115 logged to resolve this issue in a future release.

Junos routers forward IPv6 ND traffic in violation of RFC4861

PRs 1183124 (QFX), 1188939 (MX), 1188949 (PTX) logged to investigate this 
issue.

Junos routers fail to discard non-RFC4861-compliant IPv6 ND traffic destined 
to the router (CVE-2016-1409)

PRs 1183124 (QFX), 1188939 (MX), 1188949 (PTX)

Note that only MX, PTX, and QFX have been confirmed to experience this 
behavior. Other platforms are still under investigation.

Juniper Networks will update this advisory once fixes are available.

Refer to KB16613 for additional information about the Juniper Networks SIRT 
Quarterly Security Bulletin Publication Process.

Workaround:

While no complete workaround currently exists for this issue, especially for 
adjacent network attacks from the local broadcast domain, security best 
current practices (BCPs) of filtering all ND traffic at the edge, destined to
network infrastructure equipment, should be employed to limit the malicious 
attack surface of the vulnerability. Examples include:

Interface and/or control plane firewall filters may be used to stop 
propagation of NDP traffic beyond connected devices. Devices that support the
hop-limit option can utilize the following interface filter design:

user@junos# show firewall family inet6 NDP
filter NDP {
    term PERMIT_LOCAL_ICMP {
        from {
            next-header icmp6;
            hop-limit 255;
        }
        then {
            count PERMIT_LOCAL_ICMP;
            accept;
        }
    }
    term REJECT_NETWORK_ICMP {
        from {
            next-header icmpv6;
            icmp-type [ neighbor-advertisement neighbor-solicit router-solicit router-advertisement redirect ];
        }
        then {
            count REJECT_NETWORK_ICMP;
            discard;
        }
    }
    term PERMIT_ALL {
        then accept;
    }
}


Sample Protect_RE filter:

user@junos# show firewall family inet6 IPV6_PROTECT_RE
filter IPV6_PROTECT_RE {
    term ICMPV6_TRUSTED {
        from {
            source-prefix-list {
                IPV6_REMOTE_ACCESS;
            }
            next-header icmpv6;
        }
        then accept;
    }
    term IPV6_ND_LOCAL {
        from {
            next-header icmpv6;
            hop-limit 255;
        }
        then accept;
    }
    term ICMPV6 {
        from {
            next-header icmpv6;
            icmp-type [ echo-request echo-reply time-exceeded destination-unreachable packet-too-big parameter-problem ];
        }
        then accept;
    }
}

Devices that do not support the 'hop-limit' option will require a slightly more complicated interface filter design:

user@junos# show firewall family inet6 NDP
filter NDP {
    term PERMIT_VALID_ICMP {
        from {
            destination-address {
                fe80::/10;
                ff02::/123;
                ff02:0:0:0:0:1:ff00::/104;
            }
        }
        then {
            count PERMIT_VALID_ICMP;
            accept;
        }
    }
    term PERMIT_VALID_ICMP_LOCAL {
        from {
            source-address {
                x:x:x:x::/64;
            }
            destination-address {
                x:x:x:x::/64;
            }
            next-header icmp6;
        }
        then {
            count PERMIT_VALID_ICMP_LOCAL;
            accept;
        }
    }
    term REJECT_INVALID_ICMP {
        from {
            next-header icmpv6;
            icmp-type [ neighbor-advertisement neighbor-solicit router-solicit router-advertisement redirect ];
        }
        then {
            count REJECT_INVALID_ICMP;
            discard;
        }
    }
}


and Protect_RE filter design:

user@junos# show firewall family inet6 IPV6_PROTECT_RE
filter IPV6_PROTECT_RE {
    term ICMPV6_TRUSTED {
        from {
            source-prefix-list {
                IPV6_REMOTE_ACCESS;
            }
            next-header icmpv6;
        }
        then accept;
    }
    term IPV6_ND {
        from {
            destination-address {
                fe80::/10;
                ff02::/123;
                ff02:0:0:0:0:1:ff00::/104;
            }
        }
        then accept;
    }
    term IPV6_ND_LOCAL {
        from {
            source-address {
                x:x:x:x::/64;
            }
            destination-address {
                x:x:x:x::/64;
            }
            next-header icmp6;
        }
        then accept;
    }
    term ICMPV6 {
        from {
            next-header icmpv6;
            icmp-type [ echo-request echo-reply time-exceeded destination-unreachable packet-too-big parameter-problem ];
        }
        then accept;
    }
    term OTHER {
        then {
            count DROP;
            discard;
        }
    }
}
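To make the two interface-filter designs above concrete, the following Python model applies their terms in configured order to constructed IPv6/ICMPv6 packets and reports which term matched. This is an added example, not Juniper's code and not part of the advisory; it assumes the x:x:x:x::/64 placeholder stands for a local prefix supplied as a parameter (2001:db8:2::/64 in the sample), and it models only the two NDP interface filters, not the Protect_RE filters or their trusted source-prefix list. The sample packets include the case the Problem section describes: a Neighbor Discovery packet sourced from beyond the local broadcast domain, whose hop limit is no longer 255 because it has been forwarded.

```python
import ipaddress
import struct

ICMPV6 = 58  # IPv6 next-header value for ICMPv6

# ICMPv6 Neighbor Discovery types named in the REJECT terms of both filters
ND_TYPES = {
    133: "router-solicit",
    134: "router-advertisement",
    135: "neighbor-solicit",
    136: "neighbor-advertisement",
    137: "redirect",
}

# Destination prefixes from the PERMIT_VALID_ICMP term of the no-hop-limit design
ND_DESTINATIONS = (
    ipaddress.IPv6Network("fe80::/10"),
    ipaddress.IPv6Network("ff02::/123"),
    ipaddress.IPv6Network("ff02:0:0:0:0:1:ff00::/104"),
)


def build_packet(src, dst, hop_limit, icmp_type):
    """Assemble a minimal IPv6 packet carrying an ICMPv6 message (constructed input; checksum left zero)."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 4  # type, code, checksum, reserved
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)  # version 6, length, NH, hop limit
    return ipv6 + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp


def parse_packet(pkt):
    """Pull out the header fields the filter terms match on; raises on non-IPv6 input."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet (family inet6 filters see IPv6 only)")
    _, _, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    return {
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
        "next_header": next_header,
        "hop_limit": hop_limit,
        "icmp_type": pkt[40] if next_header == ICMPV6 and len(pkt) > 40 else None,
    }


def filter_ndp_hop_limit(pkt):
    """Terms of the first NDP filter (devices supporting 'hop-limit'), in configured order."""
    f = parse_packet(pkt)
    is_icmp = f["next_header"] == ICMPV6
    if is_icmp and f["hop_limit"] == 255:          # term PERMIT_LOCAL_ICMP
        return ("PERMIT_LOCAL_ICMP", "accept")
    if is_icmp and f["icmp_type"] in ND_TYPES:     # term REJECT_NETWORK_ICMP
        return ("REJECT_NETWORK_ICMP", "discard")
    return ("PERMIT_ALL", "accept")                 # term PERMIT_ALL


def filter_ndp_no_hop_limit(pkt, local_prefix):
    """Terms of the second NDP filter; local_prefix replaces the x:x:x:x::/64 placeholder."""
    f = parse_packet(pkt)
    local = ipaddress.IPv6Network(local_prefix)
    is_icmp = f["next_header"] == ICMPV6
    # PERMIT_VALID_ICMP matches on destination only; it carries no next-header condition.
    if any(f["dst"] in net for net in ND_DESTINATIONS):
        return ("PERMIT_VALID_ICMP", "accept")
    if is_icmp and f["src"] in local and f["dst"] in local:
        return ("PERMIT_VALID_ICMP_LOCAL", "accept")
    if is_icmp and f["icmp_type"] in ND_TYPES:
        return ("REJECT_INVALID_ICMP", "discard")
    # This design has no terminal accept term, so the Junos implicit discard applies.
    return ("implicit-default", "discard")


# Constructed sample packets; 2001:db8::/32 is the documentation prefix.
SAMPLES = {
    # on-link neighbor solicitation to a solicited-node multicast group, hop limit 255
    "onlink_ns": build_packet("fe80::1", "ff02::1:ff00:1", 255, 135),
    # ND packet from beyond the broadcast domain: global source, hop limit already decremented
    "routed_ns": build_packet("2001:db8:1::1", "2001:db8:2::1", 64, 135),
    # neighbor advertisement between two addresses on the local /64
    "local_na": build_packet("2001:db8:2::5", "2001:db8:2::1", 255, 136),
    # ordinary remote echo request, not ND at all
    "remote_echo": build_packet("2001:db8:1::1", "2001:db8:2::1", 64, 128),
}


def classify_samples(local_prefix="2001:db8:2::/64"):
    """Run each sample through both designs; returns name -> (hop-limit result, no-hop-limit result)."""
    return {
        name: (filter_ndp_hop_limit(pkt), filter_ndp_no_hop_limit(pkt, local_prefix))
        for name, pkt in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (with_hl, without_hl) in classify_samples().items():
        print(f"{name:12s} hop-limit design: {with_hl}   no-hop-limit design: {without_hl}")
```

Both designs discard the routed ND packet and accept the on-link and local-prefix ND traffic, which is the intended effect. The model also surfaces a difference worth checking before deployment: the hop-limit design ends in a PERMIT_ALL term, whereas the second NDP filter has no terminal accept, so on Junos everything that matches none of its terms (the remote echo request in the sample) falls to the implicit discard at the end of the filter. An operator applying the second design to a transit interface would want to confirm that is the intended behaviour or add an explicit final accept term.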

Implementation:

Related Links:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVE-2016-1409: IPv6 Neighbor Discovery Crafted Packet Denial of Service 
Vulnerability

CVSS Score:

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Risk Level:

Medium

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

Acknowledgements:

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----