===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2018.2278
A vulnerability has been identified in Juniper platforms and products running Junos OS
7 August 2018

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Juniper Junos
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5390

Reference:         ESB-2018.2275
                   ESB-2018.2271

Original Bulletin:
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10876

--------------------------BEGIN INCLUDED TEXT--------------------

2018-08 Out of Cycle Security Bulletin: Junos platforms vulnerable to SegmentSmack attack [VU#962459]

Article ID:   JSA10876
Last Updated: 06 Aug 2018
Version:      1.0

-------------------------------------------------------------------------------

Product Affected:

This issue affects all products and platforms running Junos OS

Problem:

On August 6, 2018, the CERT/CC published VU#962459 describing a Linux kernel TCP implementation denial of service vulnerability. This issue, informally called "SegmentSmack", relies upon a crafted set of TCP segments over an established TCP session to create a resource denial of service.

Internal testing has confirmed that both Linux-based (WRL, CentOS, RHEL) systems and FreeBSD-based products and platforms running Junos OS are vulnerable to the SegmentSmack attack (CVE-2018-5390).

Crafted sequences of TCP/IP packets may allow a remote attacker to create a denial of service (DoS) condition on routing engines (REs) running Junos OS. The attack requires a successfully established two-way TCP connection to an open port.
The rate of attack traffic is lower than typical thresholds for built-in Junos OS distributed denial-of-service (DDoS) protection, so additional configuration is required to defend against these issues on affected platforms. Refer to the WORKAROUND section for additional guidance.

This issue was discovered by an external security researcher.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2018-5390.

Solution:

Platforms confirmed to be vulnerable include, but are not limited to:

  o MX80
  o MX480
  o QFX5100
  o NFX 150/250
  o QFX5100
  o QFX5200
  o QFX10008
  o PTX10008
  o vMX, vSRX, vQFX, vPTX, etc.

Other platforms are still under investigation and continue to be tested by the Juniper SIRT.

Since the attack requires a successfully established two-way TCP connection to an open port, security best current practice of limiting the exploitable attack surface of critical infrastructure networking equipment will mitigate this issue. Refer to the WORKAROUND section for additional guidance.

As software releases are updated to resolve this specific issue, this Juniper Security Advisory (JSA) will be updated.

Workaround:

The TCP segment attack can be mitigated by using access lists or firewall filters to limit access to the device only from trusted hosts.

Enable source address validation such as uRPF to defend against attacks that rely upon an established two-way TCP session to a reachable open port.

Additionally, the following IDP anomaly signatures may reduce the risk to devices from these types of attacks:

Anomaly Name: TCP:ERROR:REASS-MEMORY-OVERFLOW
Description: This protocol anomaly triggers when it detects a TCP Reassembler that has exhausted all allocated memory for storing unacknowledged packets
Recommended action: Drop
Test String: REASS_MEMORY_OVERFLOW
Note: Memory threshold for the IDP-reassembler can be configured using IDP sensor configuration.
Anomaly Name: TCP:ERROR:FLOW-MEMORY-EXCEEDED
Description: This protocol anomaly triggers when it detects that the TCP Reassembler has too many packets stored in memory for a connection. This can indicate an anti-IDS attack. This anomaly can be ignored in sniffer mode or in case of asymmetric routing.
Recommended action: Drop
Test String: FLOW_MEMORY_OVERFLOW
Note: Memory threshold for per flow in-memory segments can be configured using IDP sensor configuration.

Implementation:

Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/

Modification History:

  o 2018-08-06: Initial Publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  o Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  o CVE-2018-5390: TCP denial of service

CVSS Score:

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level:

High

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content.
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

   https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
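Added example (not part of the Juniper or AusCERT text): a small audit of a Junos configuration against the two workarounds in the bulletin, a routing-engine filter that accepts TCP only from trusted sources, and uRPF on transit interfaces. It assumes the configuration is in "display set" form, covers family inet only, and looks for explicit accept actions; the filter name PROTECT-RE, the prefix-list TRUSTED, the interface names and the function audit() are all constructed for illustration.

```python
import re

# Constructed sample in Junos "display set" form; every name and prefix is illustrative.
HARDENED = """\
set firewall family inet filter PROTECT-RE term mgmt from source-prefix-list TRUSTED
set firewall family inet filter PROTECT-RE term mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term mgmt then accept
set firewall family inet filter PROTECT-RE term other-tcp from protocol tcp
set firewall family inet filter PROTECT-RE term other-tcp then discard
set firewall family inet filter PROTECT-RE term rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
set interfaces ge-0/0/0 unit 0 family inet rpf-check
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.1/30
"""
# Weak variant: the management term loses its source restriction and uRPF is absent.
WEAK = "\n".join(l for l in HARDENED.splitlines()
                 if "source-prefix-list" not in l and "rpf-check" not in l)

TERM = re.compile(r"set firewall family inet filter (\S+) term (\S+) (from|then) (.+)")
LO0 = re.compile(r"set interfaces lo0 unit \d+ family inet filter input (\S+)")
INET = re.compile(r"set interfaces (?!lo0)(\S+) unit (\d+) family inet (.+)")

def audit(config):
    """Check a config against the advisory's two workarounds; return findings."""
    filters, lo0, urpf, out = {}, [], {}, []
    for line in map(str.strip, config.splitlines()):
        if m := TERM.match(line):
            term = filters.setdefault(m[1], {}).setdefault(m[2], {"from": [], "then": []})
            term[m[3]].append(m[4])
        elif m := LO0.match(line):
            lo0.append(m[1])
        elif m := INET.match(line):
            unit = f"{m[1]}.{m[2]}"
            urpf[unit] = urpf.get(unit, False) or m[3].startswith("rpf-check")
    if not lo0:
        out.append("lo0: no input filter in front of the routing engine")
    for name in lo0:
        for tname, t in filters.get(name, {}).items():  # dicts keep term order
            protos = [c.split()[1] for c in t["from"] if c.startswith("protocol ")]
            if protos and "tcp" not in protos:
                continue  # this term cannot match TCP
            sourced = any(c.startswith(("source-prefix-list", "source-address")) for c in t["from"])
            if "accept" in t["then"] and not sourced:
                out.append(f"{name}/{tname}: accepts TCP from any source")
            if all(c.startswith("protocol ") for c in t["from"]):
                break  # term matches all remaining TCP; later terms never see it
    out += [f"{u}: uRPF (rpf-check) not enabled" for u, ok in urpf.items() if not ok]
    return out
```

audit(HARDENED) returns no findings; audit(WEAK) reports the unrestricted management term and the interface without rpf-check.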