-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
A vulnerability has been identified in Juniper platforms and
products running Junos OS
7 August 2018
AusCERT Security Bulletin Summary
Product: Juniper Junos
Publisher: Juniper Networks
Operating System: Juniper
Impact/Access: Denial of Service -- Remote/Unauthenticated
CVE Names: CVE-2018-5390
- --------------------------BEGIN INCLUDED TEXT--------------------
2018-08 Out of Cycle Security Bulletin: Junos platforms vulnerable to
SegmentSmack attack [VU#962459]
Article ID: JSA10876
Last Updated: 06 Aug 2018
This issue affects all products and platforms running Junos OS
On August 6, 2018, the CERT/CC published VU#962459 describing a Linux kernel
TCP implementation denial of service vulnerability. This issue, informally
called "SegmentSmack", relies upon a crafted set of TCP segments over an
established TCP session to create a resource denial of service. Internal
testing has confirmed that both Linux-based (WRL, CentOS, RHEL) systems and
FreeBSD-based products and platforms running Junos OS are vulnerable to the
SegmentSmack attack (CVE-2018-5390).
Crafted sequences of TCP/IP packets may allow a remote attacker to create a
denial of service (DoS) condition on routing engines (REs) running Junos OS.
The attack requires a successfully established two-way TCP connection to an
open port. The rate of attack traffic is lower than typical thresholds for
built-in Junos OS distributed denial-of-service (DDoS) protection, so
additional configuration is required to defend against these issues on affected
platforms. Refer to the WORKAROUND section for additional guidance.
This issue was discovered by an external security researcher.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue has been assigned CVE-2018-5390.
Platforms confirmed to be vulnerable include, but are not limited to:
o NFX 150/250
o vMX, vSRX, vQFX, vPTX, etc.
Other platforms are still under investigation and continue to be tested by the
Since the attack requires a successfully established two-way TCP connection to
an open port, security best current practice of limiting the exploitable attack
surface of critical infrastructure networking equipment will mitigate this
issue. Refer to the WORKAROUND section for additional guidance.
As software releases are updated to resolve this specific issue, this Juniper
Security Advisory (JSA) will be updated.
The TCP segment attack can be mitigated by using access lists or firewall
filters to limit access to the device only from trusted hosts. Enable source
address validation such as uRPF to defend against attacks that rely upon an
established two-way TCP session to a reachable open port.
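A check for the two workarounds above, as an added example that is not part of the Juniper advisory or the AusCERT bulletin: it audits a configuration in Junos "display set" form for an input filter on lo0 that limits TCP to trusted sources, and for uRPF (rpf-check) on addressed interfaces. The filter, prefix-list and interface names and all addresses are constructed assumptions.

```python
# Constructed sample in Junos "display set" form. Filter, prefix-list and
# interface names and all addresses are illustrative assumptions.
HARDENED = """\
set policy-options prefix-list TRUSTED-MGMT 192.0.2.0/24
set firewall family inet filter PROTECT-RE term trusted-tcp from source-prefix-list TRUSTED-MGMT
set firewall family inet filter PROTECT-RE term trusted-tcp from protocol tcp
set firewall family inet filter PROTECT-RE term trusted-tcp then accept
set firewall family inet filter PROTECT-RE term other-tcp from protocol tcp
set firewall family inet filter PROTECT-RE term other-tcp then discard
set firewall family inet filter PROTECT-RE term rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
set interfaces ge-0/0/0 unit 0 family inet rpf-check
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.1/30
"""
# The same constructed device with neither mitigation configured.
EXPOSED = "set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.1/30\n"
SRC = (["from", "source-prefix-list"], ["from", "source-address"])


def audit(config):
    """Return findings for the two workarounds: RE filter and uRPF."""
    lines = [l.split() for l in config.splitlines() if l.startswith("set ")]
    findings = []
    # Traffic to the routing engine is filtered by an input filter on lo0.
    names = [w[-1] for w in lines
             if w[1:3] == ["interfaces", "lo0"] and w[-3:-1] == ["filter", "input"]]
    if not names:
        findings.append("no input filter on lo0")
    for name in names:
        terms = {}  # term name -> its statements, in configuration order
        for w in lines:
            if w[1:7] == ["firewall", "family", "inet", "filter", name, "term"] and len(w) > 8:
                terms.setdefault(w[7], []).append(w[8:])
        for term, stmts in terms.items():
            protos = [s[-1] for s in stmts if s[:2] == ["from", "protocol"]]
            restricted = any(s[:2] in SRC for s in stmts)
            action = [s[-1] for s in stmts if s[0] == "then"
                      and s[-1] in ("accept", "discard", "reject")]
            # First terminating term that matches TCP from any source decides.
            if action and not restricted and (not protos or "tcp" in protos):
                if action[0] == "accept":
                    findings.append(f"{name}: term {term} accepts TCP from any source")
                break
    # Every addressed interface except lo0 should carry rpf-check (uRPF).
    ifl = [w for w in lines if w[1:2] == ["interfaces"] and len(w) > 4]
    addressed = {(w[2], w[4]) for w in ifl if "address" in w}
    urpf = {(w[2], w[4]) for w in ifl if "rpf-check" in w}
    findings += [f"{i}.{u}: no rpf-check" for i, u in sorted(addressed - urpf) if i != "lo0"]
    return findings
```

In the sample filter, any host that must open TCP sessions to the device (management stations, routing-protocol peers) has to be listed in the trusted prefix list, because all other TCP to the routing engine is discarded.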
Additionally, the following IDP anomaly signatures may reduce the risk to
devices from these types of attacks:
Anomaly Name: TCP:ERROR:REASS-MEMORY-OVERFLOW
Description: This protocol anomaly triggers when it detects a TCP Reassembler
that has exhausted all allocated memory for storing unacknowledged packets
Recommended action: Drop
Test String: REASS_MEMORY_OVERFLOW
Note: Memory threshold for the IDP-reassembler can be configured using IDP
Anomaly Name: TCP:ERROR:FLOW-MEMORY-EXCEEDED
Description: This protocol anomaly triggers when it detects that the TCP
Reassembler has too many packets stored in memory for a connection. This can
indicate an anti-IDS attack. This anomaly can be ignored in sniffer mode or in
case of asymmetric routing.
Recommended action: Drop
Test String: FLOW_MEMORY_OVERFLOW
Note: Memory threshold for per flow in-memory segments can be configured using
IDP sensor configuration.
Software Releases, patches and updates are available at https://www.juniper.net
o 2018-08-06: Initial Publication
o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
o KB16765: In which releases are vulnerabilities fixed?
o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
o Report a Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team
o CVE-2018-5390: TCP denial of service
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
- --------------------------END INCLUDED TEXT--------------------
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----