Juniper Junos 12.1 on SRX Sun/MS-RPC ALG resource consumption

Summaryinfo

A vulnerability identified as problematic has been detected in Juniper Junos 12.1 on SRX. This issue affects some unknown processing of the component Sun/MS-RPC ALG. The manipulation leads to resource consumption. This vulnerability is uniquely identified as CVE-2017-10608. The attack is possible to be carried out remotely. No exploit exists. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in Juniper Junos 12.1 on SRX (Router Operating System). It has been rated as problematic. This issue affects some unknown functionality of the component Sun/MS-RPC ALG. The manipulation with an unknown input leads to a resource consumption vulnerability. Using CWE to declare the problem leads to CWE-400. The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Impacted is availability. The summary by CVE is:

Any Juniper Networks SRX series device with one or more ALGs enabled may experience a flowd crash when traffic is processed by the Sun/MS-RPC ALGs. This vulnerability in the Sun/MS-RPC ALG services component of Junos OS allows an attacker to cause a repeated denial of service against the target. Repeated traffic in a cluster may cause repeated flip-flop failure operations or full failure to the flowd daemon halting traffic on all nodes. Only IPv6 traffic is affected by this issue. IPv4 traffic is unaffected. This issues is not seen with to-host traffic. This issue has no relation with HA services themselves, only the ALG service. No other Juniper Networks products or platforms are affected by this issue. Affected releases are Juniper Networks Junos OS 12.1X46 prior to 12.1X46-D55 on SRX; 12.1X47 prior to 12.1X47-D45 on SRX; 12.3X48 prior to 12.3X48-D32, 12.3X48-D35 on SRX; 15.1X49 prior to 15.1X49-D60 on SRX.

The bug was discovered 10/11/2017. The weakness was disclosed 10/13/2017 (Website). The advisory is shared at kb.juniper.net. The identification of this vulnerability is CVE-2017-10608 since 06/28/2017. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1499 for this issue.

The vulnerability scanner Nessus provides a plugin with the ID 104033 (Juniper Junos SRX Flowd Crash Vulnerability (JSA10811)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Junos Local Security Checks and running in the context c. The commercial vulnerability scanner Qualys is able to test this issue with plugin 43609 (Juniper Junos Denial of Service (flowd crash) Vulnerability (JSA10811)).

Upgrading eliminates this vulnerability. A possible mitigation has been published even before and not after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (104033). The entries VDB-107841, VDB-107839, VDB-107838 and VDB-107836 are pretty similar. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Router Operating System

Vendor

• Juniper

Name

• Junos

Version

• 12.1

License

• commercial

Website

• Vendor: https://www.juniper.net/

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion