The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Juniper JunosE

vulnerability announce CVE-2013-0149

OSPF: corrupting the routing database

Synthesis of the vulnerability

An attacker can spoof OSPF messages, in order to corrupt the routing database.
Impacted products: CheckPoint IP Appliance, IPSO, CheckPoint Security Gateway, Cisco ASR, ASA, Cisco Catalyst, IOS by Cisco, IOS XE Cisco, Nexus by Cisco, NX-OS, Cisco Router, ProCurve Switch, HP Switch, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, NetScreen Firewall, ScreenOS, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Consequences: data creation/edition, data deletion.
Provenance: internet client.
Creation date: 02/08/2013.
Revision dates: 01/08/2014, 14/02/2017.
Identifiers: BID-61566, c03880910, CERTA-2013-AVI-458, CERTA-2013-AVI-487, CERTA-2013-AVI-508, cisco-sa-20130801-lsaospf, CQ95773, CSCug34469, CSCug34485, CSCug39762, CSCug39795, CSCug63304, CVE-2013-0149, HPSBHF02912, JSA10575, JSA10580, JSA10582, PR 878639, PR 895456, sk94490, SUSE-SU-2014:0879-1, VIGILANCE-VUL-13192, VU#229804.

Description of the vulnerability

RFC 2328 defines the OSPF (Open Shortest Path First) protocol, which establishes IP routes using LSA (Link State Advertisement) messages.

The LSA Type 1 Update (LSU, Link-State Update) message is used to update the routing database. However, the RFC does not require checking the "Link State ID" and "Advertising Router" fields of LSU messages. Several implementations (Cisco, Juniper, etc.) therefore do not perform this check.

An attacker can thus spoof an LSU message if he knows:
 - the IP address of the target router
 - LSA DB sequence numbers
 - the router ID of the OSPF Designated Router

An attacker can therefore spoof OSPF messages, in order to corrupt the routing database.

computer vulnerability bulletin CVE-2016-4925

JUNOSe: denial of service via IPv6

Synthesis of the vulnerability

An attacker can send malicious IPv6 packets to JUNOSe, in order to trigger a denial of service.
Impacted products: Juniper E-Series, JUNOSe.
Severity: 3/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet client.
Creation date: 13/10/2016.
Identifiers: CERTFR-2016-AVI-344, CVE-2016-4925, JSA10767, VIGILANCE-VUL-20858.

Description of the vulnerability

The JUNOSe product has a service to manage received IPv6 packets.

However, when malicious IPv6 packets are received, a fatal error occurs.

An attacker can therefore send malicious IPv6 packets to JUNOSe, in order to trigger a denial of service.

vulnerability announce CVE-2016-1409

Cisco, Junos: denial of service via IPv6 Neighbor Discovery

Synthesis of the vulnerability

An attacker can send a malicious IPv6 Neighbor Discovery packet to Cisco or Junos, in order to trigger a denial of service.
Impacted products: ASA, Cisco Catalyst, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Nexus by Cisco, NX-OS, Cisco Router, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service.
Provenance: LAN.
Creation date: 26/05/2016.
Revision dates: 27/05/2016, 01/06/2016, 02/06/2016, 06/06/2016, 04/07/2016.
Identifiers: cisco-sa-20160525-ipv6, CSCuz66542, CSCuz79330, CVE-2016-1409, JSA10749, VIGILANCE-VUL-19702.

Description of the vulnerability

The Cisco or Junos product has a service to manage received IPv6 Neighbor Discovery packets.

However, when a malicious packet is received, a fatal error occurs.

An attacker can therefore send a malicious IPv6 Neighbor Discovery packet to Cisco or Junos, in order to trigger a denial of service.

computer vulnerability note CVE-2014-6377

JunosE: denial of service via ICMP

Synthesis of the vulnerability

An attacker can send a malicious ICMP packet to JunosE, in order to trigger a denial of service.
Impacted products: Juniper E-Series, JUNOSe.
Severity: 3/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet client.
Creation date: 08/10/2014.
Revision date: 10/10/2014.
Identifiers: CERTFR-2014-AVI-412, CVE-2014-6377, JSA10651, VIGILANCE-VUL-15449.

Description of the vulnerability

The JunosE product can log ICMP packets with "icmpTraffic logging".

However, when a malicious ICMP packet is received, a fatal error occurs in SRP.

An attacker can therefore send a malicious ICMP packet to JunosE, in order to trigger a denial of service.

computer vulnerability bulletin CVE-2013-7306 CVE-2013-7307 CVE-2013-7308

OSPF: corrupting the routing database

Synthesis of the vulnerability

An attacker can spoof OSPF messages, in order to corrupt the routing database.
Impacted products: CheckPoint IP Appliance, IPSO, CheckPoint Security Gateway, Cisco ASR, ASA, Cisco Catalyst, IOS by Cisco, IOS XE Cisco, Nexus by Cisco, NX-OS, Cisco Router, ProCurve Switch, HP Switch, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, NetScreen Firewall, ScreenOS.
Severity: 3/4.
Consequences: data creation/edition, data deletion.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 9.
Creation date: 28/01/2014.
Identifiers: BID-65140, BID-65157, BID-65161, BID-65162, BID-65163, BID-65166, BID-65167, BID-65169, BID-65170, c03880910, CERTA-2013-AVI-487, cisco-sa-20130801-lsaospf, CSCug34469, CSCug34485, CSCug39762, CSCug39795, CSCug63304, CVE-2013-7306, CVE-2013-7307, CVE-2013-7308, CVE-2013-7309, CVE-2013-7310, CVE-2013-7311, CVE-2013-7312, CVE-2013-7313, CVE-2013-7314, HPSBHF02912, JSA10575, JSA10580, sk94490, VIGILANCE-VUL-14148, VU#229804.

Description of the vulnerability

RFC 2328 defines the OSPF (Open Shortest Path First) protocol, which establishes IP routes using LSA (Link State Advertisement) messages.

The LSA Type 1 Update (LSU, Link-State Update) message is used to update the routing database. However, the RFC does not require checking the "Link State ID" and "Advertising Router" fields of LSU messages. Several implementations do not check for duplicates before editing their databases.

An attacker can therefore spoof OSPF messages, in order to corrupt the routing database.

This vulnerability is similar to VIGILANCE-VUL-13192.

computer vulnerability alert CVE-2010-4669 CVE-2010-4670 CVE-2010-4671

Cisco IOS, ASA, BSD, Juniper, Windows: denial of service via IPv6 ND RA

Synthesis of the vulnerability

An attacker can send IPv6 Neighbor Discovery Router Advertisement packets, in order to create a denial of service in several products.
Impacted products: ASA, IOS by Cisco, Cisco Router, FreeBSD, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, NetBSD.
Severity: 1/4.
Consequences: denial of service on server.
Provenance: LAN.
Number of vulnerabilities in this bulletin: 4.
Creation date: 12/01/2011.
Revision date: 06/04/2011.
Identifiers: BID-45760, BID-49409, CSCti24526, CSCti33534, CVE-2010-4669, CVE-2010-4670, CVE-2010-4671, CVE-2011-2393, VIGILANCE-VUL-10266.

Description of the vulnerability

The IPv6 Neighbor Discovery protocol uses 5 types of packets (RFC 4861):
 - Router Solicitation: query the Ethernet address of a gateway
 - Router Advertisement: answer indicating the gateway
 - etc.

When the system receives several Router Advertisement packets using different IP addresses, a lot of resources are consumed to process them.

An attacker can therefore send IPv6 Neighbor Discovery Router Advertisement packets, in order to create a denial of service in several products.

computer vulnerability announce 8437

BGP: denial of service via AS4_PATH

Synthesis of the vulnerability

An attacker can use the AS4_PATH attribute in order to stop sessions of bgpd daemons.
Impacted products: Juniper E-Series, JUNOSe, OpenBSD, BGP protocol.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 02/02/2009.
Identifiers: BID-33553, CQ 88706, PSN-2008-12-130, VIGILANCE-VUL-8437.

Description of the vulnerability

RFC 4893 extends the BGP protocol to support 4-byte ASNs (Autonomous System Numbers) instead of 2-byte ASNs. The AS4_PATH and AS4_AGGREGATOR attributes can contain 4-byte ASNs.

An AS Confederation (RFC 3065) is a collection of AS identified with only one ASN.

According to RFC 4893, the AS4_PATH attribute must not contain a confederation path. The RFC does not clearly indicate how to handle this error case. Some bgpd daemons close the session.

Moreover, an UPDATE message with a malicious AS4_PATH attribute can go through several routers not supporting AS4_PATH before being received on a router implementing the RFC.

An attacker can therefore send an UPDATE message with a malicious AS4_PATH attribute in order to create a denial of service on remote routers.

vulnerability CVE-2008-2476 CVE-2008-4404 CVE-2009-0418

BSD, Juniper: changes in an IPv6 router

Synthesis of the vulnerability

An attacker on the LAN can send a Neighbor Solicitation packet in order to change information on the router related to a computer on another LAN.
Impacted products: BIG-IP Hardware, TMOS, FreeBSD, HP-UX, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, NetBSD, OpenBSD.
Severity: 2/4.
Consequences: data reading, denial of service on server.
Provenance: LAN.
Number of vulnerabilities in this bulletin: 3.
Creation date: 02/10/2008.
Revision date: 02/10/2008.
Identifiers: BID-31529, c01662367, CERTA-2008-AVI-486, CERTA-2009-AVI-049, CVE-2008-2476, CVE-2008-4404, CVE-2009-0418, FreeBSD-SA-08:10.nd6, HPSBUX02407, NetBSD-SA2008-013, SOL9528, SSRT080107, VIGILANCE-VUL-8140, VU#472363.

Description of the vulnerability

A router has two or more LANs connected to different physical interfaces.

The IPv6 Neighbor Discovery protocol uses 5 types of packets (RFC 4861):
 - Neighbor Solicitation: query the link layer (Ethernet) address of a neighbor from its IP address
 - Neighbor Advertisement: answer
 - etc.

When the router receives a Neighbor Solicitation packet, it caches information about the sender (under FreeBSD, by calling the nd6_cache_lladdr() function of netinet6/nd6.c at the end of the function nd6_ns_input()). However, an attacker can spoof the IP address of a computer on another LAN, in order to force the router to cache this address against the wrong physical interface.

An attacker can therefore create a denial of service, and possibly obtain packets for the spoofed IP address.

computer vulnerability announce CVE-2008-1447

DNS: cache poisoning

Synthesis of the vulnerability

An attacker can predict DNS queries in order to poison the DNS client or cache (caching resolver).
Impacted products: ProxyRA, ProxySG by Blue Coat, IOS by Cisco, Cisco Router, Debian, Dnsmasq, BIG-IP Hardware, TMOS, Fedora, FreeBSD, MPE/iX, Tru64 UNIX, HP-UX, AIX, BIND, Juniper E-Series, Juniper J-Series, JUNOSe, Junos OS, Mandriva Linux, Mandriva NF, Windows 2000, Windows 2003, Windows 2008 R0, Windows (platform) ~ not comprehensive, Windows XP, NetBSD, NetScreen Firewall, ScreenOS, NLD, Netware, OES, OpenBSD, OpenSolaris, openSUSE, Solaris, Trusted Solaris, DNS protocol, RHEL, Slackware, SLES, TurboLinux, Unix (platform) ~ not comprehensive, ESX.
Severity: 3/4.
Consequences: data creation/edition.
Provenance: internet server.
Creation date: 09/07/2008.
Revision dates: 22/07/2008, 24/07/2008, 25/07/2008.
Identifiers: 107064, 239392, 240048, 6702096, 7000912, 953230, BID-30131, c01506861, c01660723, CAU-EX-2008-0002, CAU-EX-2008-0003, CERTA-2002-AVI-189, CERTA-2002-AVI-200, cisco-sa-20080708-dns, CR102424, CR99135, CSCso81854, CVE-2008-1447, draft-ietf-dnsext-forgery-resilience-05, DSA-1544-2, DSA-1603-1, DSA-1604-1, DSA-1605-1, DSA-1617-1, DSA-1619-1, DSA-1619-2, DSA-1623-1, FEDORA-2008-6256, FEDORA-2008-6281, FEDORA-2009-1069, FreeBSD-SA-08:06.bind, HPSBMP02404, HPSBTU02358, HPSBUX02351, MDVSA-2008:139, MS08-037, NetBSD-SA2008-009, powerdns-advisory-2008-01, PSN-2008-06-040, RHSA-2008:0533-01, RHSA-2008:0789-01, SOL8938, SSA:2008-191-02, SSA:2008-205-01, SSRT080058, SSRT090014, SUSE-SA:2008:033, TA08-190B, TLSA-2008-26, VIGILANCE-VUL-7937, VMSA-2008-0014, VMSA-2008-0014.1, VMSA-2008-0014.2, VU#800113.

Description of the vulnerability

The DNS protocol defines a 16-bit identifier to associate an answer with its query. When an attacker predicts this identifier and the UDP port number, he can send fake answers and thus poison the DNS cache.

Most implementations use a fixed port number, which increases the probability of a poisoning success. As there is only one chance of success during the TTL period, and as the poisoning does not work for each trial, this direct and old attack is not practical.

However, instead of poisoning the answer record, the attacker can poison additional records. Indeed, when the DNS client asks the address of www.example.com, the DNS server returns:
  www.example.com A 1.2.3.4 (answer)
  example.com NS dns.example.com (authoritative)
  dns.example.com A 1.2.3.5 (additional)

An attacker can therefore force the client to request the resolution of several names (via a web page containing images for example): aaa.example.com, aab.example.com, ..., aaz.example.com. In his answers, the attacker then always provides the same additional malicious answer (www.example.com A 5.6.7.8). Even if, for example, only aab.example.com is poisoned, its additional record (www.example.com = 5.6.7.8) will be stored in the cache.

An attacker can therefore poison the DNS cache/client and redirect all users to a malicious site.

computer vulnerability alert CVE-2006-2072 CVE-2006-2073 CVE-2006-2074

DNS: vulnerabilities of some implementations

Synthesis of the vulnerability

Several implementations of DNS protocol are affected by the same vulnerabilities.
Impacted products: Arkoon FAST360, Juniper E-Series, JUNOSe, DNS protocol, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 5.
Creation date: 25/04/2006.
Identifiers: 144154, 144154/NISCC/DNS, 31AK-2006-02-FR-1.0_FAST_DNS_DOS, BID-17691, BID-17692, BID-17693, BID-17694, CQ 72492, CVE-2006-2072, CVE-2006-2073, CVE-2006-2074, CVE-2006-2075, CVE-2006-7054, PSN-2006-04-017, VIGILANCE-VUL-5796, VU#955777.

Description of the vulnerability

The DNS protocol is used to associate an IP address with a name, or to obtain the MTA mail servers of a domain.

The OUSPG group of Oulu University (Finland) published a test suite named PROTOS DNS. This test suite contains several thousand malformed DNS packets.

When some products receive these packets, errors occur (buffer overflow or denial of service).

Depending on products, these vulnerabilities lead to code execution or to a denial of service.