Vulnerability Note VU#409555

Juniper JunOS Routing Engine MPLS denial of service

Original Release date: 26 Jan 2005 | Last revised: 01 May 2006

Overview

Juniper routers will become severely disrupted when attacked with specially-crafted MPLS packets.

Description

Juniper routers running JUNOS have a vulnerability in which specially-crafted MPLS packets can cause normal operation of affected routers to be severely disrupted.

According to Juniper's security bulletin PSN-2005-02-004:

    When an M-series or T-series Juniper routing platform receives
    certain MPLS packets, the packets are immediately delivered to the
    Routing Engine (RE) for further processing.  This occurs even if
    packets are received on an interface which is not enabled for MPLS
    processing, or if the router is not configured to process MPLS
    packets at all.  Furthermore, these MPLS packets are delivered without
    any further processing by the hardware, thus bypassing all
    attempts at limiting the number of, or otherwise filtering, the
    packets.  A large stream of these MPLS packets can overload
    internal communication paths and interfere with the timely
    processing of other packets.

It is important to note that an attacker does not need to be directly connected to a router in order to exploit this vulnerability. According to PSN-2005-02-004:

    This vulnerability can be exploited by an attacker directly
    attached to a Juniper Networks M-series or T-series routing
    platform, even if the interface to which the attacker is attached
    is not enabled for MPLS.  An attacker not directly attached to the
    routing platform can exploit this vulnerability on transit Label
    Switch Routers within an Internet Service Provider's MPLS-enabled
    core network.

Please see the Juniper Vendor statement document for additional configuration changes that may provide partial mitigation of one potential attack vector.
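Because the bulletin states that the packets reach the Routing Engine before any hardware filtering or rate limiting, on-box filters cannot be relied on; what an operator can do while patches are rolled out is watch for MPLS-tagged frames arriving on interfaces that are not supposed to carry MPLS. The following is an added example, not code from the CERT note or from Juniper, of a small out-of-band detector over mirrored traffic. It assumes frames are handed in as (interface name, raw Ethernet frame) pairs; the interface names, the MPLS-enabled set and the sample frames are all constructed for illustration. The label-stack layout (20-bit label, 3-bit EXP, 1-bit bottom-of-stack, 8-bit TTL) follows RFC 3032, and one 802.1Q tag is stepped over so VLAN-tagged MPLS is not missed.

```python
"""Count MPLS frames seen on interfaces that are not MPLS-enabled.

Added example, not from VU#409555 or Juniper.  Frames are assumed to
arrive as (interface_name, raw_ethernet_frame) pairs, e.g. from a
mirror port feeding a collector.  All sample data below is constructed.
"""
import struct
from collections import Counter

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_MPLS_UNICAST = 0x8847
ETHERTYPE_MPLS_MULTICAST = 0x8848
MPLS_ETHERTYPES = (ETHERTYPE_MPLS_UNICAST, ETHERTYPE_MPLS_MULTICAST)


def parse_mpls_frame(frame):
    """Return the MPLS label stack of an Ethernet II frame, or None.

    Steps over a single 802.1Q tag if present.  Each label stack entry
    is 32 bits: label (20), EXP (3), S (1), TTL (8), per RFC 3032.
    Returns a list of (label, exp, bottom_of_stack, ttl) tuples, or None
    if the frame is not MPLS or the stack ends before a bottom-of-stack
    bit is seen (truncated / malformed stack).
    """
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype not in MPLS_ETHERTYPES:
        return None
    stack = []
    while offset + 4 <= len(frame):
        entry = struct.unpack("!I", frame[offset:offset + 4])[0]
        stack.append((entry >> 12, (entry >> 9) & 0x7,
                      bool(entry & 0x100), entry & 0xFF))
        offset += 4
        if entry & 0x100:          # bottom-of-stack bit set: stack complete
            return stack
    return None


def audit_frames(frames, mpls_enabled_ifaces, threshold):
    """Return {interface: count} of MPLS frames on non-MPLS interfaces.

    Only interfaces whose count reaches `threshold` are reported, so a
    stray frame does not page anyone but a stream does.
    """
    counts = Counter()
    for iface, raw in frames:
        if iface in mpls_enabled_ifaces:
            continue
        if parse_mpls_frame(raw) is not None:
            counts[iface] += 1
    return {iface: n for iface, n in counts.items() if n >= threshold}


# --- constructed sample input (not real captures) ---
def _frame(ethertype, payload, vlan=None):
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    return hdr + struct.pack("!H", ethertype) + payload


def _label_stack(entries):
    """entries: list of (label, exp, bottom_of_stack, ttl)."""
    return b"".join(
        struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)
        for label, exp, bottom, ttl in entries)


_PAD = b"\x00" * 20
SAMPLE_FRAMES = [
    ("ge-0/0/0", _frame(ETHERTYPE_MPLS_UNICAST, _label_stack([(16, 0, True, 64)]) + _PAD)),
    ("ge-0/0/0", _frame(ETHERTYPE_MPLS_UNICAST,
                        _label_stack([(100, 0, False, 255), (16, 0, True, 64)]) + _PAD, vlan=10)),
    ("ge-0/0/0", _frame(ETHERTYPE_MPLS_UNICAST, _label_stack([(16, 0, True, 64)]) + _PAD)),
    ("ge-0/0/1", _frame(0x0800, b"\x45" + b"\x00" * 19)),                     # plain IPv4
    ("xe-1/0/0", _frame(ETHERTYPE_MPLS_UNICAST, _label_stack([(16, 0, True, 64)]) + _PAD)),
    ("ge-0/0/1", _frame(ETHERTYPE_MPLS_UNICAST, _label_stack([(16, 0, False, 64)]))),  # truncated stack
]
MPLS_ENABLED = {"xe-1/0/0"}   # constructed: the only interface expected to carry MPLS

if __name__ == "__main__":
    for iface, n in audit_frames(SAMPLE_FRAMES, MPLS_ENABLED, threshold=2).items():
        print(f"{iface}: {n} MPLS frames on a non-MPLS interface")
```

This is telemetry, not a mitigation: as the note says, the affected routers cannot filter these packets themselves, so the detector only tells you where the stream is entering; the fix remains the vendor software update.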

Impact

A remote, unauthenticated attacker may cause severe operational disruption to affected Juniper routers. Affected routers will suffer an effective denial of routing service when this vulnerability is exploited.

Solution

Please see the vendor statement with relevant patches. Users registered at Juniper's support site should visit https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2005-02-004&actionBtn=Search

This vulnerability is present in all JUNOS software releases built prior to January 6, 2005.

According to Juniper, it is not possible to use network filters to protect vulnerable routers. Vulnerable routers must be updated in order to completely mitigate this vulnerability.

Systems Affected

Vendor: Juniper Networks, Inc.
Status: Affected
Date Notified: 26 Jan 2005
Date Updated: 01 May 2006

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

Juniper has thanked Qwest Communication Software Certification team for bringing this issue to their attention.

This document was written by Jeffrey S. Havrilla.

Other Information

  • CVE IDs: CVE-2004-0467
  • Date Public: 26 Jan 2005
  • Date First Published: 26 Jan 2005
  • Date Last Updated: 01 May 2006
  • Severity Metric: 7.09
  • Document Revision: 10
