CERT Coordination Center


Juniper JUNOS IPv6 denial-of-service vulnerability

Vulnerability Note VU#294036

Original Release Date: 2006-07-11 | Last Revised: 2006-07-17

Overview

Juniper JUNOS Internet Software contains a vulnerability in IPv6 handling that could allow a remote attacker to cause a denial of service.

Description

Juniper router operating system software (JUNOS) does not properly free memory allocated for certain IPv6 packets. If a fixed amount of memory is exhausted, the system will crash. An attacker could exploit this vulnerability using specially crafted IPv6 packets.

Juniper T, M, and J-series routers running versions of JUNOS 6.4 - 8.0 built prior to May 10, 2006 are affected. Juniper's bug ID for this vulnerability is PR/67593.

Impact

A remote attacker could cause a denial of service on an affected device. Systems or networks that rely on a vulnerable router for connectivity would also be affected as a result.

Solution

Upgrade

Juniper has released updated versions of JUNOS. Please visit the Juniper support site (JTAC Security Bulletin PSN-2006-06-017, login required) for more information. There is also a public version of JTAC Security Bulletin PSN-2006-06-017.


Workarounds

Disable IPv6

Sites that are unable to update or do not require IPv6 should consider removing all IPv6 configuration parameters from the router.
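The following check is an added example, not part of the original note or of Juniper's tooling. It compares a router's JUNOS release and build date against the affected range stated above and reports whether any IPv6 configuration statements remain. The function names, the keyword list, the result labels and the sample configuration are assumptions made for illustration; how the build date is obtained from the device is left to the operator.

```python
import re
from datetime import date

# Affected range and fix date as stated in the advisory.
FIRST_AFFECTED, LAST_AFFECTED = (6, 4), (8, 0)
FIXED_BUILD_DATE = date(2006, 5, 10)

# Assumption: a non-exhaustive set of JUNOS keywords that indicate IPv6 is configured.
IPV6_KEYWORDS = re.compile(
    r"\b(family\s+inet6|inet6\.\d+|ospf3|ripng|router-advertisement)\b")

def release_of(version):
    """Return (major, minor) from a JUNOS version string such as '7.4R2.6'."""
    m = re.match(r"(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised JUNOS version: {version!r}")
    return int(m.group(1)), int(m.group(2))

def build_is_affected(version, build_date):
    """True when the release is in 6.4 - 8.0 and was built before the fix date."""
    in_range = FIRST_AFFECTED <= release_of(version) <= LAST_AFFECTED
    return in_range and build_date < FIXED_BUILD_DATE

def ipv6_config_lines(config_text):
    """Return (line_number, line) for each non-comment line that configures IPv6."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and IPV6_KEYWORDS.search(stripped):
            hits.append((number, stripped))
    return hits

def triage(version, build_date, config_text):
    """Classify a router as 'not-listed', 'workaround-in-place' or 'exposed'."""
    if not build_is_affected(version, build_date):
        return "not-listed"  # outside the range this advisory describes
    return "exposed" if ipv6_config_lines(config_text) else "workaround-in-place"

# Constructed sample configuration (set-style lines), not from a real device.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8::1/64
set protocols ospf3 area 0.0.0.0 interface ge-0/0/0.0
"""

if __name__ == "__main__":
    print(triage("7.4R2.6", date(2006, 3, 1), SAMPLE_CONFIG))
```

A result of "workaround-in-place" only means none of the listed keywords were found; review the full configuration before relying on it.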

Vendor Information

Juniper Networks, Inc.

Updated: July 11, 2006

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see JTAC Security Bulletin PSN-2006-06-017 (login required) for more information. There is also a public version of JTAC Security Bulletin PSN-2006-06-017.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A

Credit

Thanks to Juniper for reporting this vulnerability.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2006-3529
Severity Metric: 11.23
Date Public: 2006-07-10
Date First Published: 2006-07-11
Date Last Updated: 2006-07-17 13:48 UTC
Document Revision: 30

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.