search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Juniper JunOS Routing Engine MPLS denial of service

Vulnerability Note VU#409555

Original Release Date: 2005-01-26 | Last Revised: 2006-05-01

Overview

Juniper routers will become severely disrupted when attacked with specially-crafted MPLS packets.

Description

Juniper routers running JUNOS have a vulnerability in which specially-crafted MPLS packets can cause normal operation of affected routers to be severely disrupted.

According to Juniper's security bulletin PSN-2005-02-004:

    When an M-series or T-series Juniper routing platform receives
    certain MPLS packets, the packets are immediately delivered to the
    Routing Engine (RE) for further processing.  This occurs even if
    packets are received on an interface which is not enabled for MPLS
    processing, or if the router is not configured to process MPLS
    packets at all.  Furthermore, these MPLS packets are delivered without
    any further processing by the hardware, thus bypassing all
    attempts at limiting the number of, or otherwise filtering, the
    packets.  A large stream of these MPLS packets can overload
    internal communication paths and interfere with the timely
    processing of other packets.


It is important to note an attacker does not need to directly connected to a router in order to exploit this vulnerability. According to PSN-2005-02-004:

    This vulnerability can be exploited by an attacker directly
    attached to a Juniper Networks M-series or T-series routing
    platform, even if the interface to which the attacker is attached
    is not enabled for MPLS.  An attacker not directly attached to the
    routing platform can exploit this vulnerability on transit Label
    Switch Routers within an Internet Service Provider's MPLS-enabled
    core network.  

Please see the Juniper Vendor statement document for additional configuration changes that may provide partial mitigation of one potential attack vector.

Impact

A remote, unauthenticated attacker may cause severe operational disruption to affected Juniper routers. Affected routers will suffer an effective denial of routing service when this vulnerability is exploited.

Solution

Please see the vendor statement with relevant patches. Users registered at Juniper's support site should visit https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2005-02-004&actionBtn=Search
This vulnerability is present in all JUNOS software releases built prior to January 6, 2005.

According to Juniper, it is not possible to use network filters to protect vulnerable routers. Vulnerable routers must be updated in order to completely mitigate this vulnerability.

Vendor Information

409555
 
Affected   Unknown   Unaffected

Juniper Networks, Inc.

Notified:  January 26, 2005 Updated:  May 01, 2006

Status

  Vulnerable

Vendor Statement

Bulletin Number: PSN-2005-02-004

Title: Denial of Service Vulnerability for certain MPLS Packets

Products Affected: All M-series and T-series routing platforms

Platforms Affected: JUNOS 3.x, JUNOS 4.x, JUNOS 5.x, JUNOS 6.x,
                    JUNOS 7.x, Security

Issue:
    (NOTE: This document updates and supersedes PSN-2005-01-010)

    When an M-series or T-series Juniper routing platform receives
    certain MPLS packets, the packets are immediately delivered to the
    Routing Engine (RE) for further processing.  This occurs even if
    packets are received on an interface which is not enabled for MPLS
    processing, or if the router is not configured to process MPLS
    packets at all.  Furthermore, these MPLS packets are delivered without
    any further processing by the hardware, thus bypassing all
    attempts at limiting the number of, or otherwise filtering, the
    packets.  A large stream of these MPLS packets can overload
    internal communication paths and interfere with the timely
    processing of other packets.

    As a result, packets associated with routing protocols, link-layer
    management, and network traffic terminating on the router can be
    interrupted.  Routing protocol adjacencies may be lost, telnet and
    ssh sessions may stall or time out, or interfaces may appear to
    "flap" for no apparent reason.  The packet stream therefore
    creates a Denial of Service attack against the routing platform.

    Symptoms of an attack in progress might include CPU utilization on
    the RE being somewhat higher than usual, however the utilization
    will not typically reach levels high enough to trigger alarms.  
    Traffic rates on the internal fxp1 interface that connects the RE
    to the Packet Forwarding Engine (PFE) will approach its maximum
    capacity.  

    This vulnerability can be exploited by an attacker directly
    attached to a Juniper Networks M-series or T-series routing
    platform, even if the interface to which the attacker is attached
    is not enabled for MPLS.  An attacker not directly attached to the
    routing platform can exploit this vulnerability on transit Label
    Switch Routers within an Internet Service Provider's MPLS-enabled
    core network.  

    This vulnerability is specific to Juniper Networks M-series and T-
    series routers running JUNOS software releases built prior to
    January 6, 2005.  J-series routers and routers that do not run
    JUNOS software are not susceptible to this vulnerability.  Juniper
    Networks is not aware of any actual or attempted exploit of this
    vulnerability.

    Juniper Networks would like to thank Qwest Communications and
    their Software Certification team for identifying this issue as a
    security vulnerability within Juniper Networks products.


Solution:
    The JUNOS software has been modified to limit the volume of MPLS
    traffic forwarded to the Routing Engine, thereby preventing these
    packets from consuming all bandwidth on the internal communication
    path.  Additional software changes were made to completely ignore
    MPLS packets arriving on non-MPLS-enabled interfaces.

    All versions of JUNOS software built on or after January 20, 2005
    contain the modified code.  Software built between January 6 and
    January 20 may contain the modified code, depending on the
    specific JUNOS release.

Solution Implementation:
    All customers are strongly encouraged to upgrade their software to
    a release that contains the modified code.  Pointers to software
    releases with the corrected code can be found in the Related Links
    section below.  Customers can also contact Juniper Network's
    Technical Assistance Center for download assistance.

    As a partial work-around, either of the no-decrement-ttl or the
    no-propagate-ttl configuration options can be used to reduce the
    exposure to this vulnerability from remote attackers.  These
    configuration options prevent the attacker from affecting transit
    Label Switch Routers (LSR) in the Service Provider's core network.  
    However, the configuration options do not protect against directly-
    attached attackers, nor do they protect the egress LSRs in an
    RFC2547bis Layer-3 Virtual Private Network environment.

    Important Note!
    Use of these configuration knobs on M-series routers can introduce
    anomalous MPLS TTL behavior when the router is running JUNOS
    release 6.4 or 7.0.  IPv4 packets that transit an MPLS core network
    can leave an LSP with a TTL value greater than when the packet
    entered the LSP.  This anomolous TTL behavior is a regression
    created by an unrelated change in the code, and is tracked within
    Juniper as PR/56025.

Risk Level: High

Risk Assessment:
    Both directly-attached and remote attackers can severely disrupt
    normal operation of the routing platform.  Exposure to remote
    attackers can be reduced (but not eliminated) by certain router
    configuration options;  however, attacks from directly-attached
    devices cannot be averted by simple configuration options.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Related Links (available to registered Juniper customers only):


Juniper Security Bulletin PSN-2005-02-004

Title: Security Vulnerability in JUNOS Software (CERT/CC VU#409555)

https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2005-02-004&actionBtn=Search

Software Upgrade Roadmap

https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2005-01-009&actionBtn=Search


We are tracking this issue as VU#409555. We have been notified by Juniper that they are tracking this issue internally under PR/8245. Please contact the Juniper Technical Assistance Center (JTAC) for more information:


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Juniper has thanked Qwest Communication Software Certification team for bringing this issue to their attention.

This document was written by Jeffrey S. Havrilla.

Other Information

CVE IDs: CVE-2004-0467
Severity Metric: 7.09
Date Public: 2005-01-26
Date First Published: 2005-01-26
Date Last Updated: 2006-05-01 20:04 UTC
Document Revision: 10

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.