Vulnerabilities > CVE-2013-4687 - Denial of Service vulnerability in Juniper Networks Junos SRX Series Services Gateway

047910
CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
low complexity
juniper
nessus

Summary

flowd in Juniper Junos 10.4 before 10.4S14, 11.2 and 11.4 before 11.4R6-S2, and 12.1 before 12.1R6 on SRX devices, when certain Application Layer Gateways (ALGs) are enabled, allows remote attackers to cause a denial of service (daemon crash) via crafted TCP packets, aka PRs 727980, 806269, and 835593.

Nessus

NASL familyJunos Local Security Checks
NASL idJUNIPER_JSA10577.NASL
descriptionAccording to its self-reported version number, the remote Junos device has a denial of service vulnerability. SRX Series devices with TCP-based Application Layer Gateways (ALGs) can crash when receiving specially crafted TCP packets. A remote, unauthenticated attacker could exploit this to crash the device.
last seen2020-06-01
modified2020-06-02
plugin id68910
published2013-07-16
reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/68910
titleJuniper Junos SRX Series TCP ALG DoS (JSA10577)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(68910);
  script_version("1.6");
  script_cvs_date("Date: 2018/07/12 19:01:15");

  script_cve_id("CVE-2013-4687");
  script_bugtraq_id(61122);

  script_name(english:"Juniper Junos SRX Series TCP ALG DoS (JSA10577)");
  script_summary(english:"Checks version, model, and build date");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote device is missing a vendor-supplied security patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"According to its self-reported version number, the remote Junos device
has a denial of service vulnerability.  SRX Series devices with
TCP-based Application Layer Gateways (ALGs) can crash when receiving
specially crafted TCP packets.  A remote, unauthenticated attacker could
exploit this to crash the device."
  );
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10577");
  script_set_attribute(
    attribute:"solution",
    value:
"Apply the relevant Junos upgrade referenced in Juniper advisory
JSA10577."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/07/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/16");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/model", "Host/Juniper/JUNOS/Version", "Host/Juniper/JUNOS/BuildDate");

  exit(0);
}

include("audit.inc");
include("junos.inc");
include("misc_func.inc");

model = get_kb_item_or_exit('Host/Juniper/model');
ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
build_date = get_kb_item_or_exit('Host/Juniper/JUNOS/BuildDate');

check_model(model:model, flags:SRX_SERIES, exit_on_fail:TRUE);

if (compare_build_dates(build_date, '2013-06-13') >= 0)
  audit(AUDIT_INST_VER_NOT_VULN, 'Junos', ver + ' (build date ' + build_date + ')');
if (ver == '11.4R6-S2')
  audit(AUDIT_INST_VER_NOT_VULN, 'Junos', ver);

fixes['10.4'] = '10.4S14';
fixes['11.4'] = '11.4R7';
fixes['12.1'] = '12.1R6';
fix = check_junos(ver:ver, fixes:fixes);

# 11.2 is listed as affected, but there is no fix listed for it, probably because it's EOL
# versions are numbered based on year, there isn't going to be an 11.20 or anything like that
if (ver =~ "^11\.2")
  fix = 'n/a (11.2 is EOL)';

if (isnull(fix))
  audit(AUDIT_INST_VER_NOT_VULN, 'Junos', ver);

if (report_verbosity > 0)
{
  report = get_report(ver:ver, fix:fix, model:model);
  security_hole(port:0, extra:report);
}
else security_hole(0);