Vulnerabilities > CVE-2014-6380 - Denial of Service vulnerability in Juniper Junos

CVSS 7.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
low complexity
juniper
nessus

Summary

Juniper Junos 11.4 before R11, 12.1 before R9, 12.1X44 before D30, 12.1X45 before D20, 12.1X46 before D15, 12.1X47 before D10, 12.2 before R8, 12.2X50 before D70, 12.3 before R6, 13.1 before R4, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R4, 13.2X50 before D20, 13.2X51 before D15, 13.2X52 before D15, 13.3 before R1, when using an em interface to connect to a certain internal network, allows remote attackers to cause a denial of service (em driver block and FPC reset or "go offline") via a series of crafted (1) CLNP fragmented packets, when clns-routing or ESIS is configured, or (2) IPv4 or (3) IPv6 fragmented packets.

Nessus

NASL family: Junos Local Security Checks
NASL id: JUNIPER_JSA10655.NASL
description: According to its self-reported version number, the remote Juniper Junos device is affected by a denial of service vulnerability. A remote attacker can exploit this issue by sending a set of specially crafted fragmented packets to cause the 'em' driver to become permanently blocked when trying to formulate a reply.
last seen: 2019-10-28
modified: 2014-10-14
plugin id: 78426
published: 2014-10-14
reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/78426
title: Juniper Junos 'em' Interface Fragmentation Remote DoS (JSA10655)
code
#TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when the scanner loads the plugin with `description`
# set, only metadata is declared and the script exits before any check runs.
if (description)
{
  # --- Plugin identity and revision ---
  script_id(78426);
  script_version("1.9");
  script_set_attribute(
    attribute:"plugin_modification_date",
    value:"2018/07/12"
  );

  # --- External references: CVE, Bugtraq ID and the Juniper advisory ---
  script_cve_id("CVE-2014-6380");
  script_bugtraq_id(70369);
  script_xref(name:"JSA", value:"JSA10655");

  # --- Title and one-line summary ---
  script_name(english:"Juniper Junos 'em' Interface Fragmentation Remote DoS (JSA10655)");
  script_summary(english:"Checks the Junos version, model, and configuration.");

  # --- Report text ---
  # The finding is based on the version the device reports about itself;
  # the description string says so explicitly.
  script_set_attribute(
    attribute:"synopsis",
    value:"The remote device is missing a vendor-supplied security patch."
  );
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the remote Juniper
Junos device is affected by a denial of service vulnerability. A
remote attacker can exploit this issue by sending a set of specially
crafted fragmented packets to cause the 'em' driver to become
permanently blocked when trying to formulate a reply.");
  script_set_attribute(
    attribute:"see_also",
    value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10655"
  );
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release or workaround referenced in
Juniper advisory JSA10655.");

  # --- Risk scoring ---
  # CVSS v2 base: network vector, low complexity, no authentication,
  # availability impact complete, no confidentiality or integrity impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  # CVSS v2 temporal: exploitability unproven, official fix, report confirmed.
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(
    attribute:"exploitability_ease",
    value:"No known exploits are available"
  );

  # --- Timeline, listed chronologically ---
  script_set_attribute(attribute:"patch_publication_date", value:"2014/01/22");
  script_set_attribute(attribute:"vuln_publication_date", value:"2014/10/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/10/14");

  # --- Classification; attribute declarations are closed afterwards ---
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_end_attributes();

  # Information-gathering category: the check reads collected data and
  # does not send the fragmented traffic the advisory describes.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  # --- Prerequisites: model and version must already be in the KB ---
  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/model", "Host/Juniper/JUNOS/Version");

  exit(0);
}

include("audit.inc");
include("junos_kb_cmd_func.inc");
include("misc_func.inc");

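# Detection logic for CVE-2014-6380 / JSA10655.
#
# Flow: read the self-reported Junos version and model from the KB, restrict
# to the listed hardware families, compare the version with the per-branch
# fixed release, then (when command output is available) narrow the result
# using the device configuration and interface state.

ver   = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
model = get_kb_item_or_exit('Host/Juniper/model');

# Only these hardware families are considered; any other model exits here.
check_model(
  model:model,
  flags:EX_SERIES | M_SERIES | MX_SERIES | PTX_SERIES | QFX_SERIES | SRX_SERIES | T_SERIES,
  exit_on_fail:TRUE
);

# Within the SRX family only the SRX5400/5600/5800 chassis are checked.
if (model =~ '^SRX[0-9]+' && model !~ '^SRX5[468]00($|[^0-9])')
  audit(AUDIT_HOST_NOT, "SRX5400/5600/5800");

# Fixed release per branch. Keys are the release branch, values the first
# fixed build on that branch. The 12.3 entry was previously keyed '12.3R6',
# unlike every other entry, so the 12.3 branch had no usable fix mapping.
fixes = make_array();
fixes['11.4']    = '11.4R11';
fixes['12.1']    = '12.1R9';
fixes['12.1X44'] = '12.1X44-D30';
fixes['12.1X45'] = '12.1X45-D20';
fixes['12.1X46'] = '12.1X46-D15';
fixes['12.1X47'] = '12.1X47-D10';
fixes['12.2']    = '12.2R8';
fixes['12.2X50'] = '12.2X50-D70';
fixes['12.3']    = '12.3R6';
fixes['13.1']    = '13.1R4';
fixes['13.1X49'] = '13.1X49-D55';
fixes['13.1X50'] = '13.1X50-D30';
fixes['13.2']    = '13.2R4';
fixes['13.2X50'] = '13.2X50-D20';
fixes['13.2X51'] = '13.2X51-D15';
fixes['13.2X52'] = '13.2X52-D15';
fixes['13.3']    = '13.3R1';

fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);

# `override` stays TRUE unless BOTH the configuration and the interface
# state were actually inspected; it is handed to junos_report() so that a
# version-only result can be distinguished from a verified one (presumably
# reported with a caveat -- confirm against junos_report's implementation).
override = TRUE;

# Tracks the CLNS/ESIS finding separately. Reusing `override` for this left
# it FALSE when "show interfaces" output was unavailable, which reported the
# host as verified although the 'em' interface check never ran.
clns_or_esis = FALSE;

# Check for CLNS routing and ESIS
buf = junos_command_kb_item(cmd:"show configuration | display set");
if (buf)
{
  # NOTE(review): both patterns only match statements under
  # "routing-instances"; whether ESIS / clns-routing configured outside a
  # routing instance should also count is not visible here -- confirm
  # against JSA10655.
  patterns = make_list(
    "^set routing-instances \S+ protocols esis",
    "^set routing-instances \S+ protocols isis clns-routing"
  );
  foreach pattern (patterns)
    if (junos_check_config(buf:buf, pattern:pattern)) clns_or_esis = TRUE;

  # NOTE(review): the CVE summary ties the CLNS/ESIS precondition to CLNP
  # fragments only and lists IPv4 and IPv6 fragments as separate triggers.
  # Auditing the host out here may therefore under-report devices without
  # CLNS/ESIS -- confirm the intended scope against JSA10655 before relying
  # on a "not affected" result.
  if (!clns_or_esis) audit(AUDIT_HOST_NOT,
    'affected because neither CLNS routing or ESIS are enabled');

  # 'em' interfaces are the only affected interfaces
  buf = junos_command_kb_item(cmd:"show interfaces");
  if (buf)
  {
    # Requires at least one em<N> physical interface that is enabled with
    # its link up.
    pattern = "^Physical interface:\s+em[0-9]+, Enabled, Physical link is Up";
    if (!preg(string:buf, pattern:pattern, icase:TRUE, multiline:TRUE))
      audit(AUDIT_HOST_NOT, 'affected because no em interfaces were detected');

    # Configuration and interface state have both been verified.
    override = FALSE;
  }
}

junos_report(ver:ver, fix:fix, model:model, override:override, severity:SECURITY_HOLE);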