Vulnerabilities > CVE-2019-0055 - Unspecified vulnerability in Juniper Junos

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
juniper
nessus

Summary

A vulnerability in the SIP ALG packet processing service of Juniper Networks Junos OS allows an attacker to cause a Denial of Service (DoS) to the device by sending specific types of valid SIP traffic to the device. In this case, the flowd process crashes and generates a core dump while processing SIP ALG traffic. Continued receipt of these valid SIP packets will result in a sustained Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS: 12.3X48 versions prior to 12.3X48-D61, 12.3X48-D65 on SRX Series; 15.1X49 versions prior to 15.1X49-D130 on SRX Series; 17.3 versions prior to 17.3R3 on SRX Series; 17.4 versions prior to 17.4R2 on SRX Series.

Nessus

  • NASL familyJunos Local Security Checks
    NASL idJUNIPER_JSA10970.NASL
    descriptionThe version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the JSA10970 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id133303
    published2020-01-29
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133303
    titleJuniper JSA10970
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(133303);
      script_version("1.1");
      script_cvs_date("Date: 2020/01/29");
    
      script_cve_id(
        "CVE-2019-0047",
        "CVE-2019-0050",
        "CVE-2019-0054",
        "CVE-2019-0055",
        "CVE-2019-0057",
        "CVE-2019-0058",
        "CVE-2019-0059",
        "CVE-2019-0060",
        "CVE-2019-0062",
        "CVE-2019-0063",
        "CVE-2019-0064",
        "CVE-2019-0066",
        "CVE-2019-0067",
        "CVE-2019-0068",
        "CVE-2019-0073",
        "CVE-2019-0075"
      );
      script_xref(name:"IAVA", value:"2019-A-0388");
    
      script_name(english:"Juniper JSA10970");
      script_summary(english:"Checks the Junos version and build date.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch.");
      script_set_attribute(attribute:"description", value:
    "The version of tested product installed on the remote host is prior to
    tested version. It is, therefore, affected by a vulnerability as
    referenced in the JSA10970 advisory. Note that Nessus has not tested
    for this issue but has instead relied only on the application's self-
    reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/KB16613");
      script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/KB16765");
      script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/KB16446");
      script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/JSA10970");
      script_set_attribute(attribute:"solution", value:
    "Apply the relevant Junos software release referenced in Juniper
    advisory JSA10970");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0047");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/29");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Junos Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("junos_version.nasl");
      script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model");
    
      exit(0);
    }
    
    include('audit.inc');
    include('junos.inc');
    include('misc_func.inc');
    
    ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
    model = get_kb_item_or_exit('Host/Juniper/model');
    fixes = make_array();
    
    fixes['12.1X46'] = '12.1X46-D86';
    fixes['12.3'] = '12.3R12-S13';
    fixes['12.3X48'] = '12.3X48-D80';
    fixes['14.1X53'] = '14.1X53-D51';
    
    if (ver =~ "^15\.1F")
    fixes['15.1F'] = '15.1F6-S13';
    else
      fixes['15.1'] = '15.1R7-S4';
    
    fixes['15.1X49'] = '15.1X49-D171';
    fixes['15.1X53'] = '15.1X53-D69';
    fixes['16.1'] = '16.1R7-S5';
    fixes['16.2'] = '16.2R2-S9';
    fixes['17.1'] = '17.1R3';
    
    if (ver =~ "^17\.2R1")
      fixes['17.2'] = '17.2R1-S8';
    else if (ver =~ "^17\.2R2")
      fixes['17.2'] = '17.2R2-S7';
    else if (ver =~ "^17\.2R3")
      fixes['17.2'] = '17.2R3-S1';
    
    fixes['17.3'] = '17.3R3-S6';
    
    if (ver =~ "^17\.4R1")
      fixes['17.4'] = '17.4R1-S7';
    else if (ver =~ "^17\.4R2")
      fixes['17.4'] = '17.4R2-S4';
    else
      fixes['17.4'] = '17.4R3';
    
    fixes['18.1'] = '18.1R3-S5';
    
    if (ver =~ "^18\.2R1")
      fixes['18.2'] = '18.2R1-S5';
    else if (ver =~ "^18\.2R2")
      fixes['18.2'] = '18.2R2-S3';
    else
      fixes['18.2'] = '18.2R3';
    
    if (ver =~ "^18\.3R1")
      fixes['18.3'] = '18.3R1-S3';
    else if (ver =~ "^18\.3R2")
      fixes['18.3'] = '18.3R2';
    else if (ver =~ "^18\.3R3")
      fixes['18.3'] = '18.3R3';
    
    if (ver =~ "^18\.4R1")
      fixes['18.4'] = '18.4R1-S2';
    else
      fixes['18.4'] = '18.4R2';
    
    fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);
    report = get_report(ver:ver, fix:fix);
    security_report_v4(severity:SECURITY_WARNING, port:0, extra:report);
    
  • NASL familyJunos Local Security Checks
    NASL idJUNIPER_JSA10953.NASL
    descriptionAccording to its self-reported version number, the remote Juniper Junos device is affected by a vulnerability in the SIP ALG packet processing service which allows an attacker to cause a Denial of Service (DoS) to the device. A remote, unauthenticated attacker can exploit this by sending specific types of valid SIP traffic to the device to cause the flowd process to crash and generate a core dump while processing SIP ALG traffic. Continued receipt of these SIP packets will cause the device to stop responding. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-03-18
    modified2019-11-05
    plugin id130505
    published2019-11-05
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130505
    titleJunos OS: SIP ALG flowd DoS (JSA10953)
    code
    #TRUSTED 988815214881526c560bfa2eb36ace332a18fdaed458cb4402a186a31bfcb46b5677538d5064d8cce91e20a7a808431490b09cefb6b0c3815bdfdf75d94aec02f5d238a950694f2764e37753608bff89ced4490c0782096d9cefda56da44fc19b04dc6e5fc01605ceec3a34579389496ad0199fb2f5a5a6501b544fb77b95dcba8b36371d80ed8dc63c57425e5eefaa02476beb8e073df56dc6a5a5d2997a74da0b662c9534f51754dff133c65538b9f9d93169cd80c9599a5a2fd938add7ce1454162d8f55910769f5566a8f7b09c64999511427adb88b47166083a88d190c0bbeedf4cfe31e28bdea28bb5600f853dc024f8efd17e4eab246be2405997803d540dc7ee50af1864883dad3cae5aa0e7c119ea5a6250c35ece0d5557369e3b4cb0a71489a6e08481f40bccafffbf4efe1ac24f31734d02000c8cc0862e1e8c0efecb1488570b00c2a4eefd5037a340b8153f2d190324e37de3a4ced240529e391a1137ec3cfb27334203776401150b8f8ddfd05d46953ba48ccb816371292c8c67c0830fda1f1cefa1f4245347d70bbf03bfc34d5eadf3f432bce423f4cd517a94a7f358f2392dd806e0e0213c016936707c9275b16a3e03bbbf8758cc57a4880d4a17ba515fae0051e151aee88d67e13c2dd7e80ffc7a109fd23b23f093fce3d1f1548d051e975b24a3ce06288dc2d8fa0b052ec64380d0bcc846c2fad6a2bd
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(130505);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2019/11/05");
    
      script_cve_id("CVE-2019-0055");
      script_xref(name:"JSA", value:"JSA10953");
      script_xref(name:"IAVA", value:"2019-A-0388");
    
      script_name(english:"Junos OS: SIP ALG flowd DoS (JSA10953)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the remote Juniper Junos device is affected by a vulnerability in the
    SIP ALG packet processing service which allows an attacker to cause a Denial of Service (DoS) to the device. A remote,
    unauthenticated attacker can exploit this by sending specific types of valid SIP traffic to the device to cause the
    flowd process to crash and generate a core dump while processing SIP ALG traffic. Continued receipt of these SIP
    packets will cause the device to stop responding.
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10953");
      script_set_attribute(attribute:"solution", value:
    "Apply the relevant Junos software release referenced in Juniper advisory JSA10953.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0055");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/05");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Junos Local Security Checks");
    
      script_dependencies("junos_version.nasl");
      script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model");
      exit(0);
    }
    
    include('audit.inc');
    include('junos.inc');
    include('junos_kb_cmd_func.inc');
    include('misc_func.inc');
    
    ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
    model = get_kb_item_or_exit('Host/Juniper/model');
    # SRX Series
    if ( 'SRX' >!< model)
      audit(AUDIT_INST_VER_NOT_VULN, 'Junos', ver);
    
    fixes = make_array();
    
    # 12.3X48 versions prior to 12.3X48-D61, 12.3X48-D65 on SRX Series;
    # Making this paranoid
    if (report_paranoia >= 2)
      fixes['12.3X48'] = '12.3X48-D61';
    fixes['15.1X49'] = '15.1X49-D130';
    fixes['17.3'] = '17.3R3';
    fixes['17.4'] = '17.4R2';
    
    fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);
    
    # If SIP ALG is not enabled, audit out.
    override = TRUE;
    buf = junos_command_kb_item(cmd:'show configuration | display set');
    if (buf)
    {
      override = FALSE;
      pattern = "^set security alg sip";
      if (!junos_check_config(buf:buf, pattern:pattern))
        audit(AUDIT_HOST_NOT, 'vulnerable as SIP ALG is not enabled');
    }
    
    junos_report(ver:ver, fix:fix, override:override, severity:SECURITY_WARNING);