#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
  script_id(132959);
  script_version("1.3");
  script_cvs_date("Date: 2020/01/16");

  script_cve_id("CVE-2019-0056");
  script_xref(name:"JSA", value:"JSA10954");
  script_xref(name:"IAVA", value:"2019-A-0436");

  script_name(english:"Multiple Vulnerabilities in Juniper Junos (JSA10954)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to the self-reported version of Junos OS on the remote device, it is affected by a Denial of Service (DoS)
vulnerability. A remote unauthenticated attacker can exploit this to cause the device's Open Shortest Path First
(OSPF) states to transition to Down, resulting in a Denial of Service (DoS) attack.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/JSA10954");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper advisory JSA10954.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0074");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/16");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model");

  exit(0);
}

include('audit.inc');
include('junos.inc');
include('junos_kb_cmd_func.inc');
include('misc_func.inc');

# Version and model come from the knowledge base populated by junos_version.nasl
ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
model = get_kb_item_or_exit('Host/Juniper/model');
fixes = make_array();

# Only the listed MX models are checked; any other model is audited as not vulnerable
if (
  model != "MX2008" &&
  model != "MX2010" &&
  model != "MX2020" &&
  model != "MX480" &&
  model != "MX960"
) audit(AUDIT_INST_VER_NOT_VULN, 'Junos', ver);

# Fixed release for each affected Junos branch
fixes['18.1'] = '18.1R2-S4';
fixes['18.1X75'] = '18.1X75-D10';
fixes['18.2'] = '18.2R1-S5';
fixes['18.2X75'] = '18.2X75-D50';
fixes['18.3'] = '18.3R1-S4';
fixes['18.4'] = '18.4R1-S2';

# Exits here if the installed version is not below the fix for its branch
fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);

# Check for NG-RE; if it is not found, report the host as not vulnerable
buf = junos_command_kb_item(cmd:'show chassis fpc pic-status');
if (junos_check_result(buf) && buf =~ "Slot 3")
{
  report = get_report(ver:ver, fix:fix);
  security_report_v4(severity:SECURITY_WARNING, port:0, extra:report);
}
else audit(AUDIT_INST_VER_NOT_VULN, 'Junos', ver);