Vulnerabilities > CVE-2019-0059 - Memory Leak vulnerability in Juniper Junos 18.1/18.1X75

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
juniper
CWE-401
nessus
NVD
Published: 2019-10-09
Updated: 2021-09-14

Summary

A memory leak vulnerability in the of Juniper Networks Junos OS allows an attacker to cause a Denial of Service (DoS) to the device by sending specific commands from a peered BGP host and having those BGP states delivered to the vulnerable device. This issue affects: Juniper Networks Junos OS: 18.1 versions prior to 18.1R2-S4, 18.1R3-S1; 18.1X75 all versions. Versions before 18.1R1 are not affected.

Vulnerable Configurations

Part Description Count
OS
Juniper
6

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyJunos Local Security Checks
    NASL idJUNIPER_JSA10970.NASL
    descriptionThe version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the JSA10970 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id133303
    published2020-01-29
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133303
    titleJuniper JSA10970
    code
    #
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(133303);
  script_version("1.1");
  script_cvs_date("Date: 2020/01/29");

  script_cve_id(
    "CVE-2019-0047",
    "CVE-2019-0050",
    "CVE-2019-0054",
    "CVE-2019-0055",
    "CVE-2019-0057",
    "CVE-2019-0058",
    "CVE-2019-0059",
    "CVE-2019-0060",
    "CVE-2019-0062",
    "CVE-2019-0063",
    "CVE-2019-0064",
    "CVE-2019-0066",
    "CVE-2019-0067",
    "CVE-2019-0068",
    "CVE-2019-0073",
    "CVE-2019-0075"
  );
  script_xref(name:"IAVA", value:"2019-A-0388");

  script_name(english:"Juniper JSA10970");
  script_summary(english:"Checks the Junos version and build date.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The version of tested product installed on the remote host is prior to
tested version. It is, therefore, affected by a vulnerability as
referenced in the JSA10970 advisory. Note that Nessus has not tested
for this issue but has instead relied only on the application's self-
reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/KB16613");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/KB16765");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/KB16446");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/JSA10970");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper
advisory JSA10970");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0047");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/29");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model");

  exit(0);
}

include('audit.inc');
include('junos.inc');
include('misc_func.inc');

ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
model = get_kb_item_or_exit('Host/Juniper/model');
fixes = make_array();

fixes['12.1X46'] = '12.1X46-D86';
fixes['12.3'] = '12.3R12-S13';
fixes['12.3X48'] = '12.3X48-D80';
fixes['14.1X53'] = '14.1X53-D51';

if (ver =~ "^15\.1F")
fixes['15.1F'] = '15.1F6-S13';
else
  fixes['15.1'] = '15.1R7-S4';

fixes['15.1X49'] = '15.1X49-D171';
fixes['15.1X53'] = '15.1X53-D69';
fixes['16.1'] = '16.1R7-S5';
fixes['16.2'] = '16.2R2-S9';
fixes['17.1'] = '17.1R3';

if (ver =~ "^17\.2R1")
  fixes['17.2'] = '17.2R1-S8';
else if (ver =~ "^17\.2R2")
  fixes['17.2'] = '17.2R2-S7';
else if (ver =~ "^17\.2R3")
  fixes['17.2'] = '17.2R3-S1';

fixes['17.3'] = '17.3R3-S6';

if (ver =~ "^17\.4R1")
  fixes['17.4'] = '17.4R1-S7';
else if (ver =~ "^17\.4R2")
  fixes['17.4'] = '17.4R2-S4';
else
  fixes['17.4'] = '17.4R3';

fixes['18.1'] = '18.1R3-S5';

if (ver =~ "^18\.2R1")
  fixes['18.2'] = '18.2R1-S5';
else if (ver =~ "^18\.2R2")
  fixes['18.2'] = '18.2R2-S3';
else
  fixes['18.2'] = '18.2R3';

if (ver =~ "^18\.3R1")
  fixes['18.3'] = '18.3R1-S3';
else if (ver =~ "^18\.3R2")
  fixes['18.3'] = '18.3R2';
else if (ver =~ "^18\.3R3")
  fixes['18.3'] = '18.3R3';

if (ver =~ "^18\.4R1")
  fixes['18.4'] = '18.4R1-S2';
else
  fixes['18.4'] = '18.4R2';

fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);
report = get_report(ver:ver, fix:fix);
security_report_v4(severity:SECURITY_WARNING, port:0, extra:report);
  • NASL familyJunos Local Security Checks
    NASL idJUNIPER_JSA10957.NASL
    descriptionAccording to its self-reported version number, the remote Juniper Junos device is affected by a memory leak vulnerability in the routing protocol process (rdp) which can result in a denial of service (DoS) condition. An unauthenticated, remote attacker can exploit this issue, by sending specific commands from a peered BGP host and having those BGP states delivered to the vulnerable device, to cause the system to stop responding. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-03-18
    modified2019-11-04
    plugin id130468
    published2019-11-04
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130468
    titleJunos OS: rdp Memory Leak DoS (JSA10957)
    code
    #TRUSTED a606425d2b090a6c388ce6b2da5e12e3cca87c2c79610dd67448586f005d21e80ed94a73b352891886c26abfa8a421f1433d6e6d4b01ea7d0acb6294ef601bd7813d5229fd7cf3f3de2a9697246458a2d062060eb95e959b80c03ec1d4a956e91f29e2c0802472177b7357b47aed7ae7d4bfb4b5176d3f19a6e5a36ce65327bc4c1aef60118ae2b5d9eaac22a71a1c84c0f1e8c2477c0f7964f7238c50afc89c1b5ff42474723051ae5761f44167c8ec91efe07286a6cc07d786d86eac707a76500b8329f08643ddb81f98d3cb1e9c65ce5d9ddade63fdf7295b1d8c56857a4dd6d3c1ccfab3da46acaa2ea4a69c9c076c744bf2688237ff6498654be4d88e77cbb446a23480ce9fb3d725b294046b405bc7efeb5c5a5a672474a158d393a5a9bc27fa8aaf9450691e9e55ed1999e7bf5fe737c184a2fc8c177bad33fd6578c3245bc369dd381d5ce049778e6a851e6f50ab24a872d26e2471486a9a559ee20dbf21f322d77c0da813cf53b5465fd8310bcfc6d898bb7d9a23ed601c387b1c377c8ec75ecf11c4668b952d44763bd0bc1676ee53c6363f8a83a77678def07520492ccd673584a7be3d34a276206097a3917c28246e98a8c3b12fb06b6e92a2090e3884799d8e177ce2410b91166fcb15913f56a7e068302058c489e334512b481e3669404a8e424377d171f492d77990c68cfa25371d016c9c295fa80f82d097
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(130468);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2019/11/04");

  script_cve_id("CVE-2019-0059");
  script_xref(name:"JSA", value:"JSA10957");
  script_xref(name:"IAVA", value:"2019-A-0388");

  script_name(english:"Junos OS: rdp Memory Leak DoS (JSA10957)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the remote Juniper Junos device is affected by a memory leak
vulnerability in the routing protocol process (rdp) which can result in a denial of service (DoS) condition. An
unauthenticated, remote attacker can exploit this issue, by sending specific commands from a peered BGP host and having
those BGP states delivered to the vulnerable device, to cause the system to stop responding. 

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10957");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper advisory JSA10957.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0059");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/04");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Junos Local Security Checks");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version");
  exit(0);
}

include('audit.inc');
include('junos.inc');
include('junos_kb_cmd_func.inc');
include('misc_func.inc');

ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');

fixes = make_array();
# Note that the advisory has contradictory information in the problem and solution sections. 
# This plugin follows the solution section.
fixes['18.1'] = '18.1R2-S4';
fixes['18.2'] = '18.2R1';
fixes['18.2X75'] = '18.2X75-D5';

fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);

# If BGP is not enabled, audit out.
# Same as juniper_jsa10799.nasl
override = TRUE;
buf = junos_command_kb_item(cmd:'show bgp neighbor');
if (buf)
{
  override = FALSE;
  if (preg(string:buf, pattern:"BGP.* instance is not running", icase:TRUE, multiline:TRUE))
    audit(AUDIT_HOST_NOT, "affected because BGP is not enabled");
}

junos_report(ver:ver, fix:fix, override:override, severity:SECURITY_WARNING);

References