Vulnerabilities > CVE-2019-0067 - Unspecified vulnerability in Juniper Junos 16.1/16.2/17.1

047910
CVSS 6.5 - MEDIUM
Attack vector
ADJACENT_NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
low complexity
juniper
nessus
NVD
Published: 2019-10-09
Updated: 2021-07-21

Summary

Receipt of a specific link-local IPv6 packet destined to the RE may cause the system to crash and restart (vmcore). By continuously sending a specially crafted IPv6 packet, an attacker can repeatedly crash the system causing a prolonged Denial of Service (DoS). This issue affects Juniper Networks Junos OS: 16.1 versions prior to 16.1R6-S2, 16.1R7; 16.2 versions prior to 16.2R2-S10; 17.1 versions prior to 17.1R3. This issue does not affect Juniper Networks Junos OS version 15.1 and prior versions.

Vulnerable Configurations

Part Description Count
OS
Juniper
29

Nessus

  • NASL familyJunos Local Security Checks
    NASL idJUNIPER_JSA10970.NASL
    descriptionThe version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the JSA10970 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id133303
    published2020-01-29
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133303
    titleJuniper JSA10970
    code
    #
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(133303);
  script_version("1.1");
  script_cvs_date("Date: 2020/01/29");

  script_cve_id(
    "CVE-2019-0047",
    "CVE-2019-0050",
    "CVE-2019-0054",
    "CVE-2019-0055",
    "CVE-2019-0057",
    "CVE-2019-0058",
    "CVE-2019-0059",
    "CVE-2019-0060",
    "CVE-2019-0062",
    "CVE-2019-0063",
    "CVE-2019-0064",
    "CVE-2019-0066",
    "CVE-2019-0067",
    "CVE-2019-0068",
    "CVE-2019-0073",
    "CVE-2019-0075"
  );
  script_xref(name:"IAVA", value:"2019-A-0388");

  script_name(english:"Juniper JSA10970");
  script_summary(english:"Checks the Junos version and build date.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The version of tested product installed on the remote host is prior to
tested version. It is, therefore, affected by a vulnerability as
referenced in the JSA10970 advisory. Note that Nessus has not tested
for this issue but has instead relied only on the application's self-
reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/KB16613");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/KB16765");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/KB16446");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/JSA10970");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper
advisory JSA10970");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0047");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/29");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model");

  exit(0);
}

include('audit.inc');
include('junos.inc');
include('misc_func.inc');

ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
model = get_kb_item_or_exit('Host/Juniper/model');
fixes = make_array();

fixes['12.1X46'] = '12.1X46-D86';
fixes['12.3'] = '12.3R12-S13';
fixes['12.3X48'] = '12.3X48-D80';
fixes['14.1X53'] = '14.1X53-D51';

if (ver =~ "^15\.1F")
fixes['15.1F'] = '15.1F6-S13';
else
  fixes['15.1'] = '15.1R7-S4';

fixes['15.1X49'] = '15.1X49-D171';
fixes['15.1X53'] = '15.1X53-D69';
fixes['16.1'] = '16.1R7-S5';
fixes['16.2'] = '16.2R2-S9';
fixes['17.1'] = '17.1R3';

if (ver =~ "^17\.2R1")
  fixes['17.2'] = '17.2R1-S8';
else if (ver =~ "^17\.2R2")
  fixes['17.2'] = '17.2R2-S7';
else if (ver =~ "^17\.2R3")
  fixes['17.2'] = '17.2R3-S1';

fixes['17.3'] = '17.3R3-S6';

if (ver =~ "^17\.4R1")
  fixes['17.4'] = '17.4R1-S7';
else if (ver =~ "^17\.4R2")
  fixes['17.4'] = '17.4R2-S4';
else
  fixes['17.4'] = '17.4R3';

fixes['18.1'] = '18.1R3-S5';

if (ver =~ "^18\.2R1")
  fixes['18.2'] = '18.2R1-S5';
else if (ver =~ "^18\.2R2")
  fixes['18.2'] = '18.2R2-S3';
else
  fixes['18.2'] = '18.2R3';

if (ver =~ "^18\.3R1")
  fixes['18.3'] = '18.3R1-S3';
else if (ver =~ "^18\.3R2")
  fixes['18.3'] = '18.3R2';
else if (ver =~ "^18\.3R3")
  fixes['18.3'] = '18.3R3';

if (ver =~ "^18\.4R1")
  fixes['18.4'] = '18.4R1-S2';
else
  fixes['18.4'] = '18.4R2';

fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);
report = get_report(ver:ver, fix:fix);
security_report_v4(severity:SECURITY_WARNING, port:0, extra:report);
  • NASL familyJunos Local Security Checks
    NASL idJUNIPER_JSA10966.NASL
    descriptionAccording to its self-reported version number, the remote Juniper Junos device is affected by a denial of service (DoS) vulnerability on devices configured with Multi-Chassis Link Aggregation Group (MC-LAG). An unauthenticated, adjacent attacker can exploit this by continuously sending a specially crafted IPv6 packet to repeatedly crash the system and cause the device to stop responding. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-03-18
    modified2019-11-06
    plugin id130515
    published2019-11-06
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130515
    titleJunos OS: MC-LAG DoS (JSA10966)
    code
    #TRUSTED 3548aec607dbedd7d670fa13fe836c5277fbd8f2c892c867e0134c02f5ea90be26123075a33b975a9ed5919ca06e9b8a20ff181024f2c883c471b216d67c748f43f0c6b75e4d6fcb5535a69d76576671d80f18c15cf6d306457b5cbee0f66de5b6a19455adea1ac64195a317133a1c3d3d0e5d000e6db25cde7d93749e238dbafc21b81bf937cec76ff51cd2e9a7612565d4ea358a526c6c1d13d47063f0a7f535a3f112e049a8410777ab2a5ffe462d9a3816b8db4d76155e34cd90db0475dc10add1c4688fa059d476e8e5f5f2b595e1f5d8feca89e3208775a986e95a4ba901e6f1f7ccf76fa3e8f1f95c87e8ae5d7fd6661f4e8120e310eeefd79320ab4f08fd435d8198297ecb789db261d1f92c45d6bf2e636ae69136b8ddda1161e6e1e37bb57a756f8293c16f050a4563a5c0d3fdffc672202869e67e5e1b61d21ccd20435ff740ed27326253ac4a3d5ef138eaeedd313d4043e74e31be912bb9f82a8f03795da2aeef203863993ed1091e4076eded99fc863cef5fa928f966f1356e3bdee5c982c11a609469c7aee33d779c1271cd9ad9f3e5184d17551764703e5cadaaff6bc8462393d6b7aa10e6386ee9e6ebaba12b5d7fef7623b5f32ff73eb84609805c930c6db1cfbcbb838058301c7b8cffa8d9d940a1db75de7265763489c6020b6df1adfcd651a1523de81f90199bfc84c0ccd5c9952b9c1c3e5719746c
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(130515);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2019/11/06");

  script_cve_id("CVE-2019-0067");
  script_xref(name:"JSA", value:"JSA10966");
  script_xref(name:"IAVA", value:"2019-A-0388");

  script_name(english:"Junos OS: MC-LAG DoS (JSA10966)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the remote Juniper Junos device is affected by a denial of service (DoS)
vulnerability on devices configured with Multi-Chassis Link Aggregation Group (MC-LAG). An unauthenticated, adjacent
attacker can exploit this by continuously sending a specially crafted IPv6 packet to repeatedly crash the system and
cause the device to stop responding.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10966");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper advisory JSA10966.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0067");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/06");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Junos Local Security Checks");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version");
  exit(0);
}

include('audit.inc');
include('junos.inc');
include('junos_kb_cmd_func.inc');
include('misc_func.inc');

ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');

fixes = make_array();
fixes['16.1R'] = '16.1R6-S2';
fixes['16.2R'] = '16.2R2-S10';
fixes['17.1R'] = '17.1R3';

fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);

# If MC-LAG is not enabled, audit out.
# https://www.juniper.net/documentation/en_US/junos/topics/topic-map/mc-lag-redundancy-and-multihoming.html
override = TRUE;
buf = junos_command_kb_item(cmd:'show configuration | display set');
if (buf)
{
  override = FALSE;
  pattern = "^set ae.* aggregated-ether-options mc-ae mc-ae-id";
  if (!junos_check_config(buf:buf, pattern:pattern))
    audit(AUDIT_HOST_NOT, 'vulnerable as MC-LAG is not enabled');
}

junos_report(ver:ver, fix:fix, override:override, severity:SECURITY_WARNING);

References