Vulnerabilities > CVE-2019-0068 - Improper Check for Unusual or Exceptional Conditions vulnerability in Juniper Junos

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
juniper
CWE-754
nessus

Summary

The SRX flowd process, responsible for packet forwarding, may crash and restart when processing specific multicast packets. By continuously sending the specific multicast packets, an attacker can repeatedly crash the flowd process causing a sustained Denial of Service. This issue affects Juniper Networks Junos OS on SRX Series: 12.3X48 versions prior to 12.3X48-D90; 15.1X49 versions prior to 15.1X49-D180; 17.3 versions; 17.4 versions prior to 17.4R2-S5, 17.4R3; 18.1 versions prior to 18.1R3-S6; 18.2 versions prior to 18.2R2-S4, 18.2R3; 18.3 versions prior to 18.3R2-S1, 18.3R3; 18.4 versions prior to 18.4R2; 19.1 versions prior to 19.1R1-S1, 19.1R2.

Nessus

  • NASL familyJunos Local Security Checks
    NASL idJUNIPER_JSA10970.NASL
    descriptionThe version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the JSA10970 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id133303
    published2020-01-29
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/133303
    titleJuniper JSA10970
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(133303);
      script_version("1.1");
      script_cvs_date("Date: 2020/01/29");
    
      script_cve_id(
        "CVE-2019-0047",
        "CVE-2019-0050",
        "CVE-2019-0054",
        "CVE-2019-0055",
        "CVE-2019-0057",
        "CVE-2019-0058",
        "CVE-2019-0059",
        "CVE-2019-0060",
        "CVE-2019-0062",
        "CVE-2019-0063",
        "CVE-2019-0064",
        "CVE-2019-0066",
        "CVE-2019-0067",
        "CVE-2019-0068",
        "CVE-2019-0073",
        "CVE-2019-0075"
      );
      script_xref(name:"IAVA", value:"2019-A-0388");
    
      script_name(english:"Juniper JSA10970");
      script_summary(english:"Checks the Junos version and build date.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch.");
      script_set_attribute(attribute:"description", value:
    "The version of tested product installed on the remote host is prior to
    tested version. It is, therefore, affected by a vulnerability as
    referenced in the JSA10970 advisory. Note that Nessus has not tested
    for this issue but has instead relied only on the application's self-
    reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/KB16613");
      script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/KB16765");
      script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/KB16446");
      script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/JSA10970");
      script_set_attribute(attribute:"solution", value:
    "Apply the relevant Junos software release referenced in Juniper
    advisory JSA10970");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0047");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/01/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/29");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Junos Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("junos_version.nasl");
      script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model");
    
      exit(0);
    }
    
    include('audit.inc');
    include('junos.inc');
    include('misc_func.inc');
    
    ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
    model = get_kb_item_or_exit('Host/Juniper/model');
    fixes = make_array();
    
    fixes['12.1X46'] = '12.1X46-D86';
    fixes['12.3'] = '12.3R12-S13';
    fixes['12.3X48'] = '12.3X48-D80';
    fixes['14.1X53'] = '14.1X53-D51';
    
    if (ver =~ "^15\.1F")
    fixes['15.1F'] = '15.1F6-S13';
    else
      fixes['15.1'] = '15.1R7-S4';
    
    fixes['15.1X49'] = '15.1X49-D171';
    fixes['15.1X53'] = '15.1X53-D69';
    fixes['16.1'] = '16.1R7-S5';
    fixes['16.2'] = '16.2R2-S9';
    fixes['17.1'] = '17.1R3';
    
    if (ver =~ "^17\.2R1")
      fixes['17.2'] = '17.2R1-S8';
    else if (ver =~ "^17\.2R2")
      fixes['17.2'] = '17.2R2-S7';
    else if (ver =~ "^17\.2R3")
      fixes['17.2'] = '17.2R3-S1';
    
    fixes['17.3'] = '17.3R3-S6';
    
    if (ver =~ "^17\.4R1")
      fixes['17.4'] = '17.4R1-S7';
    else if (ver =~ "^17\.4R2")
      fixes['17.4'] = '17.4R2-S4';
    else
      fixes['17.4'] = '17.4R3';
    
    fixes['18.1'] = '18.1R3-S5';
    
    if (ver =~ "^18\.2R1")
      fixes['18.2'] = '18.2R1-S5';
    else if (ver =~ "^18\.2R2")
      fixes['18.2'] = '18.2R2-S3';
    else
      fixes['18.2'] = '18.2R3';
    
    if (ver =~ "^18\.3R1")
      fixes['18.3'] = '18.3R1-S3';
    else if (ver =~ "^18\.3R2")
      fixes['18.3'] = '18.3R2';
    else if (ver =~ "^18\.3R3")
      fixes['18.3'] = '18.3R3';
    
    if (ver =~ "^18\.4R1")
      fixes['18.4'] = '18.4R1-S2';
    else
      fixes['18.4'] = '18.4R2';
    
    fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);
    report = get_report(ver:ver, fix:fix);
    security_report_v4(severity:SECURITY_WARNING, port:0, extra:report);
    
  • NASL familyJunos Local Security Checks
    NASL idJUNIPER_JSA10968.NASL
    descriptionAccording to its self-reported version number, the remote Juniper Junos device is affected by a vulnerability in the flowd process. An unauthenticated, remote attacker can exploit this issue, by repeatedly sending specific multicast packets to an affected device, to cause the device to stop responding. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id130518
    published2019-11-06
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130518
    titleJunos OS: Multicast flowd DoS (JSA10968)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(130518);
      script_version("1.1");
      script_cvs_date("Date: 2019/11/06");
    
      script_cve_id("CVE-2019-0068");
      script_xref(name:"JSA", value:"JSA10968");
      script_xref(name:"IAVA", value:"2019-A-0388");
    
      script_name(english:"Junos OS: Multicast flowd DoS (JSA10968)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is missing a vendor-supplied security patch.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the remote Juniper Junos device is affected by a vulnerability in the
    flowd process. An unauthenticated, remote attacker can exploit this issue, by repeatedly sending specific multicast
    packets to an affected device, to cause the device to stop responding.
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10968");
      script_set_attribute(attribute:"solution", value:
    "Apply the relevant Junos software release referenced in Juniper advisory JSA10968.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0068");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/06");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Junos Local Security Checks");
    
      script_dependencies("junos_version.nasl");
      script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model");
      exit(0);
    }
    
    include('audit.inc');
    include('junos.inc');
    include('misc_func.inc');
    
    ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
    model = get_kb_item_or_exit('Host/Juniper/model');
    # Only SRX Series platforms are affected
    if ( 'SRX' >!< model)
      audit(AUDIT_INST_VER_NOT_VULN, 'Junos', ver);
    
    # All 17.3 versions are vulnerable;
    # Passing 17.4R2-S5 as fix fails to flag 17.3RX versions as _junos_base_ver_compare()
    # won't compare different major versions.
    if (ver =~ "^17.3($|[^0-9])")
      vuln_major_version = TRUE;
    
    fixes = make_array();
    
    fixes['12.3X48'] = '12.3X48-D90';
    fixes['15.1X49'] = '15.1X49-D180';
    fixes['17.4'] = '17.4R2-S5';
    fixes['18.1'] = '18.1R3-S6';
    fixes['18.2'] = '18.2R2-S4';
    fixes['18.3'] = '18.3R2-S1';
    fixes['18.4'] = '18.4R2';
    fixes['19.1'] = '19.1R1-S1';
    
    if (vuln_major_version)
      fix = 'Upgrade to 17.4R2-S5 or later.';
    else
      fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);
    
    report = get_report(model:model, ver:ver, fix:fix);
    security_report_v4(severity:SECURITY_WARNING, port:0, extra:report);