Juniper Junos Protocol Daemon (RPD) BGP OPEN Message Handling DoS (JSA10779)

2017-08-23T00:00:00
ID JUNIPER_JSA10779.NASL
Type nessus
Reporter Tenable
Modified 2017-08-23T00:00:00

Description

According to its self-reported version number and configuration, the remote Juniper Junos device is affected by a denial of service vulnerability in the routing protocol daemon (rpd) due to improper handling of BGP OPEN messages. An unauthenticated, remote attacker can exploit this, via a specially crafted BGP OPEN message, to repeatedly crash and restart the rpd daemon.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration block: executed when the scanner loads the script to
# collect its metadata. It ends with exit(0), so none of the host-check logic
# after this block runs in that mode.
if (description)
{
  script_id(102700);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2017/08/23");

  # Cross-references that tie the finding to the CVE, OSVDB and vendor advisory.
  script_cve_id("CVE-2017-2314");
  script_osvdb_id(160898);
  script_xref(name:"JSA", value:"JSA10779");

  script_name(english:"Juniper Junos Protocol Daemon (RPD) BGP OPEN Message Handling DoS (JSA10779)");
  script_summary(english:"Checks the Junos version and configuration.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number and configuration, the
remote Juniper Junos device is affected by a denial of service
vulnerability in the routing protocol daemon (rpd) due to improper
handling of BGP OPEN messages. An unauthenticated, remote attacker can
exploit this, via a specially crafted BGP OPEN message, to repeatedly
crash and restart the rpd daemon.");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10779");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant Junos software release referenced in Juniper
security advisory JSA10779.");
  # Both vectors describe a network-reachable, unauthenticated issue whose
  # only impact is availability (C:N / I:N, with A:C in v2 and A:H in v3).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/07/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/23");

  # Marked as a potential vulnerability: the result is derived from the
  # self-reported version and, where available, command output. The flaw
  # itself is not exercised, so a reported host still needs confirmation.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_end_attributes();

  # Information-gathering category; the check body only reads the KB and
  # calls include-file helpers, it does not send BGP traffic itself.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2017 Tenable Network Security, Inc.");

  # Needs the Junos version collected by junos_version.nasl and the
  # "Settings/ParanoidReport" KB key. A scan without the paranoid reporting
  # setting therefore produces no result from this plugin at all, which
  # should not be read as "not vulnerable".
  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("junos_kb_cmd_func.inc");
include("misc_func.inc");

# Junos version string taken from the KB (junos_version.nasl is the declared
# dependency); the helper exits the plugin when the key is missing.
ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
# Commands run may not be available on all models
# Only continue when report paranoia is 2 or higher; otherwise stop with the
# AUDIT_PARANOID result. Presumably this gate exists because the BGP
# configuration cannot always be verified - confirm with the plugin author.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Table of release train -> first fixed release, handed to check_junos().
# For trains that have service-release fixes (for example 12.3R12-S4) the
# entry is chosen from the prefix of the installed version; any other version
# in that train falls through to the next maintenance release.
fixes = make_array();
fixes['12.3X48'] = '12.3X48-D50';

if (ver =~ "^12\.3R12")       fixes['12.3R'] = '12.3R12-S4';
else if (ver =~ "^12\.3R3")   fixes['12.3R'] = '12.3R3-S4';
else                          fixes['12.3R'] = '12.3R13';
if (ver =~ "^13\.3R4")        fixes['13.3R'] = '13.3R4-S11';
else                          fixes['13.3R'] = '13.3R10';
if (ver =~ "^14\.1R8")        fixes['14.1R'] = '14.1R8-S3';
else                          fixes['14.1R'] = '14.1R9';
fixes['14.1X53'] = '14.1X53-D40';
fixes['14.1X55'] = '14.1X55-D35';
if (ver =~ "^14\.2R4")        fixes['14.2R'] = '14.2R4-S7';
else if (ver =~ "^14\.2R6")   fixes['14.2R'] = '14.2R6-S4';
else                          fixes['14.2R'] = '14.2R7';
if ( ver =~ "^15\.1F2")       fixes['15.1F'] = '15.1F2-S11';
else if ( ver =~ "^15\.1F4")  fixes['15.1F'] = '15.1F4-S1-J1';
else if ( ver =~ "^15\.1F5")  fixes['15.1F'] = '15.1F5-S3';
else                          fixes['15.1F'] = '15.1F6';
fixes['15.1X49'] = '15.1X49-D100';
# NOTE(review): only the lower of the two fixed releases named on the next
# line is compared. If D50 is the fix for a different platform, builds between
# D33 and D50 on that platform would presumably be treated as fixed - confirm
# against JSA10779.
fixes['15.1X53'] = '15.1X53-D33'; # or 15.1X53-D50
# NOTE(review): this key is '15.1', not '15.1R' like the other R trains, and
# it shares a prefix with '15.1F', '15.1X49' and '15.1X53'. How check_junos()
# picks between overlapping keys is not visible here - confirm that F and X
# builds are not compared against 15.1R4.
fixes['15.1'] = '15.1R4';
fixes['16.1'] = '16.1R1';
fixes['16.2'] = '16.2R1';

# Compare the installed version with the table. With exit_on_fail:TRUE the
# helper presumably ends the plugin when the version is not in an affected
# range; otherwise the applicable fix string is kept for the report.
fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);

# Configuration check: is BGP running on the device?
# override starts TRUE and is cleared only when "show bgp neighbor" output was
# obtained, so a report issued with override still TRUE rests on the version
# alone (presumably junos_report() adds a caveat in that case - confirm).
override = TRUE;
buf = junos_command_kb_item(cmd:"show bgp neighbor");
if (buf)
{
  bgp_not_running = preg(string:buf, pattern:"BGP.* instance is not running", icase:TRUE, multiline:TRUE);
  if (!bgp_not_running)
  {
    # Output is present and carries no "not running" banner: BGP is treated
    # as enabled and the finding as configuration-checked.
    # NOTE(review): any non-empty output without the banner takes this path,
    # including an error string; confirm junos_command_kb_item() filters
    # failed commands, otherwise the report overstates its confidence.
    override = FALSE;
  }
  else
  {
    # The device states that BGP is not running, so rpd is not exposed to
    # BGP OPEN messages; record the host as not affected.
    audit(AUDIT_HOST_NOT, "affected because BGP is not enabled");
  }
}

junos_report(ver:ver, fix:fix, override:override, severity:SECURITY_HOLE);