Juniper Junos jdhcpd IPv6 UDP DoS (JSA10800)

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(102075);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/22");

  script_cve_id("CVE-2017-2348");
  script_xref(name:"JSA", value:"JSA10800");

  script_name(english:"Juniper Junos jdhcpd IPv6 UDP DoS (JSA10800)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version and model number, the remote
Juniper Junos device is affected by a denial of service vulnerability
in the jdhcpd daemon when handling invalid IPv6 UDP packets. An
unauthenticated, remote attacker can exploit this, via specially
crafted IPv6 UDP packets, to consume available CPU resources,
resulting in an interruption of the DHCP service.");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10800");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant Junos software release referenced in Juniper
security advisory JSA10800.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-2348");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/07/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/31");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2017-2026 Tenable Network Security, Inc.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model", "Settings/ParanoidReport");

  exit(0);
}

include("junos.inc");

var ver   = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
var model = get_kb_item_or_exit('Host/Juniper/model');

if (report_paranoia < 2) audit(AUDIT_PARANOID);

var vuln_ranges;

if (model =~ '^QFabric')
  vuln_ranges = [{'min_ver':'14.1X53', 'fixed_ver':'14.1X53-D12', 'model':'^QFabric'}];
else if (model =~ '^SRX')
  vuln_ranges = [{'min_ver':'15.1X49', 'fixed_ver':'15.1X49-D80', 'model':'^SRX'}];
else if (model =~ '^NFX')
  vuln_ranges = [{'min_ver':'15.1X53', 'fixed_ver':'15.1X53-D51', 'model':'^NFX'}];
else if (model =~ '^(QF|E)X')
  vuln_ranges = [
    {'min_ver':'14.1X53', 'fixed_ver':'14.1X53-D12', 'model':'^(QF|E)X'},
    {'min_ver':'15.1X53', 'fixed_ver':'15.1X53-D51', 'model':'^(QF|E)X'}
  ];
else
  vuln_ranges = [
    {'min_ver':'15.1', 'fixed_ver':'15.1R4'},
    {'min_ver':'15.1F2', 'fixed_ver':'15.1F2-S18'}
];

var fix = junos_compare_range(target_version:ver, vuln_ranges:vuln_ranges);
if (empty_or_null(fix))
  audit(AUDIT_INST_VER_NOT_VULN, 'Junos OS', ver);
var report = get_report(model:model, ver:ver, fix:fix);
security_report_v4(severity:SECURITY_WARNING, port:0, extra:report);