Junos OS: processing of specific transit IP packets in flowd, leading to Denial of Service (JSA10959)

2019-12-16T00:00:00
ID JUNIPER_JSA10959.NASL
Type nessus
Reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2019-12-16T00:00:00

Description

The version of Junos OS installed on the remote host is prior to 15.1X49-D171 or 18.4R2. It is, therefore, affected by a vulnerability as referenced in the JSA10959 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

                                        
                                            #TRUSTED 3f86cd5dae828ca8e6e84fefc96b0699918958c4d7c4534940abe14a78b5b0e384b38d48225a9a9f904b7ff5b9efc20aa83f3bef6ef38db39221a0dad2bc526cc33cd5672eb82628ea02a17d0871ceb7a411ee8872b24c3236c8a1d0ae0d0685b7bbd1b3edfa908fc578cf45f50317be0f291838f91195b96b9b1e8766c895a0f8b7d44c4f70e117d8a3ef0ef5e194fb4606ee81c7ab3656045afebad6098ae5a359cca2ff765e1b185b5397a789fe2726f6c2a61f9780d5dc0eeecdb9b6684428de5cdf4bde7b2ac1e0c3f683be0972ec35590aea71fcf1991c1355efc70bcc9c3cfb9cd905bffe3a7390b4d7d1d617d018b97bf7cfe4a91ecef6af4d4a8ce56f1898569c93c0199b9dbc7caac7c976746755109835d69dbbff52ebe204747495e7f2c92dcca8ac61d2b9dbcc8024b2d1f9094fa34150647e6fc9ecc158a93b4b959143e7b2ece5719fbd80e5759fea4ce357ae51f3f0cf4fdda61576e039e181bbc1b8630d902bda88b0794d4ad728606271af2853d841808ee3b704c884d90cb228eb2921be74f853d217c951bca495f6b554f36e4a1aeb3636e98d9a5c4eace757180b4b12ed179be50c7ccec3baae2feb0e81243edfaa99ad9557010eb2779ff8afb7aafd6182ad4bdf144373455f0ca352c05548993c637747da6aca265633cdff7123483fd0c88a6289c89cbdafb1b829a6f14a4136ddeebfb982d4ca
# 
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(132075);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/09/25");

  script_cve_id("CVE-2019-0060");
  script_xref(name:"JSA", value:"JSA10959");
  script_xref(name:"IAVA", value:"2019-A-0388");

  script_name(english:"Junos OS: processing of specific transit IP packets in flowd, leading to Denial of Service (JSA10959)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The version of Junos OS installed on the remote host is prior to 15.1X49-D171 or 18.4R2. It is, therefore, affected by a
vulnerability as referenced in the JSA10959 advisory. Note that Nessus has not tested for this issue but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/JSA10959");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper advisory JSA10959");
  script_set_attribute(attribute:"risk_factor", value:"High");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/10/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/16");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model");
  
  exit(0);
}

include("audit.inc");
include("junos.inc");
include("misc_func.inc");
include("junos_kb_cmd_func.inc");

ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
model = get_kb_item_or_exit('Host/Juniper/model');
fixes = make_array();

if ( 'SRX' >!< model)
  audit(AUDIT_INST_VER_NOT_VULN, 'Junos', ver);

tun = junos_command_kb_item(cmd:'show security ipsec sa');
found_tunnels = pregmatch(pattern: "Total active tunnels: ([1-9]+)", string: tun);
if (empty_or_null(found_tunnels))
   audit(AUDIT_OS_CONF_NOT_VULN, 'Junos' + ver);

fixes["15.1X49"] = "15.1X49-D171";
fixes["18.2"] = "18.2R2-S1";
fixes["18.4"] = "18.4R2";

fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);

report = get_report(ver:ver, fix:fix);
security_report_v4(severity:SECURITY_HOLE, port:0, extra:report);