Juniper Junos OS MX Series DoS (JSA11077)

2020-10-30T00:00:00
ID JUNIPER_JSA11077.NASL
Type nessus
Reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-10-30T00:00:00

Description

According to the self reported version of Junos OS on the remote device it is affected by a denial of service (DoS) vulnerability. An unauthenticated attacker can continuously send crafted IPv6 packets through the device causing repetitive MS-PIC process crashes, resulting in an extended Denial of Service condition.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

                                        
                                            #TRUSTED 6c7d80dd01dc01998b241c797a712150d29f933b2153051758c85638f300a680caaf7b3676118ba46c73bb8e740ac3763b2950a480e25f15636bc20162354ca8cffb26eaa28b6ac630069df89eb9c6cc1fd76c7287bb808207bb454d93d4737118bf1ec82991298a63e3ee911608f9f38a03c617796e99dd4684c2fec688b3b72a1e437ab1e9f10b9ab6de98b1538ebc3ec05062f433ef1f5e197bb3cfd8a7cbbcf3c979de895782aa3eb78399c1df853a49c39012a6a7aad8ac411e845bc6c674b077be5379a2269ef5c057466d0d7ebb934b65d3b053e27208109ccc3441a5767fc271d3b84f5d2ab4a97d879b0431edaf0d168d54187b600bb0ebcba8363979e27db256cda255d5eaf37c9505ba14e74f89c613f6dc0cffc5956d5360ddbcd51d628f87e3e15df7acdd42cddcb217e6d8520776d25586a3bdd8fb43187521de26bf00ad9cb2a42b352139321251e0aa5ae648ed5544b4362eb652f0879dbf6e05ea18cd9f424d4f94f1e723301b06e5c615dbb94cff96572344881539271e208f390ab11ed81e89f6e99cbe69396bc2798a1891690825f06cc051caa5c96bcb25124e614cb272e325dfab26e671c4bd9968a250abd7816eda907b867160256497233113686e141b9df8a54733eb36be7d2bdfd76580b51917aeaf8ea69a6951088021c023c2cd0049ed5d815be4298fbdc81f81409b98c7b81a3dd36b4be7
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(142145);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/11/02");

  script_cve_id("CVE-2020-1680");
  script_xref(name:"JSA", value:"JSA11077");
  script_xref(name:"IAVA", value:"2020-A-0494");

  script_name(english:"Juniper Junos OS MX Series DoS (JSA11077)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to the self reported version of Junos OS on the remote device it is affected by a denial of service (DoS)
vulnerability. An unauthenticated attacker can continuously send crafted IPv6 packets through the device causing 
repetitive MS-PIC process crashes, resulting in an extended Denial of Service condition.

Note that Nessus has not tested for this issue but has instead relied only on the application's 
self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/JSA11077");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper advisory JSA11077");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1680");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/10/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/10/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/10/30");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model");

  exit(0);
}

include('junos.inc');
include('junos_kb_cmd_func.inc');

ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
model = get_kb_item_or_exit('Host/Juniper/model');
fixes = make_array();

if (model =~ "^MX")
{
  fixes['15.1R'] = '15.1R7-S7';
  fixes['15.1X53'] = '15.1X53-D593';
  fixes['16.1'] = '16.1R7-S8';
  fixes['17.2'] = '17.2R3-S4';
  fixes['17.3'] = '17.3R3-S6';
  fixes['17.4'] = '17.4R2-S11';
  fixes['18.1'] = '18.1R3-S11';
  fixes['18.2'] = '18.2R3-S6';
  fixes['18.2X75'] = '18.2X75-D41';
  fixes['18.3'] = '18.3R2-S4';
  fixes['18.4'] = '18.4R2-S5';
  fixes['19.1'] = '19.1R2';
  fixes['19.2'] = '19.2R1-S5';
  fixes['19.3'] = '19.3R2';
}

fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);
report = get_report(ver:ver, fix:fix);

# If forwarding-options dhcp-relay, audit out.
override = TRUE;
buf = junos_command_kb_item(cmd:'show configuration | display set');
if (buf)
{
  override = FALSE;
  pattern = "rule.*stateful-nat64";
  if (!junos_check_config(buf:buf, pattern:pattern))
    audit(AUDIT_HOST_NOT, 'vulnerable');
}
security_report_v4(severity:SECURITY_WARNING, port:0, extra:report);