Junos SRX RTSP DoS Vulnerability

2016-01-18T00:00:00
ID OPENVAS:1361412562310106062
Type openvas
Reporter This script is Copyright (C) 2016 Greenbone Networks GmbH
Modified 2018-10-25T00:00:00

Description

Junos OS on SRX Series is prone to a Denial of Service vulnerability in flowd.

                                        
                                            ###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_junos_cve-2016-1262.nasl 12096 2018-10-25 12:26:02Z asteins $
#
# Junos SRX RTSP DoS Vulnerability
#
# Authors:
# Christian Kuersteiner <christian.kuersteiner@greenbone.net>
#
# Copyright:
# Copyright (c) 2016 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

# CPE handed to get_app_version() further down to fetch the detected
# Junos OS version.
CPE = 'cpe:/o:juniper:junos';

# Metadata registration: every call below only describes the plugin, and
# the branch ends with exit(0) so none of the detection logic runs here.
if (description) {
  # -- Identity and revision bookkeeping --
  script_oid("1.3.6.1.4.1.25623.1.0.106062");
  script_name("Junos SRX RTSP DoS Vulnerability");
  script_cve_id("CVE-2016-1262");
  script_version("$Revision: 12096 $");
  script_tag(name:"creation_date", value:"2016-01-18 09:17:30 +0700 (Mon, 18 Jan 2016)");
  script_tag(name:"last_modification", value:"$Date: 2018-10-25 14:26:02 +0200 (Thu, 25 Oct 2018) $");
  script_copyright("This script is Copyright (C) 2016 Greenbone Networks GmbH");

  # -- Scheduling: passive information gathering, fed by the two version
  #    detection scripts; both KB keys must exist for the check to run --
  script_category(ACT_GATHER_INFO);
  script_family("JunOS Local Security Checks");
  script_dependencies("gb_ssh_junos_get_version.nasl", "gb_junos_snmp_version.nasl");
  script_mandatory_keys("Junos/Version", "Junos/model");

  # -- Severity: CVSS v2 base score and vector (availability impact only) --
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:N/A:P");

  # -- Detection quality and remediation class --
  # The result is derived from the reported OS build (see "vuldetect").
  # Nothing in this script inspects whether the RTSP ALG is actually
  # enabled on the device.
  script_tag(name:"qod_type", value:"package");
  script_tag(name:"solution_type", value:"VendorFix");

  # -- Human-readable report sections --
  script_tag(name:"summary", value:"Junos OS on SRX Series is prone to a Denial of Service vulnerability
in flowd.");

  script_tag(name:"insight", value:"On all SRX-Series devices, when the RTSP ALG is enabled, a certain
crafted RTSP packet might cause the flowd process to crash, halting or interrupting traffic from flowing
through the device. RTSP ALG is enabled by default on branch SRX platforms and disabled by default on
high-end SRX platforms.");

  script_tag(name:"impact", value:"A network based attacker can cause a denial of service condition.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable OS build is present on the target host.");

  script_tag(name:"affected", value:"Junos OS 12.1, 12.3 and 15.1");

  script_tag(name:"solution", value:"New builds of Junos OS software are available from Juniper. As
a workaround disable RTSP ALG services.");

  # Vendor advisory for this issue.
  script_xref(name:"URL", value:"http://kb.juniper.net/JSA10721");

  exit(0);
}

include("host_details.inc");
include("revisions-lib.inc");

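# Detection logic: flag SRX devices whose Junos build falls inside one of
# the affected release trains and is older than that train's fixed build.
#
# Scope caveat for triage: this is a version comparison only. It does not
# check whether the RTSP ALG is enabled. The plugin's own insight text notes
# that the ALG is off by default on high-end SRX platforms, so a finding
# there should be confirmed against the device configuration before it is
# treated as exposed. Conversely, disabling the ALG (the documented
# workaround) will not clear this finding; only a fixed build will.

# Only SRX hardware is in scope; any other or unknown model is reported as
# not affected (exit code 99, same as the final fall-through below).
model = get_kb_item("Junos/model");
if (!model || toupper(model) !~ '^SRX')
  exit(99);

# No version in the knowledge base means nothing can be concluded.
if (!version = get_app_version(cpe: CPE, nofork: TRUE))
  exit(0);

# Lower bound of each affected release train => first fixed build.
# The ranges do not overlap, so the order in which keys() yields them does
# not change the result.
# NOTE(review): three trains use the X-branch itself as the lower bound,
# but the third uses plain "12.3" instead of "12.3X48". As written, any
# 12.3 build that revcomp() orders below 12.3X48-D20 is flagged. Confirm
# against the vendor advisory (JSA10721) whether that wider range is
# intended before narrowing it.
fixed_builds = make_array("12.1X46", "12.1X46-D45",
                          "12.1X47", "12.1X47-D30",
                          "12.3",    "12.3X48-D20",
                          "15.1X49", "15.1X49-D30");

foreach branch_floor (keys(fixed_builds)) {
  fix = fixed_builds[branch_floor];

  if ((revcomp(a: version, b: branch_floor) >= 0) &&
      (revcomp(a: version, b: fix) < 0)) {
    # Report the upgrade target alongside the installed build so the
    # finding is actionable without consulting the advisory.
    report = 'Installed version: ' + version + '\n' +
             'Fixed version:     ' + fix + '\n';
    security_message(port: 0, data: report);
    exit(0);
  }
}

# Version is outside every affected range.
exit(99);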