Juniper Networks Junos OS RPD BGP Update DoS Vulnerability

# SPDX-FileCopyrightText: 2016 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/o:juniper:junos";

if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.106067");
  script_version("2023-07-21T05:05:22+0000");
  script_tag(name:"last_modification", value:"2023-07-21 05:05:22 +0000 (Fri, 21 Jul 2023)");
  script_tag(name:"creation_date", value:"2016-05-04 23:16:03 +0200 (Wed, 04 May 2016)");
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_tag(name:"severity_vector", value:"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2016-04-20 19:19:00 +0000 (Wed, 20 Apr 2016)");

  script_tag(name:"qod_type", value:"package");

  script_tag(name:"solution_type", value:"VendorFix");

  script_cve_id("CVE-2016-1270");

  script_name("Juniper Networks Junos OS RPD BGP Update DoS Vulnerability");

  script_category(ACT_GATHER_INFO);

  script_family("JunOS Local Security Checks");
  script_copyright("Copyright (C) 2016 Greenbone AG");
  script_dependencies("gb_juniper_junos_consolidation.nasl");
  script_mandatory_keys("juniper/junos/detected");

  script_tag(name:"summary", value:"Junos OS is prone of a denial of service vulnerability
in RPD.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable OS build is present on the target host.");

  script_tag(name:"insight", value:"Upon receipt of a specially crafted BGP 'family l2vpn'
UPDATE message, the Junos OS rpd daemon will crash and restart.

This issue only affects BGP based L2VPN and VPLS configurations. No other configurations are
affected. The issue is not applicable to BGP Route Reflectors (RR).

Note that this issue can only be triggered from inside a customer's network. MPLS labels are
not usually exchanged outside the protected network, and are usually only received from a
PE or RR in the same network.");

  script_tag(name:"impact", value:"Receipt of a constant stream of crafted BGP updates could
lead to an extended denial of service.");

  script_tag(name:"affected", value:"Junos OS 12.1, 12.3, 13.2, 13.3, 14.1 and 14.2");

  script_tag(name:"solution", value:"New builds of Junos OS software are available from Juniper.");

  script_xref(name:"URL", value:"http://kb.juniper.net/JSA10737");

  exit(0);
}

include("host_details.inc");
include("revisions-lib.inc");
include("version_func.inc");

if (!version = get_app_version(cpe: CPE, nofork: TRUE))
  exit(0);

if (version =~ "^12") {
  if (revcomp(a: version, b: "12.1X44-D60") < 0) {
    report = report_fixed_ver(installed_version: version, fixed_version: "12.1X44-D60");
    security_message(port: 0, data: report);
    exit(0);
  }
  else if ((revcomp(a: version, b: "12.1X46-D45") < 0) &&
           (revcomp(a: version, b: "12.1X46") >= 0)) {
    report = report_fixed_ver(installed_version: version, fixed_version: "12.1X46-D45");
    security_message(port: 0, data: report);
    exit(0);
  }
  else if ((revcomp(a: version, b: "12.1X47-D30") < 0) &&
           (revcomp(a: version, b: "12.1X47") >= 0)) {
    report = report_fixed_ver(installed_version: version, fixed_version: "12.1X47-D30");
    security_message(port: 0, data: report);
    exit(0);
  }
  else if ((revcomp(a: version, b: "12.3R9") < 0) &&
           (revcomp(a: version, b: "12.3") >= 0)) {
    report = report_fixed_ver(installed_version: version, fixed_version: "12.3R9");
    security_message(port: 0, data: report);
    exit(0);
  }
  else if ((revcomp(a: version, b: "12.3X48-D20") < 0) &&
           (revcomp(a: version, b: "12.3X48") >= 0)) {
    report = report_fixed_ver(installed_version: version, fixed_version: "12.3X48-D20");
    security_message(port: 0, data: report);
    exit(0);
  }
}

if (version =~ "^13") {
  if (revcomp(a: version, b: "13.2R7") < 0) {
    report = report_fixed_ver(installed_version: version, fixed_version: "13.2R7");
    security_message(port: 0, data: report);
    exit(0);
  }
  else if ((revcomp(a: version, b: "13.2X51-D40") < 0) &&
           (revcomp(a: version, b: "13.2X51") >= 0)) {
    report = report_fixed_ver(installed_version: version, fixed_version: "13.2X51-D40");
    security_message(port: 0, data: report);
    exit(0);
  }
  else if ((revcomp(a: version, b: "13.3R6") < 0) &&
           (revcomp(a: version, b: "13.3") >= 0)) {
    report = report_fixed_ver(installed_version: version, fixed_version: "13.3R6");
    security_message(port: 0, data: report);
    exit(0);
  }
}

if (version =~ "^14") {
  if (revcomp(a: version, b: "14.1R4") < 0) {
    report = report_fixed_ver(installed_version: version, fixed_version: "14.1R4");
    security_message(port: 0, data: report);
    exit(0);
  }
  else if ((revcomp(a: version, b: "14.2R2") < 0) &&
           (revcomp(a: version, b: "14.2") >= 0)) {
    report = report_fixed_ver(installed_version: version, fixed_version: "14.2R2");
    security_message(port: 0, data: report);
    exit(0);
  }
}

exit(99);