Juniper Hotfixes Shut Down IPv6 DDoS Vulnerability

Juniper Networks announced patches for a serious vulnerability in the handling of IPv6 packets that it says could leave its Junos OS and JUNOSe routers open to a distributed denial of service (DDoS) attack.

Juniper Networks announced the availability of hotfixes for a serious vulnerability in the handling of IPv6 packets that it says could leave its Junos OS and JUNOSe routers open to a denial of service (DoS) attack. The hotfixes come more than two months after the vulnerabilities were publicly disclosed.

Juniper warned network administrators in June about the flaw, which lies in the way its routers handle IPv6 packets and exposes them to DDoS attacks. In a security alert issued Monday, it announced hotfixes and workarounds to address the vulnerability.

“A vulnerability in IPv6 processing has been discovered that may allow a specially crafted IPv6 Neighbor Discovery packet to be accepted by the router rather than discarded,” Juniper wrote in its bulletin.

Juniper said that the processing of IPv6 Neighbor Discovery packets could allow remote and unauthenticated attackers to perform a DDoS attack on various router models by feeding specially crafted bytes to targeted hardware.

“A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the RE (routing engine) CPU to spike, or cause the DDoS protection ARP protocol group policer to engage,” wrote Juniper in its security bulletin.

Juniper says it believes the vulnerability (CVE-2016-1409) presents a “medium” risk and on Monday published hotfixes for JUNOSe FC3 (LM10a, LM10U, LM10ADV) and FC2 (LM4) line cards.

Juniper says the fix addresses two separate issues with IPv6 Neighbor Discovery processing. One of those issues is Junos and JUNOSe routers failing to discard non-RFC4861-compliant IPv6 ND traffic destined to the router, allowing for a partial remote DoS attack, Juniper said. “Additionally, due to the routable nature of the crafted IPv6 ND packet, the attack may be launched from beyond the local broadcast domain,” Juniper explained.
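As an added illustration that is not part of Juniper's bulletin or this article, the Python validator below applies the receipt checks RFC 4861 requires a node to perform on Neighbor Solicitation and Neighbor Advertisement messages; the hop-limit-255 rule is the one that rejects ND packets that arrived from beyond the local link, since any router on the path decrements the hop limit. The packet builder, addresses and sample packets are constructed for this example, and the ICMPv6 checksum is not verified.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

IPV6_HDR_LEN = 40
ICMPV6 = 58
ND_TYPES = {135: "neighbor solicitation", 136: "neighbor advertisement"}
SOLICITED_NODE = IPv6Network("ff02::1:ff00:0/104")


def validate_nd_packet(pkt: bytes) -> list[str]:
    """Return the RFC 4861 validation failures for a raw IPv6 ND packet (empty = accept)."""
    if len(pkt) < IPV6_HDR_LEN:
        return ["truncated IPv6 header"]
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", pkt[4:8])
    src, dst = IPv6Address(pkt[8:24]), IPv6Address(pkt[24:40])
    if next_hdr != ICMPV6:
        return ["not ICMPv6 (extension headers are not handled in this example)"]
    icmp = pkt[IPV6_HDR_LEN:IPV6_HDR_LEN + payload_len]
    if len(icmp) < 24:
        return ["ICMPv6 length below the 24-octet ND minimum"]
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type not in ND_TYPES:
        return [f"ICMPv6 type {icmp_type} is not NS/NA"]
    problems = []
    # RFC 4861 7.1.1 / 7.1.2: ND is link-local only. A hop limit below 255 proves the
    # packet crossed at least one router, so it must be discarded rather than processed.
    if hop_limit != 255:
        problems.append(f"hop limit {hop_limit} != 255 (routed from off-link)")
    if icmp_code != 0:
        problems.append(f"ICMPv6 code {icmp_code} != 0")
    target = IPv6Address(icmp[8:24])
    if target.is_multicast:
        problems.append("target address is multicast")
    if src == IPv6Address("::") and not (icmp_type == 135 and dst in SOLICITED_NODE):
        problems.append("unspecified source without solicited-node multicast destination")
    # Options are (type, length in 8-octet units); a zero length is invalid.
    off = 24
    while off < len(icmp):
        if off + 2 > len(icmp) or icmp[off + 1] == 0:
            problems.append("malformed ND option")
            break
        off += icmp[off + 1] * 8
    return problems


def build_ns(src: str, dst: str, target: str, hop_limit: int) -> bytes:
    """Constructed sample Neighbor Solicitation for testing (checksum left zero)."""
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + IPv6Address(target).packed
    hdr = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + icmp
```

A compliant on-link solicitation passes with no findings, while the same message received with a decremented hop limit is reported as routed from off-link.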

The second separate issue is also tied to the IPv6 Neighbor Discovery processing. “QFX5100 exceptions transit IPv6 ND traffic to RE, allowing for a partial local DoS attack,” Juniper explains.

Juniper is not unique when it comes to tackling IPv6 vulnerabilities. In June, Cisco also dealt with a similar IPv6 Neighbor Discovery flaw that shares the same CVE (CVE-2016-1409). In Cisco’s case, it reported a vulnerability in IPv6 processing that opened the door for a remote DDoS attack against various Cisco network appliances.

Simon Gibson, fellow security architect at Gigamon, said that both Juniper and Cisco’s security alerts were part of a multi-vendor disclosure tied to the way IPv6 was implemented by vendors. “This is not a flaw within IPv6. It’s a misconfiguration oversight that vendors can make with serious consequences,” Gibson said.

IPv6, or Internet Protocol version 6, was developed by the Internet Engineering Task Force (IETF) and deployed in 2008. The protocol was designed to solve problems associated with IPv4 and the depletion of available IPv4 addresses.
