Vgil@nce: JUNOS, denial of service via LSP
July 2008 by Vigil@nce
SYNTHESIS
An attacker can send LSP ping or traceroute packets in order to
restart the rpd daemon.
Gravity: 2/4
Consequences: denial of service of computer
Provenance: intranet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 11/07/2008
Identifier: VIGILANCE-VUL-7944
IMPACTED PRODUCTS
– Juniper JUNOS [confidential versions]
DESCRIPTION
The RFC 4379 defines an equivalent of ping and traceroute for MPLS
LSP (Label Switched Paths).
JUNOS handles these packets since version 8.1. However, when the
rpd (Routing Protocol Daemon) daemon handles these packets, it
uses an invalid memory address, which leads to a reload.
An attacker can therefore create a temporary denial of service.
CHARACTERISTICS
Identifiers: PR/285811, PSN-2008-06-002, VIGILANCE-VUL-7944