Juniper Networks is warning customers of a critical flaw in its gateway routers that allows attackers to crash the devices by sending them small amounts of easily-spoofed traffic. In an advisory sent Wednesday afternoon, the networking company said a variety of devices could be forced to reboot by sending them internet packets …
This appears to demonstrate a serious omission of very basic levels of testing.
Seems like with the history of malformed headers destroying network devices, their QA process would include some basic testing along those lines. It'd be pretty simple to test all combinations of options in the headers for every protocol the device can parse, and header fuzzing isn't exactly complicated either... Makes you wonder what they're doing over there.
Oh dear, the Juniper fanbois are only slightly less manic than Apple ones - I'm sure an IOS vs JunOS security/stability debate would not get excitable readers posting gumph.
one man's loss is another man's gain
haha, this article saved my ass. I'm working from home today and had problems accessing our Juniper network...kept trying to explain to the boss that there is a problem....and the IT people are saying.."no, everything is ok"...so I was like..."in your face IT people....hear it from the horse's mouth ;)"
doesn't this remind you of the saying "one man's loss is another man's gain" ;)
Unless your Juniper routers were rebooting all day today (which should be pretty easy to check) this is pretty much irrelevant to your efforts to connect from home ...
it's probably not as bad as you might think
All Junos software releases built on or after January 28, 2009 have fixed this specific issue.
In short, we fixed this particular problem about 350 days ago.
Given that regular (non-Extended End of Life) Junos releases have a 9 month shelf life there's a really good chance that your Junos devices were already running a release that does not have this specific issue before you learned of the issue.
If you're still running a version of Junos that's older than January 27, 2009, you should plan your upgrade properly and begin upgrading your devices in a methodical way.
If you need some more information, please reach out to your Juniper account team and your Juniper reseller.
There's also a lot of great information on Junos Central. http://www.juniper.net/junos/
Disclaimer: I work for Juniper as a Systems Engineer.
Not a big deal?
I guess that's why Qwest had an unannounced outage, because it wasn't a big deal :)
"We just had a Qwest outage of about 2 mins at 1:41am pst. When I called to report it I was told it was a 200+ emergency software upgrade due to a security concern, and that we will get a notice later after the fact. Normally we get notices in advance, even for software upgrades due to security or other important issues, so I am curious if other Qwest customers had the same experience and whether this is how it's going to be from here on in? The affected platform was Juniper and I'd love to know the specific case being addressed here." - Mike
Not so bad eh?
"In short, we fixed this particular problem about 350 days ago."
Well, sort of. The criticality of the defect was certainly reclassified, so the fix made a while back actually seems divorced from the discovery that this problem leads to a kernel crash based on a remote exploit. The Juniper advisory itself reads this way, suggesting that the fix was made without knowing that it was a fix for a remote exploit. This is not that uncommon: problems are fixed for one reason, without ever knowing there was an even better reason for correcting them.
But routers, especially high capacity ones, are only patched for serious reasons. So a defect identified but not reported in the same way back in January 2009 does not carry the effect of releasing a bulletin labeled critical yesterday. The second makes people maintaining those routers move, as the example below shows.
Qwest, like other backbone providers, doesn’t have unannounced outages for unspecified security concerns over “not as bad as you might think” issues: