Here’s some firewall rules while we work on a fix
That IPv6 neighbour discovery packet bug Cisco warned about last week? Juniper has just followed Switchzilla by warning that it has the same problem.
When Cisco announced the vuln, it said other IPv6 implementations would also be at risk.
The Gin Palace agrees: CVE-2016-1409 is an issue for anybody running Junos OS.
The advisory provides some extra detail on how the bug functions, as follows:
The crafted packet, destined to the router, will then be processed by the routing engine (RE).
A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the RE CPU to spike, or cause the DDoS protection ARP protocol group policer to engage. When this happens, the DDoS policer may start dropping legitimate IPv6 neighbours as legitimate ND times out.
Juniper says the vulnerability lies in how routers respond to “any purposeful malicious IPv6” neighbour discovery flood, adding that the crafted packet should have been stopped by the forwarding controllers or ASICs before it reached the routing engine.
“Additionally, due to the routable nature of the crafted IPv6 ND packet, the attack may be launched from beyond the local broadcast domain”, the advisory adds.
Juniper is working on a fix for Junos OS.
In the meantime, the advisory includes firewall rules to block the neighbour discovery packets at the network edge. However, the company notes that firewalling is not a complete workaround, and in particular an edge filter wouldn’t protect against a locally launched attack.
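An added, illustrative Junos firewall filter in the spirit of the workaround described above; it is not the advisory's own rule set, and the filter, term and counter names are assumed. It relies on RFC 4861's requirement that neighbour discovery messages carry a hop limit of 255, so an ND packet arriving at the routing engine with a lower hop limit has crossed a router hop and is the routed packet the advisory describes.

```junos
/* Assumed filter name: protects the routing engine from ND packets that were routed in */
firewall {
    family inet6 {
        filter protect-re-nd {
            /* ND messages must arrive with hop limit 255 (RFC 4861); anything lower was forwarded */
            term drop-forwarded-nd {
                from {
                    next-header icmp6;
                    icmp-type [ router-solicit router-advertisement neighbor-solicit neighbor-advertisement redirect ];
                    hop-limit-except 255;
                }
                then {
                    /* Assumed counter name; lets operators see whether the flood is hitting the box */
                    count forwarded-nd-dropped;
                    discard;
                }
            }
            /* Everything else, including legitimate on-link ND, keeps flowing */
            term accept-everything-else {
                then accept;
            }
        }
    }
}
/* Apply to the loopback so the filter sees only traffic destined for the routing engine */
interfaces {
    lo0 {
        unit 0 {
            family inet6 {
                filter {
                    input protect-re-nd;
                }
            }
        }
    }
}
```

Check the counter with `show firewall filter protect-re-nd` after committing; a climbing `forwarded-nd-dropped` count is the detection signal for the routed flood. As the article notes, this only covers packets that crossed a router hop, so an attacker on the local link is unaffected by it.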
Cisco has started shipping code to fix the vulnerability.
The advisory it published last week has been updated to state that the Cisco IOS XR software maintenance updates asr9k-px-5.3.2.CSCuz66542.pie and hfr-px-5.3.3.CSCuz66542.pie address the flaw.
Other IOS versions are still awaiting update.