PT-2018-1289 · Juniper Networks · Junos
Published 2018-04-11 · Updated 2019-10-09 · CVE-2018-0020
CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Junos OS versions prior to 14.1X53-D47
Junos OS versions prior to 15.1F6-S10, 15.1R4-S9, 15.1R6-S6, 15.1R7
Junos OS versions prior to 15.1X49-D130 on SRX
Junos OS versions prior to 15.1X53-D66 on QFX10K
Junos OS versions prior to 15.1X53-D58 on EX2300/EX3400
Junos OS versions prior to 15.1X53-D233 on QFX5200/QFX5110
Junos OS versions prior to 15.1X53-D471 on NFX
Junos OS versions prior to 16.1R3-S8, 16.1R4-S9, 16.1R5-S3, 16.1R6-S3, 16.1R7
Junos OS versions prior to 16.1X65-D47
Junos OS versions prior to 16.2R1-S6, 16.2R2-S5, 16.2R3
Junos OS versions prior to 17.1R2-S3, 17.1R3
Junos OS versions prior to 17.2R1-S3, 17.2R2-S1, 17.2R3
Junos OS versions prior to 17.2X75-D70
Junos OS versions 13.2 and later, excluding versions prior to 13.2R1
Description
The issue is due to insufficient input validation in Junos OS, which allows a remote attacker to cause a denial of service, or a crash and restart of the routing process daemon (rpd), using specially crafted BGP UPDATE messages. This malformed BGP UPDATE does not propagate to other BGP peers. There is no known malicious exploitation of this issue.
Recommendations
For versions prior to 14.1X53-D47, update to 14.1X53-D47 or later.
For versions prior to 15.1F6-S10, 15.1R4-S9, 15.1R6-S6, 15.1R7, update to 15.1F6-S10, 15.1R4-S9, 15.1R6-S6, 15.1R7 or later.
For versions prior to 15.1X49-D130 on SRX, update to 15.1X49-D130 or later.
For versions prior to 15.1X53-D66 on QFX10K, update to 15.1X53-D66 or later.
For versions prior to 15.1X53-D58 on EX2300/EX3400, update to 15.1X53-D58 or later.
For versions prior to 15.1X53-D233 on QFX5200/QFX5110, update to 15.1X53-D233 or later.
For versions prior to 15.1X53-D471 on NFX, update to 15.1X53-D471 or later.
For versions prior to 16.1R3-S8, 16.1R4-S9, 16.1R5-S3, 16.1R6-S3, 16.1R7, update to 16.1R3-S8, 16.1R4-S9, 16.1R5-S3, 16.1R6-S3, 16.1R7 or later.
For versions prior to 16.1X65-D47, update to 16.1X65-D47 or later.
For versions prior to 16.2R1-S6, 16.2R2-S5, 16.2R3, update to 16.2R1-S6, 16.2R2-S5, 16.2R3 or later.
For versions prior to 17.1R2-S3, 17.1R3, update to 17.1R2-S3, 17.1R3 or later.
For versions prior to 17.2R1-S3, 17.2R2-S1, 17.2R3, update to 17.2R1-S3, 17.2R2-S1, 17.2R3 or later.
For versions prior to 17.2X75-D70, update to 17.2X75-D70 or later.
For versions 13.2 and later, excluding versions prior to 13.2R1, update to a fixed version or apply a configuration change to restrict BGP UPDATE requests.
Fix
DoS
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Junos