CVE-2019-0040

Name of the Vulnerable Software and Affected Versions Junos OS versions 15.1 through 15.1F6-S11 Junos OS versions 15.1X53 through 15.1X53-D235 Junos OS versions 16.1 through 16.1R7 Junos OS versions 16.2 through 16.2R2-S8 Junos OS versions 17.1 through 17.1R2 Junos OS versions 17.2 through 17.2R1-S7 Junos OS versions 17.3 through 17.3R1 Junos OS versions 17.4 through 17.4R1-S6

Description The issue is caused by insufficient input validation in the rpcbind server, which can lead to information disclosure and denial of service. On Junos OS, rpcbind should only listen to port 111 on the internal routing instance, but due to this issue, responses are generated from the source address of the management interface, disclosing internal addressing and existence of the management interface. A high rate of crafted packets destined to port 111 may also lead to a partial denial of service.

Recommendations For Junos OS versions 15.1 through 15.1F6-S11, update to version 15.1F6-S12 or later. For Junos OS versions 15.1X53 through 15.1X53-D235, update to version 15.1X53-D236 or later. For Junos OS versions 16.1 through 16.1R7, update to version 16.1R7-S1 or later. For Junos OS versions 16.2 through 16.2R2-S8, update to version 16.2R2-S9 or later. For Junos OS versions 17.1 through 17.1R2, update to version 17.1R3 or later. For Junos OS versions 17.2 through 17.2R1-S7, update to version 17.2R1-S8 or later. For Junos OS versions 17.3 through 17.3R1, update to version 17.3R2 or later. For Junos OS versions 17.4 through 17.4R1-S6, update to version 17.4R1-S7 or later.