CVE-2020-1660

Name of the Vulnerable Software and Affected Versions Juniper Networks Junos OS versions prior to 17.3R3-S8 Juniper Networks Junos OS versions prior to 18.3R3-S1 Juniper Networks Junos OS versions prior to 18.4R3 Juniper Networks Junos OS versions prior to 19.1R3 Juniper Networks Junos OS versions prior to 19.2R2 Juniper Networks Junos OS versions prior to 19.3R3

Description The issue is caused by errors in synchronization when using a shared resource in the Multiservices PIC Management Daemon (mspmand) process. When DNS filtering is enabled on Juniper Networks Junos MX Series with one of the following cards MS-PIC, MS-MIC or MS-MPC, an incoming stream of packets processed by the mspmand process may crash, causing the Services PIC to restart. While the Services PIC is restarting, all PIC services including DNS filtering service will be bypassed until the Services PIC completes its boot process. This might allow an attacker to cause an extended Denial of Service (DoS) attack against the device and to cause clients to be vulnerable to DNS based attacks by malicious DNS servers when they send DNS requests through the device.

Recommendations For Juniper Networks Junos OS versions prior to 17.3R3-S8, update to version 17.3R3-S8 or later. For Juniper Networks Junos OS versions prior to 18.3R3-S1, update to version 18.3R3-S1 or later. For Juniper Networks Junos OS versions prior to 18.4R3, update to version 18.4R3 or later. For Juniper Networks Junos OS versions prior to 19.1R3, update to version 19.1R3 or later. For Juniper Networks Junos OS versions prior to 19.2R2, update to version 19.2R2 or later. For Juniper Networks Junos OS versions prior to 19.3R3, update to version 19.3R3 or later. As a temporary workaround, consider disabling the DNS filtering service until a patch is available. Restrict access to the Multiservices PIC Management Daemon (mspmand) process to minimize the risk of exploitation. Avoid using the DNS filtering service in the affected API endpoint until the issue is resolved.