Jonas, correct firewall filters *will* block it, as the firewall filter will keep the TCP port from even responding. However, if your router has a TCP port open to a specific subnet, IPs on that subnet will be able to exploit it. In other words there is no specific firewall filter that can be put in place to completely protect the router from this attack (i.e. don't accept a TCP packet with these flags).
Best practices are obviously to configure firewall filters to only allow trusted networks to access the router via telnet/ssh/etc. and only trusted hosts to connect via BGP. If those are in place your router is much less vulnerable. While it is a major issue, it is one that should not be a problem if you have your firewall filters locked down properly. Just my 2 cents.

-Tim Eberhard

On Tue, Jan 12, 2010 at 11:22 AM, Jonas Frey <j...@probe-networks.de> wrote:
> Hello,
>
> I have tried exploiting this on various Junos versions (8.2, 8.5, 9.2),
> all of them crashed immediately at tcp_input() and rebooted after dumping
> the core.
>
> However 7.4 seems to be not vulnerable. At least the version I have here
> (7.4I20071211_1225_pgoyette) is not affected. Therefore I guess
> everything below this (at least) is not vulnerable...that would explain
> why Juniper had 6.x removed from the advisory on vulnerable releases.
> (But 7.x is still listed...).
> I still have 6.x somewhere...if anyone is interested I can try this on
> a spare unit.
>
> One more thing: I was able to firewall this on all releases. So ACLs do
> work to some extent. Also you need an open port for this to work (BGP
> etc.).
>
> Regards,
> Jonas Frey
>
> On Fri, 2010-01-08 at 17:41, Florian Weimer wrote:
> > * Barry Greene:
> >
> > > The information is in the security advisory.
> >
> > Are the PSNs the security advisory you are referring to?
> >
> > I didn't see a security advisory as such, and I'm wondering if I'm
> > missing anything.
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
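A worked Junos loopback filter along the lines Tim and Jonas describe (BGP only from known peers, ssh/telnet only from management hosts, everything else dropped), added here as an example; it is not taken from the thread or from Juniper documentation. The filter name, counter name, prefix-list names and the addresses (RFC 5737 documentation ranges) are assumptions.

```junos
/* Added example, not from the thread: a lo0 input filter that only lets
   trusted BGP peers and management hosts reach the routing engine.
   Names and addresses (RFC 5737 ranges) are assumptions. */
policy-options {
    /* Per-host /32s where possible: any host inside an allowed subnet can
       still reach the open port, which is the limitation Tim points out. */
    prefix-list bgp-peers {
        198.51.100.1/32;
        198.51.100.2/32;
    }
    prefix-list mgmt-hosts {
        192.0.2.10/32;
        192.0.2.11/32;
    }
}
firewall {
    family inet {
        filter protect-re {
            /* "port bgp" matches source or destination port 179, so it covers
               sessions the router initiated as well as inbound ones. */
            term bgp-from-peers {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term mgmt-access {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port [ ssh telnet ];
                }
                then accept;
            }
            /* Anything else the box really needs (IGP, ICMP, NTP, DNS, SNMP
               from the NMS) gets its own source-restricted term above this
               one. Everything else is counted, logged and dropped. */
            term deny-rest {
                then {
                    count protect-re-dropped;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 203.0.113.1/32;
            }
        }
    }
}
```

Applying the filter on lo0 covers traffic destined to the routing engine no matter which interface it arrives on. Use `commit confirmed` when first applying it so a mistake in the prefix lists does not lock you out, then watch `show firewall filter protect-re` and `show firewall log` for what the deny term is catching. Since Jonas observed that the crash needs an open TCP port, resist adding a blanket `tcp-established` accept term: that accepts TCP from any source and reopens exactly the exposure the filter is meant to close. If the router itself opens outbound TCP sessions, add a term restricted to the destinations it actually talks to.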