CVE-2017-10605 : What You Need to Know
Learn about CVE-2017-10605, a denial of service vulnerability in Junos OS affecting vSRX and SRX Series devices due to crafted DHCP packets. Find out the impacted systems, exploitation details, and mitigation steps.
A denial of service vulnerability in Junos OS affecting vSRX and SRX Series devices due to crafted DHCP packets.
Understanding CVE-2017-10605
What is CVE-2017-10605?
If DHCP or DHCP relay is configured on vSRX and SRX Series devices, a carefully constructed packet may lead to the crashing of the flowd process, resulting in a disruption or complete interruption of traffic flow through the device(s).
The Impact of CVE-2017-10605
- The vulnerability can cause a denial of service situation by crashing the flowd process, affecting traffic flow on the devices.
- In high-availability configurations, the data-plane may switch over to the secondary node, causing interruptions.
Technical Details of CVE-2017-10605
Vulnerability Description
The issue arises when specially crafted packets crash the flowd process, potentially leading to extended denial of service conditions.
Affected Systems and Versions
- Platforms: vSRX or SRX Series
- Junos OS versions affected: 12.1X46 prior to 12.1X46-D67, 12.3X48 prior to 12.3X48-D50, 15.1X49 prior to 15.1X49-D91, 15.1X49-D100
Exploitation Mechanism
- Attack Complexity: Low
- Attack Vector: Network
- Availability Impact: High
- Base Score: 8.6 (High)
Mitigation and Prevention
Immediate Steps to Take
- Ensure devices with DHCP or DHCP relay are updated to the fixed software releases.
- Monitor for unusual network behavior that could indicate exploitation.
Long-Term Security Practices
- Regularly update Junos OS to the latest versions to prevent vulnerabilities.
- Implement network segmentation to limit the impact of potential attacks.
Patching and Updates
- Software releases 12.1X46-D67, 12.3X48-D50, 15.1X49-D91, 15.1X49-D100, and later versions address this vulnerability.