
CVE-2017-10611 Explained: Impact and Mitigation

Learn about CVE-2017-10611, a Juniper Networks Junos OS vulnerability causing PFE and FPC crashes on specific platforms when 'extended-statistics' is enabled. Find mitigation steps and affected versions.

Enabling extended statistics using the 'set chassis extended-statistics' command can lead to a crash and restart of the pfem process or FPC when executing any operation that fetches interface statistics, such as SNMP GET requests. This issue affects specific Juniper Networks Junos OS versions on MX Series and EX Series platforms.

Understanding CVE-2017-10611

What is CVE-2017-10611?

CVE-2017-10611 is a vulnerability in Juniper Networks Junos OS that can cause PFE and FPC crashes on certain platforms when 'extended-statistics' is enabled.

The Impact of CVE-2017-10611

The vulnerability has a CVSS base score of 6.5, indicating a medium severity issue with a high impact on availability. It can lead to extended denial of service situations.

Technical Details of CVE-2017-10611

Vulnerability Description

Enabling 'extended-statistics' can trigger crashes in the pfem process or FPC when fetching interface statistics, affecting specific Junos OS versions on MX Series and EX Series platforms.

Affected Systems and Versions

        MX Series: 14.1 prior to 14.1R8-S5, 14.1R9; 14.2 prior to 14.2R7-S9, 14.2R8; 15.1 prior to 15.1F5-S8, 15.1F6-S8, 15.1R5-S3, 15.1R6; 16.1 prior to 16.1R4-S5, 16.1R5, 16.1R6; 16.2 prior to 16.2R2-S1, 16.2R3; 17.1 prior to 17.1R2-S2, 17.1R3; 17.2 prior to 17.2R1-S3, 17.2R2; 17.2X75 prior to 17.2X75-D50; 17.3 prior to 17.3R1-S1, 17.3R2
        EX2200, EX3300, XRE200: 14.1X53 prior to 14.1X53-D46, 14.1X53-D50; 16.1X65 prior to 16.1X65-D45

Exploitation Mechanism

The issue arises when 'extended-statistics' is enabled under the [edit chassis] configuration hierarchy. With it enabled, any operation that fetches interface statistics can crash PFE processing.

Mitigation and Prevention

Immediate Steps to Take

        Disable chassis extended-statistics
        Use access lists or firewall filters to limit access to the router via SNMP or CLI only from trusted hosts and administrators
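
The two steps above can be checked per device with a short audit of `show configuration | display set` output. This is an added example, not code from Juniper or the original page: it reports whether the 'extended-statistics' trigger is active and which SNMP communities lack a client restriction. The sample configuration, the community names and the `audit` function are constructed for illustration; SNMPv3 and firewall filters are not evaluated.

```python
import re

# Constructed sample of `show configuration | display set` output (not from a real device).
SAMPLE_CONFIG = """\
set version 16.1R4.7
set chassis extended-statistics
set snmp community public authorization read-only
set snmp community noc-ro authorization read-only
set snmp community noc-ro clients 192.0.2.0/24
set snmp community lab clients 0.0.0.0/0
"""

COMMUNITY = re.compile(r"^set snmp community (\S+)(?: (.*))?$")
ANY_HOST = {"0.0.0.0/0", "::/0"}

def audit(config_text):
    """Audit set-format Junos config for the CVE-2017-10611 trigger and SNMP exposure."""
    ext_stats = False
    restricted = {}  # community name -> True once a real client restriction is seen
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "set chassis extended-statistics":
            ext_stats = True
        elif line in ("deactivate chassis", "deactivate chassis extended-statistics"):
            # Assumes the deactivate line follows the set line, as display set prints it.
            ext_stats = False
        m = COMMUNITY.match(line)
        if not m:
            continue
        name, rest = m.group(1), (m.group(2) or "").split()
        restricted.setdefault(name, False)
        if rest[:1] == ["client-list-name"]:
            # Assumption: the referenced client list is itself narrow; it is not resolved here.
            restricted[name] = True
        elif rest[:1] == ["clients"] and len(rest) >= 2:
            # "clients <prefix> restrict" denies that prefix; an any-host prefix limits nothing.
            if rest[-1] != "restrict" and rest[1] not in ANY_HOST:
                restricted[name] = True
    return {
        "extended_statistics_enabled": ext_stats,
        "unrestricted_snmp_communities": sorted(n for n, ok in restricted.items() if not ok),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

A device that reports `extended_statistics_enabled` as true and runs one of the affected releases should have the statement removed or be upgraded; unrestricted communities widen the set of hosts able to issue the SNMP GET requests that trigger the crash.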

Long-Term Security Practices

        Regularly update Junos OS to the patched versions

Patching and Updates

The issue is resolved in software releases: 14.1R8-S5, 14.1R9, 14.1X53-D46, 14.1X53-D50, 14.2R7-S9, 14.2R8, 15.1F5-S8, 15.1F6-S8, 15.1R5-S3, 15.1R6, 16.1R4-S5, 16.1R5, 16.1X65-D45, 16.2R2-S1, 16.2R3, 17.1R2-S2, 17.1R3, 17.2R1-S3, 17.2R2, 17.2X75-D50, 17.3R1-S1, 17.3R2, 17.4R1, and all subsequent releases.
