CVE-2020-1633 : Security Advisory and Response
Get insights on CVE-2020-1633 affecting Junos OS versions 17.4 to 19.2 on MX Series. Learn about the DoS risk caused by crafted packets passing through BNG with IPv6 NDP proxy.
This CVE-2020-1633 article provides details about a vulnerability affecting Junos OS on MX Series devices, potentially leading to a Denial of Service (DoS) due to crafted packets traversing a Broadband Network Gateway (BNG) with IPv6 NDP proxy enabled.
Understanding CVE-2020-1633
This section delves into the nature of the vulnerability and its implications.
What is CVE-2020-1633?
The vulnerability in Junos OS allows crafted NDPv6 packets to pass through a BNG with IPv6 NDP proxy to reach an EVPN leaf node, potentially causing a DoS by creating stale MAC address entries.
The Impact of CVE-2020-1633
The issue affects systems running Junos OS versions 17.4 and newer on MX Series, potentially leading to legitimate traffic discard and a DoS condition.
Technical Details of CVE-2020-1633
This section outlines technical aspects of the CVE.
Vulnerability Description
Crafted packets bypassing a BNG with NDP proxy can cause MAC address entries to stagnate, creating a DoS scenario.
Affected Systems and Versions
- Junos OS 17.4 to 19.2 on MX Series devices are impacted.
Exploitation Mechanism
- The attack vector involves adjacent network access and low attack complexity, with high availability impact.
Mitigation and Prevention
Here we detail steps to mitigate and prevent exploitation of this vulnerability.
Immediate Steps to Take
- Update affected software versions to those listed in the solutions provided by Juniper.
- Disable the Proxy ARP/NDP feature by configuring 'no-arp-suppression'.
Long-Term Security Practices
- Regularly update Junos OS to latest patched versions.
- Monitor network for abnormal traffic patterns indicating potential exploitation.
Patching and Updates
- Install updated software versions to address the vulnerability across impacted platforms.