CVE-2019-0007

Summary

The vMX Series software uses a predictable IP ID Sequence Number. This leaves the system as well as clients connecting through the device susceptible to a family of attacks which rely on the use of predictable IP ID sequence numbers as their base method of attack. This issue was found during internal product security testing. Affected releases are Juniper Networks Junos OS: 15.1 versions prior to 15.1F5 on vMX Series.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS15.1 < 15.1F5affected

Weaknesses

  • Improper Enforcement of Message Integrity During Transmission in a Communication Channel

Workarounds

When used in whole, the following workaround methods may reduce the risk of information exfiltration from the customer environment, and reduce the chance of being subjected to, or propagating D/DoS attacks against other targets.

Deny incoming packets with invalid source addresses From reaching the device. Utilize egress filtering to prevent invalid / spoofed packets from leaving your network(s). Enable stateful firewall filters where possible. Utilize SYN-based anti-flood protection mechanisms where possible to reduce or avoid D/DoS attacks.

ADP Enrichment

CVE Program Container

Additional References

References