[BreachExchange] Juniper Bug Allows RCE and DoS Against Carrier Networks

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jul 20 10:54:03 EDT 2021


https://www.ehackingnews.com/2021/07/juniper-bug-allows-rce-and-dos-against.html

Juniper Networks' Steel-Belted Radius (SBR) Carrier Edition has a severe
remote code-execution vulnerability that leaves wireless carrier and fixed
operator networks vulnerable to tampering. Telecom carriers use the SBR
Carrier server to manage policies for how subscribers use their networks by
centralizing user authentication, granting the proper level of access, and
verifying compliance with security standards. It enables carriers to
distinguish service tiers, diversify revenue models, and manage network
resources.

Juniper Networks, Inc. is a multinational technology company based in
Sunnyvale, California. Routers, switches, network management software,
network security solutions, and software-defined networking technology are
among the networking products developed and sold by the company. Pradeep
Sindhu started the company in 1996, with Scott Kriens serving as the
original CEO until September 2008. Juniper Networks began by specializing
in core routers, which are used by internet service providers (ISPs) to
execute IP address lookups and route internet traffic.

SBR Carrier versions 8.4.1, 8.5.0, and 8.6.0 that use the Extensible
Authentication Protocol are affected by the bug (CVE-2021-0276). Juniper
released a patch on Wednesday. On the CVSS vulnerability-severity rating
scale, the bug gets a 9.8 out of 10. According to Juniper's advisory, it's
a stack-based buffer-overflow vulnerability that an attacker can exploit by
sending specially crafted packets to the platform, causing the RADIUS
daemon to crash. This can cause RCE as well as denial-of-service (DoS),
which prevents phone subscribers from having a network connection.

The flaw is one of dozens that the networking giant patched this week
across its carrier and corporate product lines, including multiple
high-severity flaws that could be used to launch DoS attacks. Juniper
says that one of these can also be used for RCE. CVE-2021-0277 is an
out-of-bounds read vulnerability that affects Junos OS (versions 12.3,
15.1, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1,
20.2, 20.3 and 20.4), as well as Junos OS Evolved (all versions).

The problem occurs when the Layer 2 Control Protocol Daemon (l2cpd)
processes specially crafted LLDP frames. On a local area network (usually
over wired Ethernet), network devices use the Link Layer Discovery Protocol
(LLDP) to advertise their identity, capabilities, and neighbors. “Continued receipt and
processing of these frames, sent from the local broadcast domain, will
repeatedly crash the l2cpd process and sustain the DoS condition,” Juniper
said in its advisory, issued on Thursday.