Page MenuHomePhabricator
Create Task
Maniphest T334916

Juniper RA receive bug CVE-2023-28981
Closed, ResolvedPublic
Actions

Description

The following security advisory has been announced by Juniper:

2023-04 Security Bulletin: Junos OS and Junos OS Evolved: If malformed IPv6 router advertisements are received, memory corruption will occur which causes an rpd crash (CVE-2023-28981)
https://supportportal.juniper.net/s/article/2023-04-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-If-malformed-IPv6-router-advertisements-are-received-memory-corruption-will-occur-which-causes-an-rpd-crash-CVE-2023-28981?language=en_US

Our L3 switches and CR routers are potentially affected. The good news is only on our internal-interfaces towards our own servers, as only they have router-advertisements enabled. Still we may want to consider adding the mitigation Juniper suggest:

set firewall family inet6 filter test term 1 from next-header icmp6
set firewall family inet6 filter test term 1 from icmp-type 134
set firewall family inet6 filter test term 1 then discard
set firewall family inet6 filter test term 2 then accept

I'm not sure the risk is high enough to warrant a full upgrade cycle on the CRs.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Block inbound RAs on the routersoperations/homer/publicmaster+6 -0
Customize query in gerrit

Event Timeline

cmooney created this task.Apr 18 2023, 8:42 AM
cmooney triaged this task as Low priority.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 18 2023, 8:42 AM
ayounsi added a comment.Apr 18 2023, 9:50 AM

Agreed, the workaround sgtm!

Peachey88 updated the task description. (Show Details)Apr 18 2023, 10:44 AM
ayounsi moved this task from Backlog to This quarter on the netops board.Aug 9 2023, 12:25 PM
gerritbot added a comment.Sep 21 2023, 12:38 PM

Change 959732 had a related patch set uploaded (by Ayounsi; author: Ayounsi):

[operations/homer/public@master] Block inbound RAs on the routers

https://gerrit.wikimedia.org/r/959732

gerritbot added a project: Patch-For-Review.Sep 21 2023, 12:38 PM
gerritbot added a comment.Sep 25 2023, 6:50 AM

Change 959732 merged by jenkins-bot:

[operations/homer/public@master] Block inbound RAs on the routers

https://gerrit.wikimedia.org/r/959732

Stashbot added a comment.Sep 25 2023, 7:06 AM

Mentioned in SAL (#wikimedia-operations) [2023-09-25T07:06:10Z] <XioNoX> roll out "Block inbound RAs on the routers" - T334916

Maintenance_bot removed a project: Patch-For-Review.Sep 25 2023, 7:10 AM
ayounsi closed this task as Resolved.Sep 25 2023, 8:11 AM
ayounsi claimed this task.

Deployed

ayounsi added a comment.Sep 25 2023, 9:01 AM

This might need to be rolled back the day we start doing BGP unnumbered between spine and leaf as it seems to rely on it: https://www.theasciiconstruct.com/post/junos-bgp-and-bgp-unnumbered/#ipv6-configuration-for-bgp-unnumbered

cmooney added a comment.Sep 25 2023, 12:58 PM

Hmm yeah good point. We can probably upgrade devices to a release with the fix in it before then.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits