CVE-2023-28979 - Bypassing Integrity Check in Juniper Networks Junos OS Kernel

A recently discovered vulnerability, tracked as CVE-2023-28979, affects the kernel of Juniper Networks Junos OS, allowing an unauthenticated attacker to bypass an integrity check in certain scenarios. In particular, the vulnerability lies in an improper check for unusual or exceptional conditions in the kernel. Specifically, when the 6PE feature is enabled and if an additional integrity check is configured, the system will fail to drop malformed IPv6 packets. Consequently, these packets would be forwarded to other connected networks, potentially leading to further attacks on those networks.

The following code snippet demonstrates the issue in question

// Kernel module with improper check for unusual or exceptional conditions

int validate_ipv6_packet(const struct sk_buff *skb) {
    if (!skb) {
        return -EINVAL;
    }

    struct ipv6hdr *ipv6_hdr = ipv6_hdr(skb);

    if (ipv6_hdr->version != 6) {
        // Malformed IPv6 packet
        return -EINVAL;
    }

    // CVE-2023-28979 vulnerability - Bypass integrity check
    if (skip_integrity_check
        && check_integrity(skb) != 
        && !ipv6_extension_hdr(ipv6_hdr->nexthdr)) {
        // Bypass integrity check for 6PE scenario
        return ;
    }

    return ; // Valid IPv6 packet
}

Exploit Details

An attacker must be in an adjacent network or have control over the sending device to exploit this vulnerability, as they would need to craft and send specific malformed IPv6 packets with certain characteristics. In particular, these packets must contain extension headers, which will trigger the relevant code path in the kernel and bypass the integrity check. Since the vulnerable code is executed for each received packet, an attacker can repetitively flood the system with malicious packets to amplify the impact of the exploit.

For further details and information on mitigation, refer to the official Juniper Networks resources

- CVE-2023-28979 Advisory
- Juniper Networks Junos OS Product Release Notes

Conclusion

To protect your Juniper Networks Junos OS systems from the CVE-2023-28979 vulnerability, it is recommended to update the affected software versions with the latest security patches. Given the potential severity of an attacker being able to flood the system with malicious packets, prompt action in resolving this vulnerability is necessary. It is also essential that users stay informed about future potential vulnerabilities and exploits to maintain the security of their networks.

Timeline

Published on: 04/17/2023 22:15:00 UTC