RealTime IT News

US-CERT Warns on IPv6 Routing Software

Some versions of Juniper's JUNOS router software, which helps direct network traffic using the next-generation IPv6 Internet standard, contain a flaw that can be exploited to cause a denial of service (DoS).

The vulnerability results from a memory leak within the IPv6 Packet Forwarding Engine (PFE) when processing certain IPv6 packets, according to the company, the United States Computer Emergency Readiness Team (US-CERT) and the security firm Secunia.

"If an attacker submits multiple packets to a vulnerable router running an IPv6-enabled PFE, the router can be repeatedly rebooted, essentially creating a denial of service for the router," US-CERT said in an advisory.

The problem affects all Juniper routers running JUNOS with a PFE released between Feb. 24 and June 20. Products produced on or after June 21 contain corrected code. Secunia classifies the problem as "moderately critical."

Registered Juniper customers and partners can find a fix through the support section of the company's site.

IPv6 is in line to succeed IPv4, which has been in use for almost 30 years and cannot support emerging requirements for address space, mobility and security in peer-to-peer networking.

IPv6 is designed to overcome these shortcomings. It also adds improvements, such as routing and networking auto-configuration. IPv6 will coexist with IPv4 and eventually provide better internetworking capabilities than those currently available with IPv4.

Europe and the Pacific Rim have been developing advanced services, particularly in the mobile computing sector, for the new protocol, while interest in the United States has lagged. That changed last year when the Pentagon announced it would convert to IPv6 within the next three years. In support of the Pentagon's efforts, the IPv6 Task Force announced in October the launch of North America's largest IPv6 pilot network.

The Juniper alert is the latest hit for the network equipment industry. Last week, Cisco flagged a vulnerability in its flagship Collaboration Server (CCS) that could put users at risk of malicious code execution.

Cisco, which dominates the market for switching and routing equipment used to link networks, said it discovered the vulnerability in versions that ship with the ServletExec subcomponent.

Two months ago, Cisco confirmed that hackers broke into its corporate network and stole chunks of the source code for the popular IOS operating system.

Although the company doesn't believe any customer information was stolen and stressed that a product flaw was not to blame, the breach was nonetheless embarrassing for a company that's been touting security.