US-CERT Warns on IPv6 Routing Software

Some versions of Juniper’s JUNOS router software, which helps direct network
traffic using the next-generation IPv6 Internet standard, contain a flaw that
can be exploited to cause a denial of service.

The vulnerability results from a memory leak within the IPv6 Packet
Forwarding Engine (PFE) when processing certain IPv6 packets, according to
the company, the United States Computer Emergency Readiness Team (US-CERT)
and the security firm Secunia.

“If an attacker submits multiple packets to a vulnerable router running an
IPv6-enabled PFE, the router can be repeatedly rebooted, essentially
creating a denial of service for the router,” US-CERT said in an advisory.

The problem affects all Juniper routers running JUNOS with a PFE released
between Feb. 24 and June 20. Products produced on or after June 21 contain
corrected code. Secunia classifies the problem as “moderately critical.”

Registered Juniper customers and partners can find a fix through the support
section of the company’s site.

IPv6 is in line to succeed IPv4, which has been in use for almost 30 years
and cannot support emerging requirements for address space, mobility and
security in peer-to-peer networking.

IPv6 is designed to overcome these shortcomings. It also adds improvements,
such as routing and networking auto-configuration. IPv6 will coexist with
IPv4 and eventually provide better internetworking capabilities than those
currently available with IPv4.

Europe and the Pacific Rim have been developing advanced services,
particularly in the mobile computing sector, for the new protocol while
interest in this country has lagged. That changed last year when the
Pentagon announced it would convert to IPv6
within the next three years. In support of the Pentagon’s efforts, the IPv6
Task Force announced in October the launch of North America’s largest IPv6
pilot network.

The Juniper alert is the latest hit for the network equipment industry. Last
week, Cisco flagged a vulnerability in its flagship Collaboration Server (CCS)
that could put users at risk of malicious code execution.

Cisco, which dominates the market for switching and routing equipment used
to link networks, said it discovered the vulnerability in versions that ship with the ServletExec subcomponent.

Two months ago, Cisco confirmed that hackers broke into its corporate network
and stole chunks of the source code for the popular IOS operating system.

Although the company doesn’t believe any customer information was stolen and
stressed that a product flaw was not to blame, the breach was nonetheless
embarrassing for a company that’s been touting security.
