Easily spoofed traffic can crash routers, Juniper warns

JMH · 07 Jan 2010

Juniper Networks is warning customers of a critical flaw in its gateway routers that allows attackers to crash the devices by sending them small amounts of easily-spoofed traffic.
In an advisory sent Wednesday afternoon, the networking company said a variety of devices could be forced to reboot by sending them internet packets with maliciously formed TCP options. The flaw affects versions 3 through 10 of Junos, the operating system that powers devices at ISPs, backbones, and other large networks. Software releases built on or after January 28, 2009 have already fixed the issue.

More -
Easily spoofed traffic can crash routers, Juniper warns ? The Register

dmex · 07 Jan 2010

"Because of Juniper's 'Entitled Disclosure Policy,' only our customers and partners are allowed access to the details of the Security Advisory," the spokeswoman wrote.

Microsoft tried to keep details of advisories secret years ago and it did no one any good whatsoever and the question I heard Microsoft consistently asked is How many years has it been there and exploited? Juniper is not the only technically competent people using the internet and their hardware and so should grow up

Digerati · 08 Jan 2010

There are a couple disturbing issues here.

1. Software releases built on or after January 28, 2009 have already fixed the issue. So the fix has been out there for a year - if this is still a problem, then the ISP is at fault for not upgrading their software, not Juniper. Now granted, updating software on major network/ISP routers is a big ordeal, but a year is long enough to schedule the outage and do the upgrade.

2. I don't think the Microsoft comparison is a fair comparison. First, the goal of keeping these vulnerabilities secret is to minimize the information getting to all the wannabe hackers out there until a fix could be developed and pushed out. The problem with MS in the past was XP. XP was designed (at user request) to support [unsafe] legacy (DOS Era) and expensive hardware and software. Security was not that big a deal for home users when XP was created. High speed access to the home was almost non-existent. The problem with MS was their PR people trying to spin the story when it broke when they should have just been straight with the public. The "cover-up" is almost always worse than the actual crime.

In this case with Juniper, it says,

only our customers and partners are allowed access to the details of the Security Advisory

I see nothing wrong with that - AS LONG AS that information is readily available to those affected. Customers should notified, and not find out by reading a press bulletin.