Cisco is not the only one with vulnerable routing software. Juniper last week told all M- and T-Series router customers running releases of JUNOS software developed prior to Jan. 7, 2005, to upgrade the software or suffer a "serious security vulnerability."
"This vulnerability could be exploited either by a directly-attached neighboring device or by a remote attacker that can deliver certain packets to the router," according to a Juniper Technical Bulletin obtained by Network World. "Routers running vulnerable JUNOS software are susceptible regardless of the router's configuration. It is not possible to use firewall filters to protect vulnerable routers."
Juniper has assigned a risk level of "High" to this vulnerability. The bug is a blow to Juniper which prides itself on the stability and reliability of its software, especially when compared to Cisco's IOS.
To fix it, Juniper has modified JUNOS software to address the vulnerability, according to the technical bulletin. All versions of JUNOS software built on or after Jan. 22, 2005, contain the modified code, the bulletin states, while software built between Jan. 7 and Jan.y 22 may contain the modified code, depending on the specific JUNOS release.
"All customers are strongly encouraged to upgrade their software to a release that contains the modified code," the bulletin urges.
The bug was brought to the attention of the U.S. Computer Emergency Readiness Team by Qwest. Qwest declined to comment further on the vulnerability, citing a non-disclosure agreement with Juniper.
Juniper customer BellSouth says it was impacted by the bug and applied software patches to fix it. BellSouth says none of its customers were affected by it.
Cox Communications, which recently announced a deployment of Juniper M320 edge routers, rewrote some code and said its customers were not affected.
Juniper declined to comment beyond what was stated in the technical bulletin.