Junos SIP ALG Denial of Service Vulnerability

Summary
DoS on SRX devices when SIP ALG is enabled
Impact
Repeated crashes of the flowd process constitute an extended denial of service condition for the SRX Series device.
Solution
New builds of Junos OS software are available from Juniper. As a workaround, disable SIP ALG or enable flow-based processing for IPv6 traffic.
Insight
On SRX Series devices, when SIP ALG is enabled, a certain crafted SIP packet may cause the flowd process to crash. SIP ALG is enabled by default on SRX Series devices except for SRX-HE devices, which have SIP ALG disabled by default. The status of ALGs can be obtained by executing the 'show security alg status' CLI command.
Affected
Junos OS 12.1X46 and 12.1X47
Detection
Check the OS build.
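A triage sketch combining the build check with the SIP ALG state from 'show security alg status' (an added example, not part of the original advisory or of any Juniper tooling). Assumptions: the sample CLI output and version strings are constructed, the function names are hypothetical, and because fixed build numbers are not listed on this page, every build in a listed branch is treated as affected.

```python
import re

AFFECTED_BRANCHES = ("12.1X46", "12.1X47")  # from the "Affected" field above

# Constructed sample of 'show security alg status' output (not from a real device).
SAMPLE_ALG_STATUS = """\
ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  H323     : Disabled
  SIP      : Enabled
  TFTP     : Enabled
"""

def parse_alg_status(text):
    """Return {ALG name: True/False} from 'show security alg status' output."""
    status = {}
    for line in text.splitlines():
        # Matches "  SIP      : Enabled"; the "ALG Status :" header does not match.
        m = re.match(r"^\s*([A-Za-z0-9-]+)\s*:\s*(Enabled|Disabled)\s*$", line)
        if m:
            status[m.group(1).upper()] = (m.group(2) == "Enabled")
    return status

def in_affected_branch(version):
    """True if a Junos version string such as '12.1X46-D10.2' is in a listed branch."""
    branch = version.strip().split("-", 1)[0]
    return branch in AFFECTED_BRANCHES

def triage(version, alg_status_text):
    """Classify one device from its version string and ALG status output."""
    if not in_affected_branch(version):
        return "not-affected-branch"
    sip = parse_alg_status(alg_status_text).get("SIP")
    if sip is None:
        # SIP line missing or unparseable: do not assume the workaround is in place.
        return "unknown-sip-alg-state"
    return "exposed" if sip else "mitigated-sip-alg-disabled"

if __name__ == "__main__":
    # Constructed version strings for illustration.
    for v in ("12.1X46-D10.2", "12.1X47-D10", "15.1X49-D40"):
        print(v, triage(v, SAMPLE_ALG_STATUS))
```

The "mitigated" result reflects only the SIP ALG workaround; the IPv6 flow-based processing workaround is not checked here.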

Updated on 2015-03-25