Overview
Multiple BGP implementations have been identified as vulnerable to specially crafted Path Attributes of a BGP UPDATE. Instead of ignoring invalid updates they reset the underlying TCP connection for the BGP session and de-peer the router.
This is undesirable because a session reset impacts not only routes with the BGP UPDATE but also the other valid routes exchanged over the session. (RFC 7606, Introduction)
Description
The Border Gateway Protocol (BGP, RFC 4271) is a widely used inter-Autonomous System routing protocol. BGP communication among peer routers is critical to the stable operation of the Internet. A number of known BGP security issues were addressed in RFC 7606 Revised Error Handling for BGP UPDATE Messages in 2015.
Recent reports indicate that multiple BGP implementations do not properly handle specially crafted Path Attributes in the BGP UPDATE messages. An attacker with a valid, configured BGP session could inject a specially crafted packet into an existing BGP session or the underlying TCP session (179/tcp). A vulnerable BGP implementation could drop sessions when processing crafted UPDATE messages. A persistent attack could lead to routing instability (route flapping).
This vulnerability was first announced as affecting OpenBSD-based routers. Further investigation indicates that other vendors are affected by the same or similar issues. Please see the Systems Affected section below. These are the CVE IDs the reporter reserved for the different vendors that were tested:
- CVE-2023-4481 (Juniper)
- CVE-2023-38802 (FRR)
- CVE-2023-38283 (OpenBGPd)
- CVE-2023-40457 (EXOS)
Impact
A remote attacker could publish a BGP UPDATE with a crafted set of Path Attributes, causing vulnerable routers to de-peer from any link on which such an update was received. Unaffected routers might also pass the crafted updates across the network, potentially leading to the update arriving at an affected router from multiple sources and causing multiple links to fail.
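The difference the Description and Impact sections turn on, between legacy error handling (reset the session) and RFC 7606 treat-as-withdraw (keep the session, drop only this UPDATE's routes), as an added example that is not code from the CERT/CC note or any listed vendor: a minimal Python parser for the Path Attributes field of a BGP UPDATE (RFC 4271 section 4.3) run against constructed sample bytes. It simplifies RFC 7606, which prescribes per-error actions (attribute discard, treat-as-withdraw or session reset), by mapping every attribute-level parse failure to treat-as-withdraw, and it assumes the UPDATE's NLRI are passed in separately.

```python
import struct

# Attribute type codes from RFC 4271; the handling model below is simplified.
ORIGIN, AS_PATH, NEXT_HOP = 1, 2, 3
FLAG_EXTENDED_LENGTH = 0x10


class MalformedAttribute(Exception):
    """An attribute that cannot be parsed from the remaining bytes."""


def parse_path_attributes(data: bytes) -> dict:
    """Walk the Path Attributes TLV sequence, raising on any inconsistency."""
    attrs, pos = {}, 0
    while pos < len(data):
        if len(data) - pos < 3:
            raise MalformedAttribute("attribute header truncated")
        flags, code = data[pos], data[pos + 1]
        pos += 2
        if flags & FLAG_EXTENDED_LENGTH:  # two-byte length field
            if len(data) - pos < 2:
                raise MalformedAttribute("extended length field truncated")
            (length,) = struct.unpack("!H", data[pos:pos + 2])
            pos += 2
        else:  # one-byte length field
            length, pos = data[pos], pos + 1
        if pos + length > len(data):  # declared length runs past the field
            raise MalformedAttribute(f"attribute {code}: length {length} exceeds data")
        attrs[code], pos = data[pos:pos + length], pos + length
    for code in (ORIGIN, AS_PATH, NEXT_HOP):  # mandatory well-known attributes
        if code not in attrs:
            raise MalformedAttribute(f"missing mandatory attribute {code}")
    return attrs


def handle_update_legacy(path_attrs: bytes, nlri: list) -> tuple:
    """Pre-RFC 7606: any attribute error resets the session, losing all routes."""
    try:
        parse_path_attributes(path_attrs)
        return "accept", list(nlri)
    except MalformedAttribute:
        return "session-reset", []


def handle_update_rfc7606(path_attrs: bytes, nlri: list) -> tuple:
    """RFC 7606 treat-as-withdraw: session stays up, only this UPDATE's NLRI go."""
    try:
        parse_path_attributes(path_attrs)
        return "accept", list(nlri)
    except MalformedAttribute:
        return "treat-as-withdraw", list(nlri)


# Constructed sample (not a real capture): ORIGIN=IGP, empty AS_PATH, NEXT_HOP
# 192.0.2.1, then an optional attribute claiming 32 bytes that are not present.
GOOD_ATTRS = bytes([0x40, ORIGIN, 1, 0, 0x40, AS_PATH, 0, 0x40, NEXT_HOP, 4, 192, 0, 2, 1])
BAD_ATTRS = GOOD_ATTRS + bytes([0xC0, 7, 32])
SAMPLE_NLRI = ["198.51.100.0/24"]
```

With BAD_ATTRS the legacy handler returns "session-reset" and an empty route list, while the RFC 7606 handler returns "treat-as-withdraw" with only the sample prefix, which is the behaviour the Juniper and Nokia knobs in the Solution section switch on.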
Solution
The CERT/CC is currently unaware of a practical solution for every vendor, but some vendors allow you to change the response to errors in BGP path updates. Networks using appliances from Juniper and Nokia can mitigate this behavior by enabling:
(Juniper)
set protocols bgp bgp-error-tolerance
(Nokia)
[router bgp group]
error-handling update-fault-tolerance
Acknowledgements
Thanks to the reporter Ben Cartwright-Cox. This document was written by Timur Snoke.
Vendor Information
D-Link Systems Inc. Affected
Statement Date: July 31, 2023
VU#347067.1 | Affected |
Vendor Statement
23-0731 D-Link US SIRT :: security@dlink.com
For owners of D-Link SKUs the affected model list with fixes under development:
- DGS-3630 Series
- DXS-3610 Series
- DWM-3010 Hardware Revision A1 & A2
- DWM-321 Hardware Revision A2
NOT affected models that associate with affected solutions:
- DXS-3400 (all hardware revisions) not affected
Models affected, however with a work-around to avoid the issue:
- DXS-5000 Hardware Revision A1
- DQS-5000 Hardware Revision A1
Workaround (temporary solution):
a) Provide filter or restricted settings for attributes in BGP UPDATE
b) filter-list: filter-list as-path-list-number {in | out} / no filter-list as-path-list-number {in | out}
c) neighbor filter-list: neighbor {ipv4-address | ipv6-address} filter-list as-path-list-number {in | out} / no neighbor {ipv4-address | ipv6-address} filter-list as-path-list-number {in | out}
d) bgp maxas-limit: bgp maxas-limit number / no bgp maxas-limit
e) timers policy-apply delay: timers policy-apply delay delay / no timers policy-apply delay
F5 Networks Affected
Statement Date: November 16, 2023
VU#347067.1 | Affected |
Vendor Statement
F5 BIG-IP products are affected through the vulnerable component ZebOS bgpd from IP Infusion. F5 published K000137315: ZebOS BGP vulnerability CVE-2023-45886, https://my.f5.com/manage/s/article/K000137315. CVE-2023-45886 was requested by F5 from MITRE as IP Infusion is not a CNA.
Juniper Networks Affected
Statement Date: August 29, 2023
VU#347067.1 | Affected |
Vendor Statement
Please visit:
https://kb.juniper.net/JSA72510
Customers are advised to immediately implement BGP error tolerance by way of: [ protocols bgp bgp-error-tolerance ... ]
Additional details can be found at https://www.juniper.net/documentation/us/en/software/junos/bgp/topics/topic-map/bgp-error-messages.html
Juniper considers configuring this option to be a Best Common Practice (BCP) as it not only prevents this issue from happening, but protects against similar issues as well.
Palo Alto Networks Affected
Statement Date: September 14, 2023
VU#347067.1 | Affected |
Vendor Statement
https://security.paloaltonetworks.com/CVE-2023-38802
Red Hat Affected
Statement Date: July 12, 2023
VU#347067.1 | Affected |
Vendor Statement
Red Hat Enterprise Linux is affected because the affected package (frr) is shipped on RHEL.
Systems not running frr as a BGP router are not vulnerable to this CVE.
Ubuntu Affected
Statement Date: July 19, 2023
VU#347067.1 | Affected |
Vendor Statement
We have not received a statement from the vendor.
Akamai Technologies Inc. Not Affected
Statement Date: August 28, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Arista Networks Not Affected
Statement Date: July 12, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Aruba Networks Not Affected
Statement Date: August 02, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
AVM GmbH Not Affected
Statement Date: July 12, 2023
VU#347067.1 | Not Affected |
Vendor Statement
No BGP support in AVM's home routers.
Belden Not Affected
Statement Date: August 01, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Brocade Communication Systems Not Affected
Statement Date: July 12, 2023
VU#347067.1 | Not Affected |
Vendor Statement
No Brocade Fibre Channel products from Broadcom are affected.
Cisco Not Affected
Statement Date: August 30, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Dell Not Affected
Statement Date: August 28, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Deutsche Telekom Not Affected
Statement Date: August 07, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Extreme Networks Not Affected
Statement Date: August 28, 2023
VU#347067.1 | Not Affected |
Vendor Statement
Extreme follows RFC 4271 and does not implement RFC 7606. Since we perform as per our claimed RFC compliance, there is no vulnerability as the customer does not expect RFC 7606 behavior. We do not view this as a vulnerability, but rather, an issue of RFC compliance. There is no incorrect length handling issue.
Fastly Not Affected
Statement Date: July 18, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
FreeBSD Not Affected
Statement Date: July 18, 2023
VU#347067.1 | Not Affected |
Vendor Statement
The FreeBSD Project does not include a BGP implementation with the base system. However, users can install third-party BGP implementations from binary packages or the ports tree. These may be affected.
HardenedBSD Not Affected
Statement Date: July 12, 2023
VU#347067.1 | Not Affected |
Vendor Statement
HardenedBSD does not ship with a BGP daemon in base. However, the ports tree does contain affected projects. Given the lack of BGP support in base, the HardenedBSD project is marked as unaffected.
Illumos Not Affected
Statement Date: July 12, 2023
VU#347067.1 | Not Affected |
Vendor Statement
illumos has no BGP, and expects its users to pull from their distro or other sources. illumos will advise distros to update their BGP IF they have one.
Intel Not Affected
Statement Date: July 17, 2023
VU#347067.1 | Not Affected |
Vendor Statement
Intel is not impacted by this issue in either our products or company infrastructure.
lwIP Not Affected
Statement Date: July 13, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
MikroTik Not Affected
Statement Date: September 01, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Mitel Networks Not Affected
Statement Date: July 12, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Muonics Inc. Not Affected
Statement Date: July 17, 2023
VU#347067.1 | Not Affected |
Vendor Statement
Muonics has no products implementing BGP at this time.
NetBSD Not Affected
Statement Date: July 18, 2023
VU#347067.1 | Not Affected |
Vendor Statement
NetBSD doesn't come with any BGP software.
Some third-party BGP software may be available in pkgsrc, like quagga, and that software may be affected.
NetComm Wireless Limited Not Affected
Statement Date: August 22, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Nozomi Networks Not Affected
Statement Date: July 13, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
TP-LINK Not Affected
Statement Date: July 14, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Treck Not Affected
Statement Date: July 13, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Untangle Not Affected
Statement Date: July 12, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
A10 Networks Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Actiontec Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
ADTRAN Unknown
Statement Date: July 21, 2023
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Alcatel-Lucent Enterprise Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Allied Telesis Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Amazon Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
American Megatrends Incorporated (AMI) Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Arcadyan Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
ARRIS Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
AT&T Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Avaya Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Barracuda Networks Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
BlackBerry Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Blackberry QNX Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Broadcom Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Buffalo Technology Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Cambium Networks Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
CA Technologies Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Check Point Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Comcast Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Commscope Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Contiki OS Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Cradlepoint Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
dd-wrt Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Ericsson Unknown
Statement Date: August 29, 2023
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Fortinet Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
F-Secure Corporation Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Google Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Green Hills Software Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
HCC Embedded Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Hewlett Packard Enterprise Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
HP Inc. Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
HTC Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Huawei Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
IBM Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
IBM Corporation (zseries) Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Infoblox Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Internet Initiative Japan Inc. Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Internet Systems Consortium Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
IP Infusion Inc. Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Joyent Unknown
Statement Date: July 12, 2023
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
LANCOM Systems GmbH Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Lenovo Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
LiteSpeed Technologies Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
McAfee Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
MediaTek Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Medtronic Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Microsoft Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Miredo Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Motorola Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
National Cyber Security Center Netherlands Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
National Cyber Security Centre Finland Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NEC Corporation Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NETGEAR Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NETSCOUT Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NLnet Labs Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Nokia Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
OpenWRT Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
pfSense Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Quagga Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Qualcomm Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Ruckus Wireless Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
SUSE Linux Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Synology Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Technicolor Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Tizen Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Turbolinux Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Ubiquiti Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
VMware Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Wind River Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Xiaomi Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
XigmaNAS Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Xilinx Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
ZTE Corporation Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Zyxel Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
References
- http://tools.ietf.org/html/rfc4271
- https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38802
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38283
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40457
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4481
- http://tools.ietf.org/html/rfc7606
- https://github.com/FRRouting/frr/pull/14290
- https://kb.juniper.net/JSA72510
- https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
Other Information
Date Public: 2023-09-12
Date First Published: 2023-09-12
Date Last Updated: 2023-11-16 14:03 UTC
Document Revision: 3