{"vuid":"VU#347067","idnumber":"347067","name":"Multiple BGP implementations are vulnerable to improperly formatted BGP updates","keywords":null,"overview":"### Overview\r\nMultiple BGP implementations have been identified as vulnerable to specially crafted Path Attributes of a BGP UPDATE. Instead of ignoring invalid updates they reset the underlying TCP connection for the BGP session and de-peer the router. \r\n\r\n> This is undesirable because a session reset impacts not only routes with the BGP UPDATE but also the other valid routes exchanged over the session. <a href=\"https://datatracker.ietf.org/doc/html/rfc7606#section-1\">RFC 7606 Introduction</a> \r\n\r\n### Description\r\nThe Border Gateway Protocol (BGP, <a href=\"http://tools.ietf.org/html/rfc4271\">RFC 4271</a>) is a widely used inter-Autonomous System routing protocol. BGP communication among peer routers is critical to the stable operation of the Internet. A number of known BGP security issues were addressed in <a href=\"http://tools.ietf.org/html/rfc7606\">RFC 7606</a> *Revised Error Handling for BGP UPDATE Messages* in 2015. \r\n\r\nRecent reports indicate that multiple BGP implementations do not properly handle specially crafted Path Attributes in the BGP UPDATE messages. An attacker with a valid, configured BGP session could inject a specially crafted packet into an existing BGP session or the underlying TCP session (179/tcp). A vulnerable BGP implementation could drop sessions when processing crafted UPDATE messages. A persistent attack could lead to routing instability (route flapping).\r\n\r\nThis vulnerability was first announced as affecting [OpenBSD](https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig) based routers. Further investigation indicates that other vendors are affected by the same or similar issues. 
Please see the <a href=\"#systems\">Systems Affected</a> section below.\r\nHere are the CVE IDs that were reserved by the reporter for the different vendors that were tested:\r\n\r\n* [CVE-2023-4481](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4481) (Juniper)\r\n* [CVE-2023-38802](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38802) (FRR)\r\n* [CVE-2023-38283](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38283) (OpenBGPd)\r\n* [CVE-2023-40457](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40457) (EXOS)\r\n\r\n### Impact\r\nA remote attacker could publish a BGP UPDATE with a crafted set of Path Attributes, causing vulnerable routers to de-peer from any link from which such an update was received. Unaffected routers might also pass the crafted updates across the network, potentially leading to the update arriving at an affected router from multiple sources and causing multiple links to fail.\r\n\r\n### Solution\r\nThe CERT/CC is currently unaware of a practical solution for every vendor, but some vendors allow you to change the response to errors in BGP path updates. Networks using appliances from Juniper and Nokia can mitigate this behavior by enabling:\r\n\r\n**(Juniper)**<br>\r\nset protocols bgp bgp-error-tolerance\r\n\r\n**(Nokia)**<br>\r\n[router bgp group]<br>\r\nerror-handling update-fault-tolerance\r\n\r\n### Acknowledgements\r\nThanks to the reporter Ben Cartwright-Cox. 
This document was written by Timur Snoke.","clean_desc":null,"impact":null,"resolution":null,"workarounds":null,"sysaffected":null,"thanks":null,"author":null,"public":["http://tools.ietf.org/html/rfc4271","https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38802","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38283","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40457","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4481","http://tools.ietf.org/html/rfc7606","https://github.com/FRRouting/frr/pull/14290","https://kb.juniper.net/JSA72510","https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling"],"cveids":[],"certadvisory":null,"uscerttechnicalalert":null,"datecreated":"2023-09-12T16:36:11.347737Z","publicdate":"2023-09-12T16:36:10.200256Z","datefirstpublished":"2023-09-12T16:36:11.380361Z","dateupdated":"2024-12-20T13:55:28.520883Z","revision":4,"vrda_d1_directreport":null,"vrda_d1_population":null,"vrda_d1_impact":null,"cam_widelyknown":null,"cam_exploitation":null,"cam_internetinfrastructure":null,"cam_population":null,"cam_impact":null,"cam_easeofexploitation":null,"cam_attackeraccessrequired":null,"cam_scorecurrent":null,"cam_scorecurrentwidelyknown":null,"cam_scorecurrentwidelyknownexploited":null,"ipprotocol":null,"cvss_accessvector":null,"cvss_accesscomplexity":null,"cvss_authentication":null,"cvss_confidentialityimpact":null,"cvss_integrityimpact":null,"cvss_availabilityimpact":null,"cvss_exploitablity":null,"cvss_remediationlevel":null,"cvss_reportconfidence":null,"cvss_collateraldamagepotential":null,"cvss_targetdistribution":null,"cvss_securityrequirementscr":null,"cvss_securityrequirementsir":null,"cvss_securityrequirementsar":null,"cvss_basescore":null,"cvss_basevector":null,"cvss_temporalscore":null,"cvss_environmentalscore":null,"cvss_environmentalvector":null,"metric":null,"vulnote":90}