{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/347067#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nMultiple BGP implementations have been identified as vulnerable to specially crafted Path Attributes of a BGP UPDATE. Instead of ignoring invalid updates they reset the underlying TCP connection for the BGP session and de-peer the router. \r\n\r\n> This is undesirable because a session reset impacts not only routes with the BGP UPDATE but also the other valid routes exchanged over the session. <a href=\"https://datatracker.ietf.org/doc/html/rfc7606#section-1\">RFC 7606 Introduction</a> \r\n\r\n### Description\r\nThe Border Gateway Protocol (BGP, <a href=\"http://tools.ietf.org/html/rfc4271\">RFC 4271</a>) is a widely used inter-Autonomous System routing protocol. BGP communication among peer routers is critical to the stable operation of the Internet. A number of known BGP security issues were addressed in <a href=\"http://tools.ietf.org/html/rfc7606\">RFC 7606</a> *Revised Error Handling for BGP UPDATE Messages* in 2015. \r\n\r\nRecent reports indicate that multiple BGP implementations do not properly handle specially crafted Path Attributes in the BGP UPDATE messages. An attacker with a valid, configured BGP session could inject a specially crafted packet into an existing BGP session or the underlying TCP session (179/tcp). A vulnerable BGP implementation could drop sessions when processing crafted UPDATE messages. A persistent attack could lead to routing instability (route flapping).\r\n\r\nThis vulnerability was first announced as affecting [OpenBSD](https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig) based routers. Further investigation indicates that other vendors are affected by the same or similar issues. 
Please see the <a href=\"#systems\">Systems Affected</a> section below.\r\nThe reporter reserved the following CVE IDs for the vendors that were tested:\r\n\r\n* [CVE-2023-4481](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4481) (Juniper)\r\n* [CVE-2023-38802](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38802) (FRR)\r\n* [CVE-2023-38283](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38283) (OpenBGPd)\r\n* [CVE-2023-40457](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40457) (EXOS)\r\n\r\n### Impact\r\nA remote attacker could publish a BGP UPDATE with a crafted set of Path Attributes, causing vulnerable routers to de-peer from any link from which such an update was received. Unaffected routers might also pass the crafted updates across the network, potentially leading to the update arriving at an affected router from multiple sources, causing multiple links to fail.\r\n\r\n### Solution\r\nThe CERT/CC is currently unaware of a practical solution for every vendor, but some vendors allow you to change the response to errors in BGP path updates. Networks using appliances from Juniper and Nokia can mitigate this behavior by enabling:\r\n\r\n**(Juniper)**<br>\r\nset protocols bgp bgp-error-tolerance\r\n\r\n**(Nokia)**<br>\r\n[router bgp group]<br>\r\nerror-handling update-fault-tolerance\r\n\r\n### Acknowledgements\r\nThanks to the reporter Ben Cartwright-Cox. This document was written by Timur Snoke.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. 
It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"Red Hat Enterprise Linux is affected because the affected package (frr) is shipped on RHEL.\r\n\r\nSystems not running frr as a BGP router are **not** vulnerable to this CVE.","title":"Vendor statement from Red Hat"},{"category":"other","text":"23-0731 D-Link US SIRT :: security@dlink.com\r\n\r\nFor owners of D-Link SKUs the affected model list with fixes under development:\r\n\r\n1. DGS-3630 Series\r\n2. DXS-3610 Series\r\n3. DWM-3010 Hardware Revision A1 & A2\r\n4. DWM-321  Hardware Revision A2\r\n\r\nNOT affected models that associate with affected solutions:\r\n5. DXS-3400  All Hardware revision not affected\r\n\r\nModels affected, but with a workaround to avoid the issue\r\n6. DXS-5000 Hardware Revision A1\r\n7. DQS-5000 Hardware Revision A1\r\n  Temporary workaround solution: \r\n\r\n\ta) Provide filter or restricted settings for attributes in BGP UPDATE\r\n\tb) filter-list : filter-list as-path-list-number {in | out} / no filter-list as-path-list-number {in | out}\r\n\tc) neighbor filter-list: neighbor {ipv4-address | ipv6-address} filter-list as-path-list-number {in | out} / no neighbor {ipv4-address | ipv6-address} filter-list as-path-list-number {in | out}\r\n\td) bgp maxas-limit:  bgp maxas-limit number / no bgp maxas-limit\r\n\te) timers policy-apply delay, timers policy-apply delay delay / no timers policy-apply delay","title":"Vendor statement from D-Link Systems Inc."},{"category":"other","text":"Please visit:\r\n\r\nhttps://kb.juniper.net/JSA72510\r\n \r\nCustomers are advised to immediately implement BGP error tolerance by way of:\r\n[ protocols bgp bgp-error-tolerance ... 
]\r\n\r\nAdditional details can be found at https://www.juniper.net/documentation/us/en/software/junos/bgp/topics/topic-map/bgp-error-messages.html\r\n\r\nJuniper considers configuring this option to be a Best Common Practice (BCP) as it not only prevents this issue from happening, but protects against similar issues as well.","title":"Vendor statement from Juniper Networks"},{"category":"other","text":"https://security.paloaltonetworks.com/CVE-2023-38802","title":"Vendor statement from Palo Alto Networks"},{"category":"other","text":"F5 BIG-IP products are affected through vulnerable component ZebOS bgpd from IP Infusion. F5 published K000137315: ZebOS BGP vulnerability CVE-2023-45886, https://my.f5.com/manage/s/article/K000137315.  CVE-2023-45886 was requested by F5 from MITRE as IP Infusion is not a CNA.","title":"Vendor statement from F5 Networks"},{"category":"other","text":"No BGP support in AVM's home routers.","title":"Vendor statement from AVM GmbH"},{"category":"other","text":"No Brocade Fibre Channel Products from Broadcom are affected.","title":"Vendor statement from Brocade Communication Systems"},{"category":"other","text":"HardenedBSD does not ship with a BGP daemon in base. However, the ports tree does contain affected projects. Given the lack of BGP support in base, the HardenedBSD project is marked as unaffected.","title":"Vendor statement from HardenedBSD"},{"category":"other","text":"illumos has no BGP, and expects its users to pull from their distro or other sources.  illumos will advise distros to update their BGP IF they have one.","title":"Vendor statement from Illumos"},{"category":"other","text":"The FreeBSD Project does not include a BGP implementation with the base system.  However, users can install third-party BGP implementations from binary packages or the ports tree.  
These may be affected.","title":"Vendor statement from FreeBSD"},{"category":"other","text":"Muonics has no products implementing BGP at this time.","title":"Vendor statement from Muonics Inc."},{"category":"other","text":"Intel is not impacted by this issue in either our products or company infrastructure.","title":"Vendor statement from Intel"},{"category":"other","text":"NetBSD doesn't come with any BGP software.\r\n\r\nSome third-party BGP software may be available in pkgsrc, like quagga, and that software may be affected.","title":"Vendor statement from NetBSD"},{"category":"other","text":"Extreme follows RFC 4271 and does not implement RFC 7606.  Since we perform as per our claimed RFC compliance, there is no vulnerability as the customer does not expect RFC 7606 behavior.  We do not view this as a vulnerability, but rather, an issue of RFC compliance.  There is no incorrect length handling issue.","title":"Vendor statement from Extreme Networks"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document 
released","category":"self","url":"https://kb.cert.org/vuls/id/347067"},{"url":"http://tools.ietf.org/html/rfc4271","summary":"http://tools.ietf.org/html/rfc4271"},{"url":"https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig","summary":"https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38802","summary":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38802"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38283","summary":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38283"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40457","summary":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40457"},{"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4481","summary":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4481"},{"url":"http://tools.ietf.org/html/rfc7606","summary":"http://tools.ietf.org/html/rfc7606"},{"url":"https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling","summary":"https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling"}],"title":"Multiple BGP implementations are vulnerable to improperly formatted BGP updates","tracking":{"current_release_date":"2024-12-20T13:55:28+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#347067","initial_release_date":"2023-09-12 16:36:10.200256+00:00","revision_history":[{"date":"2024-12-20T13:55:28+00:00","number":"1.20241220135528.4","summary":"Released on 2024-12-20T13:55:28+00:00"}],"status":"final","version":"1.20241220135528.4"}},"vulnerabilities":[{"title":"Incorrect length handling of path attributes in BGP packets can lead to a session reset.","notes":[{"category":"summary","text":"Incorrect length handling of path attributes in BGP packets can lead to a session reset."}],"ids":[{"system_name":"CERT/CC V Identifier 
","text":"VU#347067"}],"product_status":{"known_affected":["CSAFPID-737535b6-37f6-11f1-8422-122e2785dc9f","CSAFPID-737580ac-37f6-11f1-8422-122e2785dc9f","CSAFPID-73773abe-37f6-11f1-8422-122e2785dc9f","CSAFPID-7377ca1a-37f6-11f1-8422-122e2785dc9f","CSAFPID-737a4a38-37f6-11f1-8422-122e2785dc9f","CSAFPID-737c10c0-37f6-11f1-8422-122e2785dc9f"],"known_not_affected":["CSAFPID-7374d4ae-37f6-11f1-8422-122e2785dc9f","CSAFPID-737606b2-37f6-11f1-8422-122e2785dc9f","CSAFPID-737645fa-37f6-11f1-8422-122e2785dc9f","CSAFPID-737679a8-37f6-11f1-8422-122e2785dc9f","CSAFPID-7376c368-37f6-11f1-8422-122e2785dc9f","CSAFPID-7376fc16-37f6-11f1-8422-122e2785dc9f","CSAFPID-73776c6e-37f6-11f1-8422-122e2785dc9f","CSAFPID-73779428-37f6-11f1-8422-122e2785dc9f","CSAFPID-7377fbd4-37f6-11f1-8422-122e2785dc9f","CSAFPID-73782352-37f6-11f1-8422-122e2785dc9f","CSAFPID-73785912-37f6-11f1-8422-122e2785dc9f","CSAFPID-73788ce8-37f6-11f1-8422-122e2785dc9f","CSAFPID-7378b4de-37f6-11f1-8422-122e2785dc9f","CSAFPID-737912a8-37f6-11f1-8422-122e2785dc9f","CSAFPID-73795a92-37f6-11f1-8422-122e2785dc9f","CSAFPID-7379a650-37f6-11f1-8422-122e2785dc9f","CSAFPID-7379ef0c-37f6-11f1-8422-122e2785dc9f","CSAFPID-737ae452-37f6-11f1-8422-122e2785dc9f","CSAFPID-737b2b9c-37f6-11f1-8422-122e2785dc9f","CSAFPID-737b5586-37f6-11f1-8422-122e2785dc9f","CSAFPID-737b93b6-37f6-11f1-8422-122e2785dc9f","CSAFPID-737bd7c2-37f6-11f1-8422-122e2785dc9f","CSAFPID-737c8a64-37f6-11f1-8422-122e2785dc9f","CSAFPID-737cc9f2-37f6-11f1-8422-122e2785dc9f","CSAFPID-737d0962-37f6-11f1-8422-122e2785dc9f","CSAFPID-737d66fa-37f6-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Wind River","product":{"name":"Wind River Products","product_id":"CSAFPID-7374d4ae-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"F5 Networks","product":{"name":"F5 Networks Products","product_id":"CSAFPID-737535b6-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Palo Alto Networks","product":{"name":"Palo Alto Networks 
Products","product_id":"CSAFPID-737580ac-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Joyent","product":{"name":"Joyent Products","product_id":"CSAFPID-7375c468-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"AVM GmbH","product":{"name":"AVM GmbH Products","product_id":"CSAFPID-737606b2-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Mitel Networks","product":{"name":"Mitel Networks Products","product_id":"CSAFPID-737645fa-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Brocade Communication Systems","product":{"name":"Brocade Communication Systems Products","product_id":"CSAFPID-737679a8-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"HardenedBSD","product":{"name":"HardenedBSD Products","product_id":"CSAFPID-7376c368-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Illumos","product":{"name":"Illumos Products","product_id":"CSAFPID-7376fc16-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Red Hat","product":{"name":"Red Hat Products","product_id":"CSAFPID-73773abe-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Arista Networks","product":{"name":"Arista Networks Products","product_id":"CSAFPID-73776c6e-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Untangle","product":{"name":"Untangle Products","product_id":"CSAFPID-73779428-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"D-Link Systems Inc.","product":{"name":"D-Link Systems Inc. 
Products","product_id":"CSAFPID-7377ca1a-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"TP-LINK","product":{"name":"TP-LINK Products","product_id":"CSAFPID-7377fbd4-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"lwIP","product":{"name":"lwIP Products","product_id":"CSAFPID-73782352-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Treck","product":{"name":"Treck Products","product_id":"CSAFPID-73785912-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Nozomi Networks","product":{"name":"Nozomi Networks Products","product_id":"CSAFPID-73788ce8-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"FreeBSD","product":{"name":"FreeBSD Products","product_id":"CSAFPID-7378b4de-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Muonics Inc.","product":{"name":"Muonics Inc. Products","product_id":"CSAFPID-737912a8-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Intel","product":{"name":"Intel Products","product_id":"CSAFPID-73795a92-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Fastly","product":{"name":"Fastly Products","product_id":"CSAFPID-7379a650-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NetBSD","product":{"name":"NetBSD Products","product_id":"CSAFPID-7379ef0c-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Ubuntu","product":{"name":"Ubuntu Products","product_id":"CSAFPID-737a4a38-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"ADTRAN","product":{"name":"ADTRAN Products","product_id":"CSAFPID-737a8822-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Belden","product":{"name":"Belden Products","product_id":"CSAFPID-737ae452-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Aruba Networks","product":{"name":"Aruba Networks Products","product_id":"CSAFPID-737b2b9c-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Deutsche Telekom","product":{"name":"Deutsche Telekom 
Products","product_id":"CSAFPID-737b5586-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"NetComm Wireless Limited","product":{"name":"NetComm Wireless Limited Products","product_id":"CSAFPID-737b93b6-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Dell","product":{"name":"Dell Products","product_id":"CSAFPID-737bd7c2-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Juniper Networks","product":{"name":"Juniper Networks Products","product_id":"CSAFPID-737c10c0-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Ericsson","product":{"name":"Ericsson Products","product_id":"CSAFPID-737c5260-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Extreme Networks","product":{"name":"Extreme Networks Products","product_id":"CSAFPID-737c8a64-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Akamai Technologies Inc.","product":{"name":"Akamai Technologies Inc. Products","product_id":"CSAFPID-737cc9f2-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"Cisco","product":{"name":"Cisco Products","product_id":"CSAFPID-737d0962-37f6-11f1-8422-122e2785dc9f"}},{"category":"vendor","name":"MikroTik","product":{"name":"MikroTik Products","product_id":"CSAFPID-737d66fa-37f6-11f1-8422-122e2785dc9f"}}]}}