search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Multiple BGP implementations are vulnerable to improperly formatted BGP updates

Vulnerability Note VU#347067

Original Release Date: 2023-09-12 | Last Revised: 2024-12-20

Overview

Multiple BGP implementations have been identified as vulnerable to specially crafted Path Attributes of a BGP UPDATE. Instead of ignoring invalid updates they reset the underlying TCP connection for the BGP session and de-peer the router.

This is undesirable because a session reset impacts not only routes with the BGP UPDATE but also the other valid routes exchanged over the session. RFC 7606 Introduction

Description

The Border Gateway Protocol (BGP, RFC 4271) is a widely used inter-Autonomous System routing protocol. BGP communication among peer routers is critical to the stable operation of the Internet. A number of known BGP security issues were addressed in RFC 7606 Revised Error Handling for BGP UPDATE Messages in 2015.

Recent reports indicate that multiple BGP implementations do not properly handle specially crafted Path Attributes in the BGP UPDATE messages. An attacker with a valid, configured BGP session could inject a specially crafted packet into an existing BGP session or the underlying TCP session (179/tcp). A vulnerable BGP implementation could drop sessions when processing crafted UPDATE messages. A persistent attack could lead to routing instability (route flapping).

This vulnerability was first announced as affecting OpenBSD based routers. Further investigation indicates that other vendors are affected by the same or similar issues. Please see the Systems Affected section below. Here are the CVE IDs that were reserved by the reporter for different vendors that were tested:

Impact

A remote attacker could publish a BGP UPDATE with a crafted set of Path Attributes, causing vulnerable routers to de-peer from any link from which such an update were received. Unaffected routers might also pass the crafted updates across the network, potentially leading to the update arriving at an affected router from multiple sources, causing multiple links to fail.

Solution

The CERT/CC is currently unaware of a practical solutions for every vendor but some of the vendors allow you to change the response to errors in BGP path updates. Networks using appliances from Juniper and Nokia can mitigate this behavior by enabling:

(Juniper)
set protocols bgp bgp-error-tolerance

(Nokia)
[router bgp group]
error-handling update-fault-tolerance

Acknowledgements

Thanks to the reporter Ben Cartwright-Cox. This document was written by Timur Snoke.

Vendor Information

347067
 

D-Link Systems Inc. Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 31, 2023

VU#347067.1 Affected

Vendor Statement

23-0731 D-Link US SIRT :: security@dlink.com

For owners of D-Link SKUs the affected model list with fixes under development:

  1. DGS-3630 Series
  2. DXS-3610 Series
  3. DWM-3010 Hardware Revision A1 & A2
  4. DWM-321 Hardware Revision A2

NOT affected models that associate with affected solutions: 5. DXS-3400 All Hardware revision not affected

Model affected, however have work-around to avoid issue 6. DXS-5000 Hardware Revision A1 7. DQS-5000 Hardware Revision A1 Workaround temporally solution :

a) Provide filter or restricted settings for attributes in BGP UPDATE
b) filter-list : filter-list as-path-list-number {in | out} / no filter-list as-path-list-number {in | out}
c) neighbor filter-list: neighbor {ipv4-address | ipv6-address} filter-list as-path-list-number {in | out} / no neighbor {ipv4-address |                     ipv6-address} filter-list as-path-list-number {in | out}
d) bgp maxas-limit:  bgp maxas-limit number / no bgp maxas-limit
e) timers policy-apply delay, timers policy-apply delay delay / no timers policy-apply delay

F5 Networks Affected

Notified:  2023-07-12 Updated: 2023-11-16

Statement Date:   November 16, 2023

VU#347067.1 Affected

Vendor Statement

F5 BIG-IP products are affected thru vulnerable component ZebOS bgpd from IP Infusion. F5 published K000137315: ZebOS BGP vulnerability CVE-2023-45886, https://my.f5.com/manage/s/article/K000137315. CVE-2023-45886 was requested by F5 from MITRE as IP Infusion is not a CNA.

Juniper Networks Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   August 29, 2023

VU#347067.1 Affected

Vendor Statement

Please visit:

https://kb.juniper.net/JSA72510

Customers are advised to immediately implement BGP error tolerance by way of: [ protocols bgp bgp-error-tolerance ... ]

Additional details can be found at https://www.juniper.net/documentation/us/en/software/junos/bgp/topics/topic-map/bgp-error-messages.html

Juniper considers configuring this option to be a Best Common Practice (BCP) as it not only prevents this issue from happening, but protects against similar issues as well.

Palo Alto Networks Affected

Notified:  2023-07-12 Updated: 2023-09-15

Statement Date:   September 14, 2023

VU#347067.1 Affected

Vendor Statement

https://security.paloaltonetworks.com/CVE-2023-38802

Red Hat Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 12, 2023

VU#347067.1 Affected

Vendor Statement

Red Hat Enterprise Linux is affected because the affected package (frr) is shipped on RHEL.

Systems not running frr as a BGP router are not vulnerable to this CVE.

Ubuntu Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 19, 2023

VU#347067.1 Affected

Vendor Statement

We have not received a statement from the vendor.

Akamai Technologies Inc. Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   August 28, 2023

VU#347067.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Arista Networks Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 12, 2023

VU#347067.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Aruba Networks Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   August 02, 2023

VU#347067.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

AVM GmbH Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 12, 2023

VU#347067.1 Not Affected

Vendor Statement

No BGP support in AVM's home routers.

Belden Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   August 01, 2023

VU#347067.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Brocade Communication Systems Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 12, 2023

VU#347067.1 Not Affected

Vendor Statement

No Brocade Fibre Channel Products from Broadcom is affected.

Cisco Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   August 30, 2023

VU#347067.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Dell Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   August 28, 2023

VU#347067.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Deutsche Telekom Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   August 07, 2023

VU#347067.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Extreme Networks Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   August 28, 2023

VU#347067.1 Not Affected

Vendor Statement

Extreme follows RFC 4271 and does not implement RFC 7606. Since we perform as per our claimed RFC compliance, there is no vulnerability as the customer does not expect RFC 7606 behavior. We do not view this as a vulnerability, but rather, an issue of RFC compliance. There is no incorrect length handling issue.

Fastly Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 18, 2023

VU#347067.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

FreeBSD Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 18, 2023

VU#347067.1 Not Affected

Vendor Statement

The FreeBSD Project does not include a BGP implementation with the base system. However, users can install third-party BGP implementations from binary packages or the ports tree. These may be affected.

HardenedBSD Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 12, 2023

VU#347067.1 Not Affected

Vendor Statement

HardenedBSD does not ship with a BGP daemon in base. However, the ports tree does contain affected projects. Given the lack of BGP support in base, the HardenedBSD project is marked as unaffected.

Illumos Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 12, 2023

VU#347067.1 Not Affected

Vendor Statement

illumos has no BGP, and expects its users to pull from their distro or other sources. illumos will advise distros to update their BGP IF they have one.

Intel Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 17, 2023

VU#347067.1 Not Affected

Vendor Statement

Intel is not impacted by this issue in either our products or company infrastructure.

lwIP Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 13, 2023

VU#347067.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

MikroTik Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   September 01, 2023

VU#347067.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Mitel Networks Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 12, 2023

VU#347067.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Muonics Inc. Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 17, 2023

VU#347067.1 Not Affected

Vendor Statement

Muonics has no products implementing BGP at this time.

NetBSD Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 18, 2023

VU#347067.1 Not Affected

Vendor Statement

NetBSD doesn't come with any BGP software.

Some third-party BGP software may be available in pkgsrc, like quagga, and that software may be affected.

NetComm Wireless Limited Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   August 22, 2023

VU#347067.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Nozomi Networks Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 13, 2023

VU#347067.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

TP-LINK Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 14, 2023

VU#347067.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Treck Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 13, 2023

VU#347067.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Untangle Not Affected

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 12, 2023

VU#347067.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

Wind River Not Affected

Notified:  2023-07-12 Updated: 2024-12-20

Statement Date:   December 18, 2024

VU#347067.1 Not Affected

Vendor Statement

We have not received a statement from the vendor.

A10 Networks Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Actiontec Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

ADTRAN Unknown

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 21, 2023

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Alcatel-Lucent Enterprise Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Allied Telesis Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Amazon Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

American Megatrends Incorporated (AMI) Unknown

Notified:  2023-08-31 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Arcadyan Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

ARRIS Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

AT&T Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Avaya Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Barracuda Networks Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

BlackBerry Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Blackberry QNX Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Broadcom Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Buffalo Technology Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Cambium Networks Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

CA Technologies Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Check Point Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Comcast Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Commscope Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Contiki OS Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Cradlepoint Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

dd-wrt Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ericsson Unknown

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   August 29, 2023

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Fortinet Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

F-Secure Corporation Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Google Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Green Hills Software Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

HCC Embedded Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Hewlett Packard Enterprise Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

HP Inc. Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

HTC Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Huawei Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

IBM Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

IBM Corporation (zseries) Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Infoblox Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Internet Initiative Japan Inc. Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Internet Systems Consortium Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

IP Infusion Inc. Unknown

Notified:  2023-08-04 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Joyent Unknown

Notified:  2023-07-12 Updated: 2023-09-12

Statement Date:   July 12, 2023

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

LANCOM Systems GmbH Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Lenovo Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

LiteSpeed Technologies Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

McAfee Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

MediaTek Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Medtronic Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Microsoft Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Miredo Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Motorola Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

National Cyber Security Center Netherlands Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

National Cyber Security Centre Finland Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

NEC Corporation Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

NETGEAR Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

NETSCOUT Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

NLnet Labs Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Nokia Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

OpenWRT Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

pfSense Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Quagga Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Qualcomm Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ruckus Wireless Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

SUSE Linux Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Synology Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Tizen Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Turbolinux Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Ubiquiti Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Vantiva Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

VMware Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Xiaomi Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

XigmaNAS Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Xilinx Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

ZTE Corporation Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

Zyxel Unknown

Notified:  2023-07-12 Updated: 2023-09-12

VU#347067.1 Unknown

Vendor Statement

We have not received a statement from the vendor.

View all 106 vendors View less vendors


Other Information

API URL: VINCE JSON | CSAF
Date Public: 2023-09-12
Date First Published: 2023-09-12
Date Last Updated: 2024-12-20 13:55 UTC
Document Revision: 4

Sponsored by CISA.