Overview
Multiple BGP implementations have been identified as vulnerable to specially crafted Path Attributes of a BGP UPDATE. Instead of ignoring invalid updates they reset the underlying TCP connection for the BGP session and de-peer the router.
This is undesirable because a session reset impacts not only routes with the BGP UPDATE but also the other valid routes exchanged over the session. RFC 7606 Introduction
Description
The Border Gateway Protocol (BGP, RFC 4271) is a widely used inter-Autonomous System routing protocol. BGP communication among peer routers is critical to the stable operation of the Internet. A number of known BGP security issues were addressed in RFC 7606 Revised Error Handling for BGP UPDATE Messages in 2015.
Recent reports indicate that multiple BGP implementations do not properly handle specially crafted Path Attributes in the BGP UPDATE messages. An attacker with a valid, configured BGP session could inject a specially crafted packet into an existing BGP session or the underlying TCP session (179/tcp). A vulnerable BGP implementation could drop sessions when processing crafted UPDATE messages. A persistent attack could lead to routing instability (route flapping).
This vulnerability was first announced as affecting OpenBSD based routers. Further investigation indicates that other vendors are affected by the same or similar issues. Please see the Systems Affected section below. Here are the CVE IDs that were reserved by the reporter for different vendors that were tested:
- CVE-2023-4481 (Juniper)
- CVE-2023-38802 (FRR)
- CVE-2023-38283 (OpenBGPd)
- CVE-2023-40457 (EXOS)
Impact
A remote attacker could publish a BGP UPDATE with a crafted set of Path Attributes, causing vulnerable routers to de-peer from any link from which such an update were received. Unaffected routers might also pass the crafted updates across the network, potentially leading to the update arriving at an affected router from multiple sources, causing multiple links to fail.
Solution
The CERT/CC is currently unaware of a practical solutions for every vendor but some of the vendors allow you to change the response to errors in BGP path updates. Networks using appliances from Juniper and Nokia can mitigate this behavior by enabling:
(Juniper)
set protocols bgp bgp-error-tolerance
(Nokia)
[router bgp group]
error-handling update-fault-tolerance
Acknowledgements
Thanks to the reporter Ben Cartwright-Cox. This document was written by Timur Snoke.
Vendor Information
D-Link Systems Inc. Affected
Statement Date: July 31, 2023
VU#347067.1 | Affected |
Vendor Statement
23-0731 D-Link US SIRT :: security@dlink.com
For owners of D-Link SKUs the affected model list with fixes under development:
- DGS-3630 Series
- DXS-3610 Series
- DWM-3010 Hardware Revision A1 & A2
- DWM-321 Hardware Revision A2
NOT affected models that associate with affected solutions: 5. DXS-3400 All Hardware revision not affected
Model affected, however have work-around to avoid issue 6. DXS-5000 Hardware Revision A1 7. DQS-5000 Hardware Revision A1 Workaround temporally solution :
a) Provide filter or restricted settings for attributes in BGP UPDATE
b) filter-list : filter-list as-path-list-number {in | out} / no filter-list as-path-list-number {in | out}
c) neighbor filter-list: neighbor {ipv4-address | ipv6-address} filter-list as-path-list-number {in | out} / no neighbor {ipv4-address | ipv6-address} filter-list as-path-list-number {in | out}
d) bgp maxas-limit: bgp maxas-limit number / no bgp maxas-limit
e) timers policy-apply delay, timers policy-apply delay delay / no timers policy-apply delay
F5 Networks Affected
Statement Date: November 16, 2023
VU#347067.1 | Affected |
Vendor Statement
F5 BIG-IP products are affected thru vulnerable component ZebOS bgpd from IP Infusion. F5 published K000137315: ZebOS BGP vulnerability CVE-2023-45886, https://my.f5.com/manage/s/article/K000137315. CVE-2023-45886 was requested by F5 from MITRE as IP Infusion is not a CNA.
Juniper Networks Affected
Statement Date: August 29, 2023
VU#347067.1 | Affected |
Vendor Statement
Please visit:
https://kb.juniper.net/JSA72510
Customers are advised to immediately implement BGP error tolerance by way of: [ protocols bgp bgp-error-tolerance ... ]
Additional details can be found at https://www.juniper.net/documentation/us/en/software/junos/bgp/topics/topic-map/bgp-error-messages.html
Juniper considers configuring this option to be a Best Common Practice (BCP) as it not only prevents this issue from happening, but protects against similar issues as well.
Palo Alto Networks Affected
Statement Date: September 14, 2023
VU#347067.1 | Affected |
Vendor Statement
https://security.paloaltonetworks.com/CVE-2023-38802
Red Hat Affected
Statement Date: July 12, 2023
VU#347067.1 | Affected |
Vendor Statement
Red Hat Enterprise Linux is affected because the affected package (frr) is shipped on RHEL.
Systems not running frr as a BGP router are not vulnerable to this CVE.
Ubuntu Affected
Statement Date: July 19, 2023
VU#347067.1 | Affected |
Vendor Statement
We have not received a statement from the vendor.
Akamai Technologies Inc. Not Affected
Statement Date: August 28, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Arista Networks Not Affected
Statement Date: July 12, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Aruba Networks Not Affected
Statement Date: August 02, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
AVM GmbH Not Affected
Statement Date: July 12, 2023
VU#347067.1 | Not Affected |
Vendor Statement
No BGP support in AVM's home routers.
Belden Not Affected
Statement Date: August 01, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Brocade Communication Systems Not Affected
Statement Date: July 12, 2023
VU#347067.1 | Not Affected |
Vendor Statement
No Brocade Fibre Channel Products from Broadcom is affected.
Cisco Not Affected
Statement Date: August 30, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Dell Not Affected
Statement Date: August 28, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Deutsche Telekom Not Affected
Statement Date: August 07, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Extreme Networks Not Affected
Statement Date: August 28, 2023
VU#347067.1 | Not Affected |
Vendor Statement
Extreme follows RFC 4271 and does not implement RFC 7606. Since we perform as per our claimed RFC compliance, there is no vulnerability as the customer does not expect RFC 7606 behavior. We do not view this as a vulnerability, but rather, an issue of RFC compliance. There is no incorrect length handling issue.
Fastly Not Affected
Statement Date: July 18, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
FreeBSD Not Affected
Statement Date: July 18, 2023
VU#347067.1 | Not Affected |
Vendor Statement
The FreeBSD Project does not include a BGP implementation with the base system. However, users can install third-party BGP implementations from binary packages or the ports tree. These may be affected.
HardenedBSD Not Affected
Statement Date: July 12, 2023
VU#347067.1 | Not Affected |
Vendor Statement
HardenedBSD does not ship with a BGP daemon in base. However, the ports tree does contain affected projects. Given the lack of BGP support in base, the HardenedBSD project is marked as unaffected.
Illumos Not Affected
Statement Date: July 12, 2023
VU#347067.1 | Not Affected |
Vendor Statement
illumos has no BGP, and expects its users to pull from their distro or other sources. illumos will advise distros to update their BGP IF they have one.
Intel Not Affected
Statement Date: July 17, 2023
VU#347067.1 | Not Affected |
Vendor Statement
Intel is not impacted by this issue in either our products or company infrastructure.
lwIP Not Affected
Statement Date: July 13, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
MikroTik Not Affected
Statement Date: September 01, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Mitel Networks Not Affected
Statement Date: July 12, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Muonics Inc. Not Affected
Statement Date: July 17, 2023
VU#347067.1 | Not Affected |
Vendor Statement
Muonics has no products implementing BGP at this time.
NetBSD Not Affected
Statement Date: July 18, 2023
VU#347067.1 | Not Affected |
Vendor Statement
NetBSD doesn't come with any BGP software.
Some third-party BGP software may be available in pkgsrc, like quagga, and that software may be affected.
NetComm Wireless Limited Not Affected
Statement Date: August 22, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Nozomi Networks Not Affected
Statement Date: July 13, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
TP-LINK Not Affected
Statement Date: July 14, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Treck Not Affected
Statement Date: July 13, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Untangle Not Affected
Statement Date: July 12, 2023
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
Wind River Not Affected
Statement Date: December 18, 2024
VU#347067.1 | Not Affected |
Vendor Statement
We have not received a statement from the vendor.
A10 Networks Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Actiontec Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
ADTRAN Unknown
Statement Date: July 21, 2023
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Alcatel-Lucent Enterprise Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Allied Telesis Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Amazon Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
American Megatrends Incorporated (AMI) Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Arcadyan Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
ARRIS Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
AT&T Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Avaya Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Barracuda Networks Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
BlackBerry Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Blackberry QNX Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Broadcom Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Buffalo Technology Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Cambium Networks Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
CA Technologies Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Check Point Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Comcast Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Commscope Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Contiki OS Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Cradlepoint Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
dd-wrt Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Ericsson Unknown
Statement Date: August 29, 2023
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Fortinet Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
F-Secure Corporation Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Google Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Green Hills Software Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
HCC Embedded Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Hewlett Packard Enterprise Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
HP Inc. Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
HTC Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Huawei Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
IBM Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
IBM Corporation (zseries) Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Infoblox Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Internet Initiative Japan Inc. Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Internet Systems Consortium Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
IP Infusion Inc. Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Joyent Unknown
Statement Date: July 12, 2023
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
LANCOM Systems GmbH Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Lenovo Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
LiteSpeed Technologies Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
McAfee Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
MediaTek Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Medtronic Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Microsoft Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Miredo Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Motorola Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
National Cyber Security Center Netherlands Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
National Cyber Security Centre Finland Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NEC Corporation Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NETGEAR Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NETSCOUT Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
NLnet Labs Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Nokia Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
OpenWRT Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
pfSense Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Quagga Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Qualcomm Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Ruckus Wireless Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
SUSE Linux Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Synology Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Tizen Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Turbolinux Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Ubiquiti Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Vantiva Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
VMware Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Xiaomi Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
XigmaNAS Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Xilinx Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
ZTE Corporation Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
Zyxel Unknown
VU#347067.1 | Unknown |
Vendor Statement
We have not received a statement from the vendor.
References
- http://tools.ietf.org/html/rfc4271
- https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38802
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38283
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40457
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4481
- http://tools.ietf.org/html/rfc7606
- https://github.com/FRRouting/frr/pull/14290
- https://kb.juniper.net/JSA72510
- https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
Other Information
API URL: | VINCE JSON | CSAF |
Date Public: | 2023-09-12 |
Date First Published: | 2023-09-12 |
Date Last Updated: | 2024-12-20 13:55 UTC |
Document Revision: | 4 |