
Vulnerability Note VU#784540

BGP implementations do not adequately handle malformed BGP OPEN and UPDATE messages

Overview

Multiple implementations of the Border Gateway Protocol (BGP) contain vulnerabilities related to the processing of UPDATE and OPEN messages. The impacts of these vulnerabilities appear to be limited to denial of service.

I. Description

BGP (RFC 1771) is designed to exchange network reachability information between peer nodes. Information advertised by a BGP system to its peers includes timers, metrics, and paths to different Autonomous System (AS) networks. Routing between AS networks depends on BGP, and the Internet is a network of AS networks. Therefore, vulnerabilities in BGP have the potential to affect the Internet infrastructure.

Multiple BGP implementations contain vulnerabilities handling exceptional OPEN and UPDATE messages. While the details of the individual vulnerabilities are different, the impacts appear to be limited to denial of service. In addition, most BGP implementations do not accept messages from arbitrary sources. Some BGP implementations only accept TCP connections (179/tcp) from properly configured peers, and some implementations require a valid AS number in the BGP message data. To deliver malicious messages to such systems, an attacker would need to spoof a TCP connection or have access to a trusted BGP peer. The attacker may also need to know a valid AS number.

For information about specific BGP implementations, please see the Systems Affected section below.
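The advisory does not describe the individual malformed messages, so the following is an added example (not code from this note or from any vendor) of the length and field checks RFC 1771 expects a receiver to make on OPEN and UPDATE messages before using any field as an offset. It assumes one complete message per buffer and no authentication option (all-ones marker); the function names and the `peer_as` parameter are illustrative.

```python
import struct

MARKER = b"\xff" * 16  # all-ones marker (assumes no authentication option)
MIN_LEN = {1: 29, 2: 23, 3: 21, 4: 19}  # OPEN, UPDATE, NOTIFICATION, KEEPALIVE

def build(mtype, body=b""):
    # Helper for constructed samples: prepend a consistent RFC 1771 header.
    return MARKER + struct.pack("!HB", 19 + len(body), mtype) + body

def validate(msg, peer_as=None):
    # Returns None, or the (code, subcode) a NOTIFICATION would carry.
    if len(msg) < 19:
        return (1, 2)                      # Bad Message Length
    length, mtype = struct.unpack("!HB", msg[16:19])
    if msg[:16] != MARKER:
        return (1, 1)                      # Connection Not Synchronized
    if not 19 <= length <= 4096 or length != len(msg):
        return (1, 2)
    if mtype not in MIN_LEN:
        return (1, 3)                      # Bad Message Type
    if length < MIN_LEN[mtype] or (mtype == 4 and length != 19):
        return (1, 2)
    if mtype == 1:
        return check_open(msg[19:], peer_as)
    return check_update(msg[19:]) if mtype == 2 else None

def check_open(body, peer_as):
    version, my_as, hold, _bgp_id, opt_len = struct.unpack("!BHHIB", body[:10])
    if version != 4:
        return (2, 1)                      # Unsupported Version Number
    if peer_as is not None and my_as != peer_as:
        return (2, 2)                      # Bad Peer AS
    if hold in (1, 2):
        return (2, 6)                      # Unacceptable Hold Time
    opts = body[10:]
    if opt_len != len(opts):
        return (2, 0)                      # length fields disagree (Unspecific)
    while opts:                            # walk type/length/value parameters
        if len(opts) < 2 or 2 + opts[1] > len(opts):
            return (2, 0)                  # parameter runs past the message
        opts = opts[2 + opts[1]:]
    return None

def check_update(body):
    attr_off = 2 + struct.unpack("!H", body[:2])[0]   # skip withdrawn routes
    if attr_off + 2 > len(body):
        return (3, 1)                      # Malformed Attribute List
    attr_len = struct.unpack("!H", body[attr_off:attr_off + 2])[0]
    return (3, 1) if attr_off + 2 + attr_len > len(body) else None
```

A receiver that gets a non-None result sends the corresponding NOTIFICATION and closes the session instead of parsing further.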

II. Impact

A remote attacker can cause a denial of service in a vulnerable system. In most cases, the attacker would need to act as a valid BGP peer. BGP session instability can result in "flapping" and other routing problems that may adversely affect Internet traffic.

III. Solution

Apply a patch or upgrade

Apply a patch or upgrade as specified by your vendor.

Restrict BGP access

Using access control lists (ACLs) and BGP configuration settings, restrict access to valid networks and BGP peers.

Authenticate BGP messages

TCP MD5 (RFC 2385), IPsec, and S-BGP provide cryptographic authentication of network connections and/or BGP messages. Various performance and key distribution issues are associated with these authentication methods.

Use out-of-band management channels

When possible, use an out-of-band channel, such as a separate network, to transmit BGP and other management traffic.

Systems Affected

Vendor | Status | Date Notified | Date Updated
3Com | Unknown | 22-Jun-2004
Alcatel | Unknown | 22-Jun-2004
Apple Computer Inc. | Not Vulnerable | 16-Jun-2004
AT&T | Unknown | 16-Jun-2004
Avaya | Unknown | 16-Jun-2004
Avici Systems Inc. | Not Vulnerable | 23-Jun-2004
Charlotte's Web Networks | Unknown | 16-Jun-2004
Check Point | Not Vulnerable | 16-Jun-2004
Chiaro Networks | Not Vulnerable | 3-Jun-2004
Cisco Systems Inc. | Vulnerable | 16-Jun-2004
Conectiva | Unknown | 16-Jun-2004
Cray Inc. | Unknown | 16-Jun-2004
D-Link Systems | Unknown | 16-Jun-2004
Data Connection | Unknown | 16-Jun-2004
Debian | Unknown | 16-Jun-2004
EMC Corporation | Unknown | 16-Jun-2004
Extreme Networks | Vulnerable | 16-Jun-2004
F5 Networks | Unknown | 16-Jun-2004
Foundry Networks Inc. | Unknown | 21-Jun-2004
FreeBSD | Unknown | 16-Jun-2004
Fujitsu | Unknown | 16-Jun-2004
Guardian Digital Inc. | Unknown | 16-Jun-2004
Hewlett-Packard Company | Unknown | 16-Jun-2004
Hitachi | Unknown | 16-Jun-2004
Hyperchip | Unknown | 8-Jun-2004
IBM | Unknown | 17-Jun-2004
Ingrian Networks | Unknown | 16-Jun-2004
Intel | Unknown | 16-Jun-2004
Juniper Networks | Not Vulnerable | 16-Jun-2004
Lucent Technologies | Unknown | 16-Jun-2004
MandrakeSoft | Unknown | 16-Jun-2004
MontaVista Software | Unknown | 16-Jun-2004
Multi-Tech Systems Inc. | Unknown | 16-Jun-2004
NEC Corporation | Unknown | 16-Jun-2004
NetScreen | Unknown | 16-Jun-2004
Network Appliance | Not Vulnerable | 28-Jun-2004
NextHop | Not Vulnerable | 23-Jun-2004
Nokia | Unknown | 16-Jun-2004
Nortel Networks | Unknown | 16-Jun-2004
Novell | Unknown | 16-Jun-2004
Openwall GNU/*/Linux | Unknown | 16-Jun-2004
Red Hat Inc. | Unknown | 16-Jun-2004
Redback Networks Inc. | Vulnerable | 21-Jun-2004
Riverstone Networks | Not Vulnerable | 21-Jun-2004
SCO | Unknown | 16-Jun-2004
SGI | Unknown | 16-Jun-2004
Sony Corporation | Unknown | 16-Jun-2004
Sun Microsystems Inc. | Unknown | 16-Jun-2004
SuSE Inc. | Unknown | 16-Jun-2004
TurboLinux | Unknown | 17-Jun-2004
Unisys | Unknown | 22-Jun-2004
Wind River Systems Inc. | Unknown | 16-Jun-2004
ZyXEL | Unknown | 16-Jun-2004

References


http://www.ietf.org/rfc/rfc1771.txt
http://www.ietf.org/internet-drafts/draft-ietf-idr-bgp4-experience-protocol-04.txt
http://www.ietf.org/rfc/rfc2385.txt
http://www.net-tech.bbn.com/sbgp/draft-clynn-s-bgp-protocol-01.txt
http://www.nanog.org/mtg-0306/pdf/franz.pdf
http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml

Credit

These vulnerabilities were reported as a result of research done by Cisco. Thanks to Cisco for sharing this research and helping to coordinate the disclosure of information about these vulnerabilities.

This document was written by Art Manion.

Other Information

Date Public: 2004-06-16
Date First Published: 2004-06-16
Date Last Updated: 2004-06-28
CERT Advisory:
CVE-ID(s): CAN-2004-0589
NVD-ID(s): CAN-2004-0589
US-CERT Technical Alerts:
Metric: 8.60
Document Revision: 39

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2004 Carnegie Mellon University