Vulnerability Note VU#784540

BGP implementations do not adequately handle malformed BGP OPEN and UPDATE messages

Original Release date: 16 Jun 2004 | Last revised: 28 Jun 2004

Overview

Multiple implementations of the Border Gateway Protocol (BGP) contain vulnerabilities related to the processing of UPDATE and OPEN messages. The impacts of these vulnerabilities appear to be limited to denial of service.

Description

BGP (RFC 1771) is designed to exchange network reachability information between peer nodes. Information advertised by a BGP system to its peers includes timers, metrics, and paths to different Autonomous System (AS) networks. Routing between AS networks depends on BGP, and the Internet is a network of AS networks. Therefore, vulnerabilities in BGP have the potential to affect the Internet infrastructure.

Multiple BGP implementations contain vulnerabilities handling exceptional OPEN and UPDATE messages. While the details of the individual vulnerabilities are different, the impacts appear to be limited to denial of service. In addition, most BGP implementations do not accept messages from arbitrary sources. Some BGP implementations only accept TCP connections (179/tcp) from properly configured peers, and some implementations require a valid AS number in the BGP message data. To deliver malicious messages to such systems, an attacker would need to spoof a TCP connection or have access to a trusted BGP peer. The attacker may also need to know a valid AS number.
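The note does not describe the individual flaws, so the following is an added example (not taken from this note or from any vendor's code) of the strict length and field checks that the RFC 1771 message format allows a receiver to make before parsing an OPEN or UPDATE any further. The function name, result codes and sample messages are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes: hypothetical names for this example. */
enum bgp_check { BGP_OK, BGP_SHORT, BGP_BAD_LEN, BGP_BAD_TYPE, BGP_BAD_OPEN, BGP_BAD_UPDATE };

#define MARKER 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
/* Constructed samples: a valid KEEPALIVE, and an UPDATE (length 23) whose
   Unfeasible Routes Length claims 16 bytes that the message does not contain. */
static const uint8_t sample_keepalive[]  = { MARKER, 0x00, 0x13, 4 };
static const uint8_t sample_bad_update[] = { MARKER, 0x00, 0x17, 2, 0x00, 0x10, 0x00, 0x00 };

static unsigned rd16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Check one BGP message in buf[0..avail) against the RFC 1771 length rules
   before any field-specific parsing touches it. */
enum bgp_check bgp_check_msg(const uint8_t *buf, size_t avail)
{
    if (avail < 19) return BGP_SHORT;            /* 16 marker + 2 length + 1 type */
    size_t len = rd16(buf + 16);
    if (len < 19 || len > 4096) return BGP_BAD_LEN;
    if (len > avail) return BGP_SHORT;           /* rest of message not yet read */
    const uint8_t *body = buf + 19;
    size_t blen = len - 19;

    switch (buf[18]) {
    case 1: {                                    /* OPEN: fixed part is 10 bytes */
        if (blen < 10) return BGP_BAD_LEN;
        unsigned hold = rd16(body + 3);
        if (body[0] != 4) return BGP_BAD_OPEN;   /* BGP version */
        if (hold == 1 || hold == 2) return BGP_BAD_OPEN;  /* must be 0 or >= 3 */
        if (body[9] != blen - 10) return BGP_BAD_OPEN;    /* Opt Parm Len mismatch */
        return BGP_OK;
    }
    case 2: {                                    /* UPDATE: two 16-bit lengths */
        if (blen < 4) return BGP_BAD_LEN;
        size_t wlen = rd16(body);                /* Unfeasible Routes Length */
        if (wlen > blen - 4) return BGP_BAD_UPDATE;
        size_t alen = rd16(body + 2 + wlen);     /* Total Path Attribute Length */
        if (alen > blen - 4 - wlen) return BGP_BAD_UPDATE;
        return BGP_OK;
    }
    case 3: return blen >= 2 ? BGP_OK : BGP_BAD_LEN;  /* NOTIFICATION */
    case 4: return blen == 0 ? BGP_OK : BGP_BAD_LEN;  /* KEEPALIVE */
    default: return BGP_BAD_TYPE;
    }
}

int main(void) { return bgp_check_msg(sample_keepalive, sizeof sample_keepalive) != BGP_OK; }
```

A receiver that gets anything other than BGP_OK or BGP_SHORT from such a check can send the matching NOTIFICATION and close the session instead of handing the buffer to deeper parsing code.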

For information about specific BGP implementations, please see the Systems Affected section below.

Impact

A remote attacker can cause a denial of service in a vulnerable system. In most cases, the attacker would need to act as a valid BGP peer. BGP session instability can result in "flapping" and other routing problems that may adversely affect Internet traffic.

Solution

Apply a patch or upgrade
Apply a patch or upgrade as specified by your vendor.


Restrict BGP access

Using access control lists (ACLs) and BGP configuration settings, restrict access to valid networks and BGP peers.

Authenticate BGP messages

TCP MD5 (RFC 2385), IPsec, and S-BGP provide cryptographic authentication of network connections and/or BGP messages. Various performance and key distribution issues are associated with these authentication methods.

Use out-of-band management channels

When possible, use an out-of-band channel, such as a separate network, to transmit BGP and other management traffic.

Systems Affected

Vendor                  Status        Date Notified  Date Updated
Cisco Systems Inc.      Affected      -              16 Jun 2004
Extreme Networks        Affected      -              16 Jun 2004
Redback Networks Inc.   Affected      07 May 2004    21 Jun 2004
Apple Computer Inc.     Not Affected  15 Jun 2004    16 Jun 2004
Avici Systems Inc.      Not Affected  06 May 2004    23 Jun 2004
Check Point             Not Affected  -              16 Jun 2004
Chiaro Networks         Not Affected  -              03 Jun 2004
Juniper Networks        Not Affected  07 May 2004    16 Jun 2004
Network Appliance       Not Affected  07 May 2004    28 Jun 2004
NextHop                 Not Affected  08 Jun 2004    23 Jun 2004
Riverstone Networks     Not Affected  07 May 2004    21 Jun 2004
3Com                    Unknown       06 May 2004    22 Jun 2004
Alcatel                 Unknown       06 May 2004    22 Jun 2004
AT&T                    Unknown       -              16 Jun 2004
Avaya                   Unknown       -              16 Jun 2004

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

Credit

These vulnerabilities were reported as a result of research done by Cisco. Thanks to Cisco for sharing this research and helping to coordinate the disclosure of information about these vulnerabilities.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2004-0589
  • Date Public: 16 Jun 2004
  • Date First Published: 16 Jun 2004
  • Date Last Updated: 28 Jun 2004
  • Severity Metric: 8.60
  • Document Revision: 39
