Vulnerability Note VU#929656
BGP implementations do not properly handle UPDATE messages
Overview
BGP implementations from multiple vendors including Juniper may not properly handle specially crafted BGP UPDATE messages. These vulnerabilities could allow an unauthenticated, remote attacker to cause a denial of service. Disrupting BGP communication could lead to routing instability.
Description
The Border Gateway Protocol (BGP, RFC 4271) is a widely used inter-Autonomous System routing protocol. BGP communication among peer routers is critical to the stable operation of the internet. Multiple vendors BGP implementations do not properly handle specially crafted BGP UPDATE messages. A vulnerable BGP implementation could drop sessions when processing crafted UPDATE messages. A persistent attack could lead to routing instability (route flapping). To affect a BGP session, an attacker would need to succesfully inject a specially crafted packet into an existing BGP session or the underlying TCP session (179/tcp). In other words, the attacker would need to have a valid, configured BGP session or be able to spoof TCP traffic. This vulnerability was first announced as affecting Juniper routers. Further investigation indicates that other vendors are affected by the same or similar issues. Please see the Systems Affected section below. |
Impact
A remote attacker could cause a denial of service by injecting a specially crafted BGP UPDATE message into a legitimate BGP session. An attacker with a configured BGP session could attack targets several BGP hops away, or an attacker could spoof TCP traffic. |
Solution
Upgrade |
|
Systems Affected (Learn More)
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
Avici Systems, Inc. | Affected | 13 Dec 2007 | 28 Apr 2008 |
Century Systems Inc. | Affected | - | 28 Apr 2008 |
Extreme Networks | Affected | 13 Dec 2007 | 08 Jun 2009 |
Hitachi | Affected | 13 Dec 2007 | 12 Aug 2008 |
Juniper Networks, Inc. | Affected | 16 Jan 2008 | 01 May 2008 |
NEC Corporation | Affected | - | 06 Jun 2008 |
Yamaha Corporation | Affected | - | 28 Apr 2008 |
ACCESS | Not Affected | - | 20 May 2008 |
Cisco Systems, Inc. | Not Affected | 13 Dec 2007 | 06 May 2008 |
Force10 Networks, Inc. | Not Affected | 13 Dec 2007 | 22 Feb 2008 |
Foundry Networks, Inc. | Not Affected | 13 Dec 2007 | 28 Apr 2008 |
Fujitsu | Not Affected | - | 28 Apr 2008 |
GNU Zebra | Not Affected | - | 20 May 2008 |
IP Infusion, Inc. | Not Affected | 22 Feb 2008 | 20 May 2008 |
Network Appliance, Inc. | Not Affected | 13 Dec 2007 | 14 Dec 2007 |
CVSS Metrics (Learn More)
Group | Score | Vector |
---|---|---|
Base | N/A | N/A |
Temporal | N/A | N/A |
Environmental | N/A | N/A |
References
- http://www.kb.cert.org/vuls/id/415294
- http://tools.ietf.org/html/rfc4271
- http://www.iana.org/assignments/bgp-parameters
- http://tools.ietf.org/html/rfc2385
- http://tools.ietf.org/html/rfc2439
- http://secunia.com/advisories/28100/
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6372
- https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2007-12-008&viewMod%20e=view
- http://isc.sans.org/diary.php?storyid=3748
- https://puck.nether.net/pipermail/juniper-nsp/2007-December/009294.html
- https://puck.nether.net/pipermail/juniper-nsp/2007-December/009299.html
- http://jvn.jp/cert/JVNVU929656/index.html
- http://osvdb.org/show/osvdb/39157
- http://www.securityfocus.com/bid/26869
- http://www.frsirt.com/english/advisories/2007/4223
- http://securitytracker.com/alerts/2007/Dec/1019100.html
- http://www.team-cymru.org/?sec=13&opt=28
- http://secunia.com/advisories/30028/
Credit
Thanks to members of the Juniper Security Incident Response Team for help in preparing this document.
This document was written by Art Manion.
Other Information
- CVE IDs: CVE-2007-6372
- Date Public: 12 Dec 2007
- Date First Published: 06 May 2008
- Date Last Updated: 09 Jun 2009
- Severity Metric: 24.49
- Document Revision: 57
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.