Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0454 -- [UNIX/Linux][Appliance]
Multiple vendors' BGP implementations do not properly handle
UPDATE messages
2 May 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BGP
Publisher: US-CERT
Operating System: UNIX variants (UNIX, Linux)
Network Appliance
Impact: Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2007-6372
Original Bulletin: http://www.kb.cert.org/vuls/id/929656
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability Note VU#929656
Multiple vendors' BGP implementations do not properly handle UPDATE messages
Overview
BGP implementations from multiple vendors including Juniper may not properly
handle specially crafted BGP UPDATE messages. These vulnerabilities could allow
an unauthenticated, remote attacker to cause a denial of service. Disrupting BGP
communication could lead to routing instability.
I. Description
The Border Gateway Protocol (BGP, RFC 4271) is a widely used inter-Autonomous
System routing protocol. BGP communication among peer routers is critical to the
stable operation of the internet.
Multiple vendors BGP implementations do not properly handle specially crafted
BGP UPDATE messages. A vulnerable BGP implementation could drop sessions when
processing a crafted UPDATE message, which could lead to routing instability
(route flapping). To affect a legitimate BGP session, an attacker would need
to succesfully inject a specially crafted packet into the underlying TCP session.
This vulnerability was first announced as affecting Juniper routers. Further
investigation indicates that other vendors are affected by the same or similar
issues. Please see the Systems Affected section below.
II. Impact
A remote, unauthenticated attacker could cause a denial of service by injecting
a specially crafted BGP message into a legitimate BGP session with a vulnerable
router.
III. Solution
Upgrade
Upgrade your BGP software as appropriate. Please see the Systems Affected
section below for information about specific vendors.
In order to send a specially crafted BGP UPDATE message, an attacker must have
or spoof a valid BGP connection (179/tcp).
Authenticate BGP Traffic
Use TCP MD5 to authenticate BGP traffic (RFC 2385). Only allow BGP traffic from
authorized peers.
Restrict BGP Access
Restrict BGP network access to authorized peers. If possible, run BGP on
management networks, not transit networks. More information about BGP
security (including secure BGP configuration templates) is available from the
Team Cymru Reading Room.
Systems Affected
Vendor Status Date Updated
3com, Inc. Unknown 13-Dec-2007
ACCESS Not Vulnerable 1-May-2008
Alcatel Unknown 13-Dec-2007
AT&T Unknown 13-Dec-2007
Avaya, Inc. Unknown 13-Dec-2007
Avici Systems, Inc. Vulnerable 28-Apr-2008
Century Systems Inc. Vulnerable 28-Apr-2008
Charlotte's Web Networks Unknown 13-Dec-2007
Check Point Software
Technologies Unknown 13-Dec-2007
Cisco Systems, Inc. Unknown 13-Dec-2007
D-Link Systems, Inc. Unknown 13-Dec-2007
Data Connection, Ltd. Unknown 13-Dec-2007
Extreme Networks Unknown 13-Dec-2007
F5 Networks, Inc. Unknown 13-Dec-2007
Force10 Networks, Inc. Not Vulnerable 22-Feb-2008
Foundry Networks, Inc. Not Vulnerable 28-Apr-2008
Fujitsu Not Vulnerable 28-Apr-2008
GNU Zebra Unknown 1-May-2008
Hitachi Vulnerable 28-Apr-2008
Hyperchip Unknown 13-Dec-2007
IBM Corporation Unknown 13-Dec-2007
Ingrian Networks, Inc. Unknown 13-Dec-2007
Intel Corporation Unknown 8-Apr-2008
IP Infusion, Inc. Unknown 1-May-2008
Juniper Networks, Inc. Vulnerable 1-May-2008
Lucent Technologies Unknown 13-Dec-2007
Luminous Networks Unknown 13-Dec-2007
Multinet (owned Process
Software Corporation) Unknown 13-Dec-2007
Multitech, Inc. Unknown 13-Dec-2007
Network Appliance, Inc. Not Vulnerable 14-Dec-2007
NextHop
Technologies,Inc. Unknown 13-Dec-2007
Nokia Unknown 8-Apr-2008
Nortel Networks, Inc. Unknown 13-Dec-2007
OpenBSD Unknown 22-Feb-2008
Quagga Not Vulnerable 28-Apr-2008
Redback Networks, Inc. Unknown 13-Dec-2007
Riverstone Networks, Inc. Unknown 13-Dec-2007
Sun Microsystems, Inc. Not Vulnerable 28-Apr-2008
Wind River Systems, Inc. Unknown 13-Dec-2007
Yamaha Corporation Vulnerable 28-Apr-2008
ZyXEL Unknown 13-Dec-2007
References
http://www.kb.cert.org/vuls/id/415294
http://tools.ietf.org/html/rfc1771
http://tools.ietf.org/html/rfc4271
http://tools.ietf.org/html/rfc2385
http://tools.ietf.org/html/rfc2439
http://secunia.com/advisories/28100/
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6372
https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2007-12-008&viewMod%20e=view
http://isc.sans.org/diary.php?storyid=3748
https://puck.nether.net/pipermail/juniper-nsp/2007-December/009294.html
https://puck.nether.net/pipermail/juniper-nsp/2007-December/009299.html
http://osvdb.org/show/osvdb/39157
http://www.securityfocus.com/bid/26869
http://www.frsirt.com/english/advisories/2007/4223
http://securitytracker.com/alerts/2007/Dec/1019100.html
http://www.team-cymru.org/?sec=13&opt=28
Credit
This document was written by Art Manion.
Other Information
Date Public 12/12/2007
Date First Published 01/05/2008 00:47:32
Date Last Updated 01/05/2008
CERT Advisory
CVE Name CVE-2007-6372
US-CERT Technical Alerts
Metric 24.49
Document Revision 33
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSBpRtCh9+71yA2DNAQKkPgQAj6ovLKXB9axVM8OQ2kwdST/zYGppm2LV
3Z9gWPUWo0z0ZvOet/nWqKa7j/ZQczC27hyvgaTv65+YjVKURH3Z1Toq42aLACxo
46W0SoCGHKKebyaLL2u991R6lp/WB3NOjkP0EYWOPDbQzKjDhC29tcEO9xqOL0nT
jUl7cfvfbpo=
=dcPm
-----END PGP SIGNATURE-----