-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                 ESB-2008.0454 -- [UNIX/Linux][Appliance]
       Multiple vendors' BGP implementations do not properly handle
                              UPDATE messages
                                2 May 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              BGP
Publisher:            US-CERT
Operating System:     UNIX variants (UNIX, Linux)
                      Network Appliance
Impact:               Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-6372

Original Bulletin:    http://www.kb.cert.org/vuls/id/929656

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#929656

Multiple vendors' BGP implementations do not properly handle UPDATE messages

Overview

BGP implementations from multiple vendors including Juniper may not properly 
handle specially crafted BGP UPDATE messages. These vulnerabilities could allow
an unauthenticated, remote attacker to cause a denial of service. Disrupting BGP
communication could lead to routing instability.


I. Description

The Border Gateway Protocol (BGP, RFC 4271) is a widely used inter-Autonomous 
System routing protocol. BGP communication among peer routers is critical to the
stable operation of the internet.

Multiple vendors BGP implementations do not properly handle specially crafted 
BGP UPDATE messages. A vulnerable BGP implementation could drop sessions when 
processing a crafted UPDATE message, which could lead to routing instability 
(route flapping). To affect a legitimate BGP session, an attacker would need 
to succesfully inject a specially crafted packet into the underlying TCP session.

This vulnerability was first announced as affecting Juniper routers. Further 
investigation indicates that other vendors are affected by the same or similar 
issues. Please see the Systems Affected section below.


II. Impact
A remote, unauthenticated attacker could cause a denial of service by injecting 
a specially crafted BGP message into a legitimate BGP session with a vulnerable 
router.


III. Solution

Upgrade

Upgrade your BGP software as appropriate. Please see the Systems Affected 
section below for information about specific vendors.
In order to send a specially crafted BGP UPDATE message, an attacker must have
or spoof a valid BGP connection (179/tcp).

Authenticate BGP Traffic

Use TCP MD5 to authenticate BGP traffic (RFC 2385). Only allow BGP traffic from 
authorized peers.

Restrict BGP Access
Restrict BGP network access to authorized peers. If possible, run BGP on 
management networks, not transit networks. More information about BGP 
security (including secure BGP configuration templates) is available from the 
Team Cymru Reading Room.


Systems Affected
Vendor                     Status         Date Updated
3com, Inc.                 Unknown        13-Dec-2007
ACCESS                    Not Vulnerable   1-May-2008
Alcatel                    Unknown        13-Dec-2007
AT&T                       Unknown        13-Dec-2007
Avaya, Inc.                Unknown        13-Dec-2007
Avici Systems, Inc.       Vulnerable      28-Apr-2008
Century Systems Inc.      Vulnerable      28-Apr-2008
Charlotte's Web Networks   Unknown        13-Dec-2007
Check Point Software 
Technologies               Unknown        13-Dec-2007
Cisco Systems, Inc.        Unknown        13-Dec-2007
D-Link Systems, Inc.       Unknown        13-Dec-2007
Data Connection, Ltd.      Unknown        13-Dec-2007
Extreme Networks           Unknown        13-Dec-2007
F5 Networks, Inc.          Unknown        13-Dec-2007
Force10 Networks, Inc.    Not Vulnerable  22-Feb-2008
Foundry Networks, Inc.    Not Vulnerable  28-Apr-2008
Fujitsu                   Not Vulnerable  28-Apr-2008
GNU Zebra                  Unknown         1-May-2008
Hitachi                   Vulnerable      28-Apr-2008
Hyperchip                  Unknown        13-Dec-2007
IBM Corporation            Unknown        13-Dec-2007
Ingrian Networks, Inc.     Unknown        13-Dec-2007
Intel Corporation          Unknown         8-Apr-2008
IP Infusion, Inc.          Unknown         1-May-2008
Juniper Networks, Inc.    Vulnerable       1-May-2008
Lucent Technologies        Unknown        13-Dec-2007
Luminous Networks          Unknown        13-Dec-2007
Multinet (owned Process
 Software Corporation)     Unknown        13-Dec-2007
Multitech, Inc.            Unknown        13-Dec-2007
Network Appliance, Inc.   Not Vulnerable  14-Dec-2007
NextHop
 Technologies,Inc.         Unknown        13-Dec-2007
Nokia                      Unknown         8-Apr-2008
Nortel Networks, Inc.      Unknown        13-Dec-2007
OpenBSD                    Unknown        22-Feb-2008
Quagga                    Not Vulnerable  28-Apr-2008
Redback Networks, Inc.     Unknown        13-Dec-2007
Riverstone Networks, Inc.  Unknown        13-Dec-2007
Sun Microsystems, Inc.    Not Vulnerable  28-Apr-2008
Wind River Systems, Inc.   Unknown        13-Dec-2007
Yamaha Corporation        Vulnerable      28-Apr-2008
ZyXEL                      Unknown        13-Dec-2007

References

http://www.kb.cert.org/vuls/id/415294
http://tools.ietf.org/html/rfc1771
http://tools.ietf.org/html/rfc4271
http://tools.ietf.org/html/rfc2385
http://tools.ietf.org/html/rfc2439
http://secunia.com/advisories/28100/
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6372
https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2007-12-008&viewMod%20e=view
http://isc.sans.org/diary.php?storyid=3748
https://puck.nether.net/pipermail/juniper-nsp/2007-December/009294.html
https://puck.nether.net/pipermail/juniper-nsp/2007-December/009299.html
http://osvdb.org/show/osvdb/39157
http://www.securityfocus.com/bid/26869
http://www.frsirt.com/english/advisories/2007/4223
http://securitytracker.com/alerts/2007/Dec/1019100.html
http://www.team-cymru.org/?sec=13&opt=28


Credit

This document was written by Art Manion.
Other Information
Date Public     12/12/2007
Date First Published    01/05/2008 00:47:32
Date Last Updated       01/05/2008
CERT Advisory    
CVE Name        CVE-2007-6372
US-CERT Technical Alerts         
Metric  24.49
Document Revision       33

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSBpRtCh9+71yA2DNAQKkPgQAj6ovLKXB9axVM8OQ2kwdST/zYGppm2LV
3Z9gWPUWo0z0ZvOet/nWqKa7j/ZQczC27hyvgaTv65+YjVKURH3Z1Toq42aLACxo
46W0SoCGHKKebyaLL2u991R6lp/WB3NOjkP0EYWOPDbQzKjDhC29tcEO9xqOL0nT
jUl7cfvfbpo=
=dcPm
-----END PGP SIGNATURE-----