-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2008.0454
   [UNIX/Linux][Appliance] Multiple vendors' BGP implementations do not
                     properly handle UPDATE messages
                                 2 May 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              BGP
Publisher:            US-CERT
Operating System:     UNIX variants (UNIX, Linux)
                      Network Appliance
Impact:               Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-6372

Original Bulletin:
  http://www.kb.cert.org/vuls/id/929656

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#929656

Multiple vendors' BGP implementations do not properly handle UPDATE messages

Overview

BGP implementations from multiple vendors including Juniper may not
properly handle specially crafted BGP UPDATE messages. These
vulnerabilities could allow an unauthenticated, remote attacker to cause
a denial of service. Disrupting BGP communication could lead to routing
instability.

I. Description

The Border Gateway Protocol (BGP, RFC 4271) is a widely used
inter-Autonomous System routing protocol. BGP communication among peer
routers is critical to the stable operation of the internet.

Multiple vendors' BGP implementations do not properly handle specially
crafted BGP UPDATE messages. A vulnerable BGP implementation could drop
sessions when processing a crafted UPDATE message, which could lead to
routing instability (route flapping). To affect a legitimate BGP session,
an attacker would need to successfully inject a specially crafted packet
into the underlying TCP session.

This vulnerability was first announced as affecting Juniper routers.
Further investigation indicates that other vendors are affected by the
same or similar issues. Please see the Systems Affected section below.

II. Impact

A remote, unauthenticated attacker could cause a denial of service by
injecting a specially crafted BGP message into a legitimate BGP session
with a vulnerable router.

III. Solution

Upgrade

Upgrade your BGP software as appropriate. Please see the Systems Affected
section below for information about specific vendors.

In order to send a specially crafted BGP UPDATE message, an attacker must
have or spoof a valid BGP connection (179/tcp).

Authenticate BGP Traffic

Use TCP MD5 to authenticate BGP traffic (RFC 2385). Only allow BGP
traffic from authorized peers.

Restrict BGP Access

Restrict BGP network access to authorized peers. If possible, run BGP on
management networks, not transit networks.

More information about BGP security (including secure BGP configuration
templates) is available from the Team Cymru Reading Room.

Systems Affected

Vendor                                         Status          Date Updated
3com, Inc.                                     Unknown         13-Dec-2007
ACCESS                                         Not Vulnerable  1-May-2008
Alcatel                                        Unknown         13-Dec-2007
AT&T                                           Unknown         13-Dec-2007
Avaya, Inc.                                    Unknown         13-Dec-2007
Avici Systems, Inc.                            Vulnerable      28-Apr-2008
Century Systems Inc.                           Vulnerable      28-Apr-2008
Charlotte's Web Networks                       Unknown         13-Dec-2007
Check Point Software Technologies              Unknown         13-Dec-2007
Cisco Systems, Inc.                            Unknown         13-Dec-2007
D-Link Systems, Inc.                           Unknown         13-Dec-2007
Data Connection, Ltd.                          Unknown         13-Dec-2007
Extreme Networks                               Unknown         13-Dec-2007
F5 Networks, Inc.                              Unknown         13-Dec-2007
Force10 Networks, Inc.                         Not Vulnerable  22-Feb-2008
Foundry Networks, Inc.                         Not Vulnerable  28-Apr-2008
Fujitsu                                        Not Vulnerable  28-Apr-2008
GNU Zebra                                      Unknown         1-May-2008
Hitachi                                        Vulnerable      28-Apr-2008
Hyperchip                                      Unknown         13-Dec-2007
IBM Corporation                                Unknown         13-Dec-2007
Ingrian Networks, Inc.                         Unknown         13-Dec-2007
Intel Corporation                              Unknown         8-Apr-2008
IP Infusion, Inc.                              Unknown         1-May-2008
Juniper Networks, Inc.                         Vulnerable      1-May-2008
Lucent Technologies                            Unknown         13-Dec-2007
Luminous Networks                              Unknown         13-Dec-2007
Multinet (owned Process Software Corporation)  Unknown         13-Dec-2007
Multitech, Inc.                                Unknown         13-Dec-2007
Network Appliance, Inc.                        Not Vulnerable  14-Dec-2007
NextHop Technologies, Inc.                     Unknown         13-Dec-2007
Nokia                                          Unknown         8-Apr-2008
Nortel Networks, Inc.                          Unknown         13-Dec-2007
OpenBSD                                        Unknown         22-Feb-2008
Quagga                                         Not Vulnerable  28-Apr-2008
Redback Networks, Inc.                         Unknown         13-Dec-2007
Riverstone Networks, Inc.                      Unknown         13-Dec-2007
Sun Microsystems, Inc.                         Not Vulnerable  28-Apr-2008
Wind River Systems, Inc.                       Unknown         13-Dec-2007
Yamaha Corporation                             Vulnerable      28-Apr-2008
ZyXEL                                          Unknown         13-Dec-2007

References

http://www.kb.cert.org/vuls/id/415294
http://tools.ietf.org/html/rfc1771
http://tools.ietf.org/html/rfc4271
http://tools.ietf.org/html/rfc2385
http://tools.ietf.org/html/rfc2439
http://secunia.com/advisories/28100/
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6372
https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2007-12-008&viewMod%20e=view
http://isc.sans.org/diary.php?storyid=3748
https://puck.nether.net/pipermail/juniper-nsp/2007-December/009294.html
https://puck.nether.net/pipermail/juniper-nsp/2007-December/009299.html
http://osvdb.org/show/osvdb/39157
http://www.securityfocus.com/bid/26869
http://www.frsirt.com/english/advisories/2007/4223
http://securitytracker.com/alerts/2007/Dec/1019100.html
http://www.team-cymru.org/?sec=13&opt=28

Credit

This document was written by Art Manion.

Other Information

Date Public                 12/12/2007
Date First Published        01/05/2008 00:47:32
Date Last Updated           01/05/2008
CERT Advisory
CVE Name                    CVE-2007-6372
US-CERT Technical Alerts
Metric                      24.49
Document Revision           33

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBSBpRtCh9+71yA2DNAQKkPgQAj6ovLKXB9axVM8OQ2kwdST/zYGppm2LV
3Z9gWPUWo0z0ZvOet/nWqKa7j/ZQczC27hyvgaTv65+YjVKURH3Z1Toq42aLACxo
46W0SoCGHKKebyaLL2u991R6lp/WB3NOjkP0EYWOPDbQzKjDhC29tcEO9xqOL0nT
jUl7cfvfbpo=
=dcPm
-----END PGP SIGNATURE-----
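The Description section above turns on how a receiver treats an UPDATE message whose length fields do not agree with each other. The following is an added example, written for this page and not part of the US-CERT note, the AusCERT bulletin, or any vendor's code: a receiver-side validator that checks every length field of a BGP UPDATE (RFC 4271 sections 4.1, 4.3 and 6.3) against the enclosing message before using it, and names the failed check instead of reading past a buffer. It handles IPv4 NLRI only, does not interpret attribute semantics, and the function and constant names, the constructed sample messages (AS 65000, next hop 192.0.2.1, prefix 10.0.0.0/8) and the "declared_tpalen" knob used to build an inconsistent test vector are all this example's own assumptions.

```python
# Added example: structural validation of BGP UPDATE messages (RFC 4271).
# Not code from the advisory; names and sample messages are constructed here.
import struct

MARKER = b"\xff" * 16
HEADER_LEN = 19              # 16-byte marker + 2-byte length + 1-byte type
UPDATE_TYPE = 2
MAX_MSG_LEN = 4096           # RFC 4271 section 4.1
ATTR_EXTENDED_LENGTH = 0x10  # flag bit: attribute length field is 2 bytes


class MalformedUpdate(ValueError):
    """Raised with the name of the RFC 4271 check the message fails."""


def _parse_prefixes(buf, what):
    """Decode <length, prefix> tuples (withdrawn routes or NLRI), IPv4 only."""
    prefixes, i = [], 0
    while i < len(buf):
        plen = buf[i]
        i += 1
        if plen > 32:
            raise MalformedUpdate(f"{what}: prefix length {plen} > 32")
        nbytes = (plen + 7) // 8
        if i + nbytes > len(buf):          # prefix bytes must fit in the field
            raise MalformedUpdate(f"{what}: prefix truncated")
        octets = buf[i:i + nbytes] + b"\x00" * (4 - nbytes)
        i += nbytes
        prefixes.append(f"{'.'.join(str(b) for b in octets)}/{plen}")
    return prefixes


def _parse_attributes(buf):
    """Decode path attributes; each attribute length must stay inside buf."""
    attrs, i = {}, 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise MalformedUpdate("attribute: header truncated")
        flags, code = buf[i], buf[i + 1]
        i += 2
        width = 2 if flags & ATTR_EXTENDED_LENGTH else 1
        if i + width > len(buf):
            raise MalformedUpdate("attribute: length field truncated")
        alen = struct.unpack("!H", buf[i:i + 2])[0] if width == 2 else buf[i]
        i += width
        if i + alen > len(buf):            # value must not overrun the field
            raise MalformedUpdate(f"attribute {code}: length {alen} overruns")
        attrs[code] = bytes(buf[i:i + alen])
        i += alen
    return attrs


def parse_update(msg):
    """Validate and decode one UPDATE; raise MalformedUpdate on any inconsistency."""
    if len(msg) < HEADER_LEN or msg[:16] != MARKER:
        raise MalformedUpdate("header: bad marker or too short")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if not HEADER_LEN <= length <= MAX_MSG_LEN or length != len(msg):
        raise MalformedUpdate(f"header: length {length} vs {len(msg)} bytes")
    if mtype != UPDATE_TYPE:
        raise MalformedUpdate(f"header: type {mtype} is not UPDATE")
    body = msg[HEADER_LEN:]
    if len(body) < 2:
        raise MalformedUpdate("withdrawn routes length field missing")
    wlen = struct.unpack("!H", body[:2])[0]
    if wlen + 23 > length:                 # RFC 4271 6.3, first length check
        raise MalformedUpdate(f"withdrawn routes length {wlen} overruns")
    withdrawn = _parse_prefixes(body[2:2 + wlen], "withdrawn")
    p = 2 + wlen
    tpalen = struct.unpack("!H", body[p:p + 2])[0]
    if wlen + tpalen + 23 > length:        # RFC 4271 6.3, second length check
        raise MalformedUpdate(f"path attribute length {tpalen} overruns")
    attrs = _parse_attributes(body[p + 2:p + 2 + tpalen])
    nlri = _parse_prefixes(body[p + 2 + tpalen:], "nlri")
    return {"withdrawn": withdrawn, "attrs": attrs, "nlri": nlri}


def check(msg):
    """Return None for a well-formed UPDATE, else the name of the failed check."""
    try:
        parse_update(msg)
        return None
    except MalformedUpdate as exc:
        return str(exc)


def build_update(withdrawn=b"", attrs=b"", nlri=b"", declared_tpalen=None):
    """Assemble an UPDATE; declared_tpalen lets a test vector misstate its length."""
    tpalen = len(attrs) if declared_tpalen is None else declared_tpalen
    body = (struct.pack("!H", len(withdrawn)) + withdrawn
            + struct.pack("!H", tpalen) + attrs + nlri)
    return MARKER + struct.pack("!HB", HEADER_LEN + len(body), UPDATE_TYPE) + body


# Constructed samples: ORIGIN=IGP, AS_PATH=65000, NEXT_HOP=192.0.2.1, NLRI 10.0.0.0/8
SAMPLE_ATTRS = (b"\x40\x01\x01\x00"              # ORIGIN
                + b"\x40\x02\x04\x02\x01\xfd\xe8"  # AS_PATH, one AS_SEQUENCE
                + b"\x40\x03\x04\xc0\x00\x02\x01")  # NEXT_HOP
GOOD_UPDATE = build_update(attrs=SAMPLE_ATTRS, nlri=b"\x08\x0a")
BAD_TPA_UPDATE = build_update(attrs=SAMPLE_ATTRS, nlri=b"\x08\x0a", declared_tpalen=200)
BAD_PREFIX_UPDATE = build_update(attrs=SAMPLE_ATTRS, nlri=b"\x18\x0a\x00")  # /24, 2 bytes

if __name__ == "__main__":
    for name, m in [("good", GOOD_UPDATE), ("bad tpa", BAD_TPA_UPDATE),
                    ("bad prefix", BAD_PREFIX_UPDATE)]:
        print(f"{name}: {check(m) or 'well-formed'}")
```

Each check compares a length field against the bytes actually available before any slice is taken, which is what the RFC 4271 section 6.3 rules require; a reader adapting this for a real speaker would still have to decide, per the protocol's error-handling rules, what to do with the session once a malformed message is detected, which is exactly the behaviour the advisory is about.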