Home
 » ISP News » 
Sponsored Links

ISPs Move to Patch “Grave” Border Gateway Protocol Flaw

Wednesday, Aug 30th, 2023 (10:21 am) - Score 2,848
Encrypted Computer Data

Broadband internet service providers (ISP) are being encouraged to patch or mitigate a “grave flaw” in the Border Gateway Protocol (BGP), which could allow a remote attacker to craft a BGP UPDATE message that can de-peer (reset) BGP sessions and disrupt the global flow of internet traffic or cause a Denial of Service (DoS).

The BGP system is a protocol that helps to link the internet together by exchanging routing information with Autonomous Systems (AS), such as those run by your ISP (each provider will have many peers and routes to send data). Networks around the world need to talk to each other in order to do peering and determine which routes are the best ones for them to send their data, which is what BGP facilitates.

BGP is normally one of those things that works seamlessly in the background, but it’s also had more than a few problems over the years (e.g. traffic hijacking). Similarly, the use of malformed attributes is by no means a novel concept as an attack vector to such networks, which is partly why RFC 7606 exists.

Nevertheless, a security researcher – benjojo (see for more details) – recently “uncovered what I believe to be potentially near internet breaking flaws in how some BGP implementations works“, which impacts several major router and network software vendors: CVE-2023-4481 (Juniper), CVE-2023-38802 (FRR), CVE-2023-38283 (OpenBSD), CVE-2023-40457 (EXOS / Extreme Networks).

Benjojo said:

“What happens when an attribute fails to decode? The answer depends strongly on if the BGP implementation has been updated to use RFC 7606 logic or not; If the session is not RFC 7606 compliant, then typically an error is raised and the session is shut down. If it is, the session can usually continue as normal (except the routes impacted by the decoding error are treated as unreachable).

BGP session shutdowns are particularly undesirable, as they will impact traffic flow along a path. However in the case of a “Transitive” error they can become worm-like. Since not all BGP implementations support the same attributes, an attribute that is unknown to one implementation (and subsequently forwarded along) can cause another implementation to shut down the session it received it from.

With some reasonably educated crafting of a payload, someone could design a BGP UPDATE that “travels” along the internet unharmed, until it reaches a targeted vendor and results in that vendor resetting sessions. If that data comes down the BGP connections that are providing wider internet access for the network, this could result in a network being pulled offline from the internet.

This attack is not even a one-off “hit-and-run”, as the “bad” route is still stored in the peer router; when the session restarts the victim router will reset again the moment the route with the crafted payload is transmitted again. This has the potential to cause prolonged internet or peering outages.”

Mitigation measures for this flaw already exist and have been communicated to ISPs, while most – but not all – of the named vendors have now issued security patches. Juniper has just released this patch for all versions of Junos OS prior to 23.4R1. FRR is aware of the issue but has yet to release a patch (FRR is packaged inside many other products from SONIC, PICA8, Cumulus, and DANOS etc.). Extreme Networks (EXOS) doesn’t seem to take it as seriously as others and has been unclear about when or if it will be patched. Finally, OpenBSD (OpenBGPd) appears to have fixed the issue, and users can install Errata 006 to mitigate it.

Benjojo added that, with the odd exception (OpenBSD), he was generally left frustrated by the difficulty and slowness of getting vendors to respond and tackle the flaw: “As mentioned before, with a few of the vendors (Nokia, Extreme, Juniper) I found myself contacting their own customers myself to warn them to enable mitigating config, as that proved to be a much more effective way at preventing risk“.

Share with Twitter
Share with Linkedin
Share with Facebook
Share with Reddit
Share with Pinterest
Tags:
Mark-Jackson
By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook and .
Search ISP News
Search ISP Listings
Search ISP Reviews

Comments are closed

Cheap BIG ISPs for 100Mbps+
Community Fibre UK ISP Logo
150Mbps
Gift: None
Virgin Media UK ISP Logo
Virgin Media £26.00
132Mbps
Gift: None
Shell Energy UK ISP Logo
Shell Energy £26.99
109Mbps
Gift: None
Plusnet UK ISP Logo
Plusnet £27.99
145Mbps
Gift: None
Zen Internet UK ISP Logo
Zen Internet £28.00 - 35.00
100Mbps
Gift: None
Large Availability | View All
Cheapest ISPs for 100Mbps+
Gigaclear UK ISP Logo
Gigaclear £17.00
200Mbps
Gift: None
YouFibre UK ISP Logo
YouFibre £19.99
150Mbps
Gift: None
Community Fibre UK ISP Logo
150Mbps
Gift: None
BeFibre UK ISP Logo
BeFibre £21.00
150Mbps
Gift: £25 Love2Shop Card
Hey! Broadband UK ISP Logo
150Mbps
Gift: None
Large Availability | View All
The Top 15 Category Tags
  1. FTTP (5508)
  2. BT (3513)
  3. Politics (2535)
  4. Openreach (2296)
  5. Business (2260)
  6. Building Digital UK (2243)
  7. FTTC (2042)
  8. Mobile Broadband (1971)
  9. Statistics (1787)
  10. 4G (1662)
  11. Virgin Media (1617)
  12. Ofcom Regulation (1459)
  13. Fibre Optic (1393)
  14. Wireless Internet (1389)
  15. FTTH (1381)

Helpful ISP Guides and Tips

Promotion
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms , Privacy and Cookie Policy , Links , Website Rules , Contact
Mastodon