ISPs Move to Patch “Grave” Border Gateway Protocol Flaw

Broadband internet service providers (ISP) are being encouraged to patch or mitigate a “grave flaw” in the Border Gateway Protocol (BGP), which could allow a remote attacker to craft a BGP UPDATE message that can de-peer (reset) BGP sessions and disrupt the global flow of internet traffic or cause a Denial of Service (DoS).

The BGP system is a protocol that helps to link the internet together by exchanging routing information with Autonomous Systems (AS), such as those run by your ISP (each provider will have many peers and routes to send data). Networks around the world need to talk to each other in order to do peering and determine which routes are the best ones for them to send their data, which is what BGP facilitates.

BGP is normally one of those things that works seamlessly in the background, but it’s also had more than a few problems over the years (e.g. traffic hijacking). Similarly, the use of malformed attributes is by no means a novel concept as an attack vector to such networks, which is partly why RFC 7606 exists.

Nevertheless, a security researcher – benjojo (see for more details) – recently “uncovered what I believe to be potentially near internet breaking flaws in how some BGP implementations works“, which impacts several major router and network software vendors: CVE-2023-4481 (Juniper), CVE-2023-38802 (FRR), CVE-2023-38283 (OpenBSD), CVE-2023-40457 (EXOS / Extreme Networks).

Benjojo said:

“What happens when an attribute fails to decode? The answer depends strongly on if the BGP implementation has been updated to use RFC 7606 logic or not; If the session is not RFC 7606 compliant, then typically an error is raised and the session is shut down. If it is, the session can usually continue as normal (except the routes impacted by the decoding error are treated as unreachable).

BGP session shutdowns are particularly undesirable, as they will impact traffic flow along a path. However in the case of a “Transitive” error they can become worm-like. Since not all BGP implementations support the same attributes, an attribute that is unknown to one implementation (and subsequently forwarded along) can cause another implementation to shut down the session it received it from.

With some reasonably educated crafting of a payload, someone could design a BGP UPDATE that “travels” along the internet unharmed, until it reaches a targeted vendor and results in that vendor resetting sessions. If that data comes down the BGP connections that are providing wider internet access for the network, this could result in a network being pulled offline from the internet.

This attack is not even a one-off “hit-and-run”, as the “bad” route is still stored in the peer router; when the session restarts the victim router will reset again the moment the route with the crafted payload is transmitted again. This has the potential to cause prolonged internet or peering outages.”

Mitigation measures for this flaw already exist and have been communicated to ISPs, while most – but not all – of the named vendors have now issued security patches. Juniper has just released this patch for all versions of Junos OS prior to 23.4R1. FRR is aware of the issue but has yet to release a patch (FRR is packaged inside many other products from SONIC, PICA8, Cumulus, and DANOS etc.). Extreme Networks (EXOS) doesn’t seem to take it as seriously as others and has been unclear about when or if it will be patched. Finally, OpenBSD (OpenBGPd) appears to have fixed the issue, and users can install Errata 006 to mitigate it.

Benjojo added that, with the odd exception (OpenBSD), he was generally left frustrated by the difficulty and slowness of getting vendors to respond and tackle the flaw: “As mentioned before, with a few of the vendors (Nokia, Extreme, Juniper) I found myself contacting their own customers myself to warn them to enable mitigating config, as that proved to be a much more effective way at preventing risk“.