The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of BGP protocol

computer vulnerability announcement 8437

BGP: denial of service via AS4_PATH

Synthesis of the vulnerability

An attacker can use the AS4_PATH attribute in order to stop sessions of bgpd daemons.
Impacted products: Juniper E-Series, JUNOSe, OpenBSD, BGP protocol.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet client.
Creation date: 02/02/2009.
Identifiers: BID-33553, CQ 88706, PSN-2008-12-130, VIGILANCE-VUL-8437.

Description of the vulnerability

RFC 4893 extends the BGP protocol to support 4-byte ASNs (Autonomous System Numbers) instead of 2-byte ones. The AS4_PATH and AS4_AGGREGATOR attributes can carry 4-byte ASNs.

An AS Confederation (RFC 3065) is a collection of ASes identified by a single ASN.

According to the RFC 4893, the AS4_PATH attribute must not contain a confederation path. The RFC does not clearly indicate how to handle this error case. Some bgpd daemons close the session.

Moreover, an UPDATE message with a malicious AS4_PATH attribute can pass through several routers that do not support AS4_PATH before reaching a router that implements the RFC.

An attacker can therefore send an UPDATE message with a malicious AS4_PATH attribute in order to create a denial of service on remote routers.
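Added example, not from the bulletin or from any vendor's code: a tolerant AS4_PATH parser that drops confederation segments and reports them for logging instead of closing the session, which is the handling RFC 6793 later specified. The function names and sample bytes are constructed for illustration, and treating a zero-length segment as malformed is an assumption of this sketch.

```python
import struct

# Path segment type codes: AS_SET/AS_SEQUENCE plus the confederation types.
AS_SET, AS_SEQUENCE, AS_CONFED_SEQUENCE, AS_CONFED_SET = 1, 2, 3, 4
CONFED_TYPES = {AS_CONFED_SEQUENCE, AS_CONFED_SET}
KNOWN_TYPES = {AS_SET, AS_SEQUENCE} | CONFED_TYPES


def sanitize_as4_path(value: bytes):
    """Parse the value of an AS4_PATH attribute.

    Returns (kept_segments, dropped_segments, usable). Confederation segments
    are dropped and reported; a structurally broken attribute is marked
    unusable so the caller ignores it. No outcome asks for a session reset.
    """
    kept, dropped, offset = [], [], 0
    while offset < len(value):
        if len(value) - offset < 2:
            return [], dropped, False          # truncated segment header
        seg_type, count = value[offset], value[offset + 1]
        end = offset + 2 + 4 * count           # each ASN is 4 bytes
        if seg_type not in KNOWN_TYPES or count == 0 or end > len(value):
            return [], dropped, False          # malformed: ignore attribute
        asns = list(struct.unpack_from(f"!{count}I", value, offset + 2))
        (dropped if seg_type in CONFED_TYPES else kept).append((seg_type, asns))
        offset = end
    return kept, dropped, True


def segment(seg_type, asns):
    """Encode one path segment (helper for the constructed samples)."""
    return struct.pack(f"!BB{len(asns)}I", seg_type, len(asns), *asns)


if __name__ == "__main__":
    # Constructed sample: a confederation segment followed by a normal one.
    sample = (segment(AS_CONFED_SEQUENCE, [65001, 65002])
              + segment(AS_SEQUENCE, [196608, 64500]))
    kept, dropped, usable = sanitize_as4_path(sample)
    print("kept:", kept, "dropped:", dropped, "usable:", usable)
```

A non-empty `dropped` list is worth logging with the peer address, since the offending UPDATE may have crossed several routers before arriving.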

vulnerability alert 8071

BGP: hijacking traffic

Synthesis of the vulnerability

An attacker can change BGP routes in order to capture traffic.
Impacted products: BGP protocol.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 28/08/2008.
Identifiers: VIGILANCE-VUL-8071.

Description of the vulnerability

BGP (Border Gateway Protocol) is the main internet routing protocol.

An attacker with a BGP router can send a message that changes the path so that he receives packets destined for an IP address. However, if he then tries to forward these packets to the legitimate recipient, they come back to him (because he is advertised as the path). This old type of attack is inefficient and quickly detected.

A variant was published. If the attacker uses different network masks (1.2.3.0/24, and 1.2.3.0/26, which is more specific and therefore takes priority) and prepends Autonomous System numbers (via the command "route-map ... set as-prepend" of a Cisco router), the path is not propagated to some routers. The attacker then receives packets via the route for 1.2.3.0/26 and can forward them to the legitimate recipient via the route for 1.2.3.0/24.

The attacker can thus capture data without being detected by the legitimate recipient.

vulnerability alert CVE-2001-0650

Blocking BGP routers via the UPDATE request

Synthesis of the vulnerability

Using corrupted path-update data, an attacker can block routers using the BGP protocol.
Impacted products: Cisco Access Server, IOS by Cisco, Cisco Router, BGP protocol.
Severity: 2/4.
Consequences: denial of service on server.
Provenance: internet server.
Creation date: 11/05/2001.
Revision dates: 16/05/2001, 10/04/2003.
Identifiers: BID-2733, CIAC L-082, CISCO20010510, Cisco CSCdt79947, CVE-2001-0650, L-82, V6-CISCOIOSBGPATTRBCORR, VIGILANCE-VUL-1581, VU#106392.

Description of the vulnerability

Border Gateway Protocol (BGP) is a routing protocol between autonomous systems. This protocol is implemented according to RFC 1654. It is used to exchange reachability information about other BGP devices. BGP is implemented in some versions of IOS, the operating system installed on some Cisco routing devices.

A BGP UPDATE request contains Network Layer Reachability Information (NLRI) for other devices supporting BGP. These requests also contain the paths that packets must take to reach the next BGP router. This makes it possible to remotely update the paths to the various destinations.

A problem in the way IOS handles some malformed attributes allows an attacker to cause a denial of service on routers using the BGP protocol. The router may be blocked immediately or later.

An attacker can therefore block access to an entire network (autonomous system) simply by blocking its external access router.