CVE-2023-0026: BGP Error Messages | Junos OS
An Improper Input Validation vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). When a BGP update message is received over an established BGP session, and that message contains a specific, optional transitive attribute, this session will be torn down with an update message error. This issue cannot propagate beyond an affected system as the processing error occurs as soon as the update is received. This issue is exploitable remotely as the respective attribute can propagate through unaffected systems and intermediate AS (if any). Continuous receipt of a BGP update containing this attribute will create a sustained Denial of Service (DoS) condition. Some customers have experienced these BGP session flaps which prompted Juniper SIRT to release this advisory out of cycle before fixed releases are widely available as there is an effective workaround.
This issue affects: Juniper Networks Junos OS 15.1R1 and later versions prior to 20.4R3-S8; 21.1 version 21.1R1 and later versions prior to 21.2R3-S6; 21.3 versions prior to 21.3R3-S5; 21.4 versions prior to 21.4R3-S4; 22.1 versions prior to 22.1R3-S4; 22.2 versions prior to 22.2R3-S2; 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; 22.4 versions prior to 22.4R2-S1, 22.4R3; 23.1 versions prior to 23.1R1-S1, 23.1R2.
Juniper Networks Junos OS Evolved all versions prior to 20.4R3-S8-EVO; 21.1 version 21.1R1-EVO and later versions prior to 21.2R3-S6-EVO; 21.3 versions prior to 21.3R3-S5-EVO; 21.4 versions prior to 21.4R3-S4-EVO; 22.1 versions prior to 22.1R3-S4-EVO; 22.2 versions prior to 22.2R3-S2-EVO; 22.3 versions prior to 22.3R2-S2-EVO, 22.3R3-S1-EVO; 22.4 versions prior to 22.4R2-S1-EVO, 22.4R3-EVO; 23.1 versions prior to 23.1R1-S1-EVO, 23.1R2-EVO.
Understanding Error Handling for BGP Update Messages
A BGP message is considered to be malformed when any one of the message attributes is malformed. When a router participating in a BGP session receives a malformed update message, the entire session is reset by default. This is undesirable because update messages with valid routes are also affected. To avoid this undesirable behavior, the error handling for BGP update messages needs to be modified.
To configure error handling for BGP update messages, configure the bgp-error-tolerance statement at the [edit protocols bgp], [edit protocols bgp group group-name], or [edit protocols bgp group group-name neighbor address] hierarchy level.
If an attribute contains attribute flags that conflict with the value of the Attribute Type field, the attribute flags are reset to the correct value and the update message is processed. The value of the Extended Length bit in the attribute flags is unchanged because this value defines whether the attribute length is one or two octets. Hence, the value of the attribute flag affects how the BGP update packet is parsed.
Note:
There is no explicit specification for the attribute flag value for the path attributes.
Malformed update messages are treated on a case-by-case basis, depending on the values of the attributes contained in the messages. There are three ways of handling malformed BGP update messages, listed in decreasing order of severity.
Notification message approach—The malformed message error is logged locally, a notification message carrying the Update Message error code is sent to the peer, and the entire BGP session is reset.
This approach is chosen when:
The BGP update message contains the MP reach attribute or the MP unreach attribute.
The NLRI field or the BGP update message cannot be parsed correctly because of a mismatch between the attribute length and the value of the attribute length field.
Treat-as-withdraw approach—All routes within the malformed update message are treated as hidden routes, unless the keep none statement is configured, in which case the routes are discarded. In the absence of the keep none statement, the number of hidden malformed routes is configured with a limit; when the limit is exceeded, the routes are discarded and no further malformed routes are hidden. Junos OS removes the newly received malformed routes when the malformed route limit is reached.
Attribute discard approach—The malformed attributes in the update message are discarded; however, the message is processed. We do not recommend using this approach if the attributes to be discarded can affect route selection or installation.
Note:
If an attribute appears more than once in an update message, all occurrences of the attribute, other than the first, will be discarded and the message will be processed.
The BGP update messages are scanned for the following attributes and are treated as malformed based on the values of these attributes:
The origin attribute—Handled by the treat-as-withdraw approach.
The AS path attribute—Handled by the treat-as-withdraw approach.
The AS 4 path attribute—Handled by the attribute discard approach.
If any attribute has attribute flags that conflict with the attribute type code, Junos OS resets the attribute flags to the correct value and continues to process the update message.
Junos OS does not change the value of the extended length bit in the attribute flags. This bit defines whether the attribute length is one octet or two octets, so its value affects how the BGP packet is parsed. There is no explicit specification of this value for the path attributes.
The aggregator attribute—Handled by the attribute discard approach.
The aggregator 4 attribute—Handled by the attribute discard approach.
The next-hop attribute—Handled by the treat-as-withdraw approach.
The multiple exit discriminator attribute—Handled by the treat-as-withdraw approach.
The local preference attribute—Handled by the treat-as-withdraw approach.
The atomic aggregate attribute—Handled by the attribute discard approach.
The community attribute—Handled by the treat-as-withdraw approach.
The extended community attribute—Handled by the treat-as-withdraw approach.
The originator attribute—Handled by the treat-as-withdraw approach.
The cluster attribute—Handled by the treat-as-withdraw approach.
The PMSI attribute—Handled by the treat-as-withdraw approach.
The MP reach attribute—Handled by the notification message approach.
The MP unreach attribute—Handled by the notification message approach.
The attribute set attribute—Handled by the treat-as-withdraw approach.
The AIGP attribute—Handled by the treat-as-withdraw approach.
Unknown attribute—If the BGP flag does not indicate that this is an optional attribute, this malformed attribute is handled by the notification message approach.
Note:
When a BGP update message contains multiple malformed attributes, the most severe approach triggered by one of the attributes is followed.
Example: Configuring Error Handling for BGP Update Messages
This example shows how to configure BGP error handling.
Requirements
Before you begin:
Configure router interfaces.
Configure an interior gateway protocol (IGP).
Configure BGP.
Configure routing policies.
Overview
When a routing device receives an update message with a malformed attribute, the router is required to reset the session. This is specified in RFC 4271, A Border Gateway Protocol 4 (BGP-4). Session resets impact not only routes with the offending attribute, but also other valid routes exchanged over the session. Moreover, this behavior can present a potential security vulnerability in the case of optional transitive attributes. To minimize the impact on routing made by malformed update messages, the Internet draft draft-ietf-idr-error-handling-01.txt, Revised Error Handling for BGP UPDATE Messages, specifies modifications for handling BGP update messages with malformed attributes. The new error handling allows for maintaining the established session and keeping the valid routes exchanged, while removing the routes carried in the malformed UPDATE message.
Topology
In Figure 1, Device R1 has an internal BGP peering session with Device R0, and an external BGP peering session with Device R2.
Figure 1: BGP Error Handling Example Topology
To protect against malformed update messages causing network instability, Device R1 has BGP error handling configured, as shown in the CLI Quick Configuration section.
By default, a BGP message is considered to be malformed when any one of the message attributes is malformed. When a router participating in a BGP session receives a malformed update message, the entire session is reset. The bgp-error-tolerance statement overrides this behavior so that the following BGP error handling is in effect:
For fatal errors, Junos OS sends a notification message with the Update Message error code and resets the BGP session. An error in the MP_REACH or MP_UNREACH attribute is considered to be fatal. The presence of multiple MP_REACH or MP_UNREACH attributes in one BGP update is also considered to be a fatal error. Junos OS resets the BGP session if it cannot parse the NLRI field or the BGP update correctly. Failure to parse the BGP update packet can happen when the attribute length does not match the length of the attribute value.
For some nonfatal errors, Junos OS treats all the routes contained in the malformed BGP update message as withdrawn routes and installs them as hidden, unless the keep none statement is included in the BGP configuration. Junos OS uses this error handling approach for the cases that involve any of the following attributes: ORIGIN, AS_PATH, NEXT_HOP, MULTI_EXIT_DISC, LOCAL_PREF, ORIGINATOR, CLUSTER, ATTRSET, PMSI, Community, and Extended Community. In addition, if any of the mandatory well-known path attributes is missing, Junos OS treats the BGP update as malformed. To limit the memory usage of these malformed hidden routes, Junos OS stops installing new malformed hidden routes after the maximum number of such malformed hidden routes is reached. In this example, the maximum number is set to 5, using the malformed-route-limit statement. The default value is 1000. Optionally, you can allow an unlimited number of routes hidden due to malformed attributes. Do this by including the no-malformed-route-limit statement.
For other nonfatal errors, Junos OS discards the malformed path attributes and continues to process the BGP update message. It is unsafe to use this approach on the path attributes that might affect route selection or installation. Junos OS uses this error handling approach for the cases that involve any of the following attributes: ATOMIC_AGGREGATE, AGGREGATOR, AGGREGATOR4, and AS4PATH.
To facilitate troubleshooting of malformed packets, Junos OS logs the error listing the malformed path attribute code, flag, length, information about the peer and family, and the first prefix from the malformed BGP update. Logging of the malformed packets might slow Junos OS performance if a significant number of malformed packets is received in a short time. To limit the performance impact, Junos OS implements an algorithm to log a malformed update, suppress logging for an interval, and log a summary. When the logging suppression timer expires, the software logs the total number of malformed attributes received during the interval. In this example, the timer is set to 10 seconds, using the malformed-update-log-interval statement. The default value is 300 seconds (5 minutes).
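The following is a small Python model of the rules in the Understanding section and in the three error classes above, added here as an illustration and not Juniper code: it walks a path-attributes field, resets flags that conflict with the type code while leaving the Extended Length bit alone, discards duplicate attributes, and reports the most severe approach triggered by any attribute. The type codes are the IANA values; FIXED_LEN is an assumed stand-in for rpd's real per-attribute validity checks.

```python
# Toy model of the Junos error-handling rules described above (added example, not Juniper code).
OPTIONAL, TRANSITIVE, PARTIAL, EXT_LEN = 0x80, 0x40, 0x20, 0x10  # path-attribute flag bits
NONE, DISCARD, WITHDRAW, NOTIFY = 0, 1, 2, 3  # the three approaches, in increasing severity
# IANA type code -> (name, correct OPTIONAL/TRANSITIVE bits, approach taken when malformed)
ATTRS = {1: ("ORIGIN", 0x40, WITHDRAW), 2: ("AS_PATH", 0x40, WITHDRAW),
         3: ("NEXT_HOP", 0x40, WITHDRAW), 4: ("MULTI_EXIT_DISC", 0x80, WITHDRAW),
         5: ("LOCAL_PREF", 0x40, WITHDRAW), 6: ("ATOMIC_AGGREGATE", 0x40, DISCARD),
         7: ("AGGREGATOR", 0xC0, DISCARD), 8: ("COMMUNITY", 0xC0, WITHDRAW),
         9: ("ORIGINATOR_ID", 0x80, WITHDRAW), 10: ("CLUSTER_LIST", 0x80, WITHDRAW),
         14: ("MP_REACH_NLRI", 0x80, NOTIFY), 15: ("MP_UNREACH_NLRI", 0x80, NOTIFY),
         16: ("EXT_COMMUNITY", 0xC0, WITHDRAW), 17: ("AS4_PATH", 0xC0, DISCARD),
         18: ("AS4_AGGREGATOR", 0xC0, DISCARD), 22: ("PMSI_TUNNEL", 0xC0, WITHDRAW),
         26: ("AIGP", 0x80, WITHDRAW), 128: ("ATTR_SET", 0xC0, WITHDRAW)}
FIXED_LEN = {1: (1,), 3: (4,), 4: (4,), 5: (4,), 6: (0,), 7: (6, 8), 9: (4,)}  # assumed checks

def fix_flags(flags, code):
    # Reset OPTIONAL/TRANSITIVE bits that conflict with the type code; EXT_LEN is never changed.
    want = ATTRS[code][1] if code in ATTRS else flags & (OPTIONAL | TRANSITIVE)
    partial = flags & PARTIAL if want == OPTIONAL | TRANSITIVE else 0  # PARTIAL legal only there
    return want | partial | (flags & EXT_LEN)

def parse_attributes(buf):
    # Walk the path-attributes field; parse_ok is False when a length field disagrees with the wire.
    attrs, pos = [], 0
    while pos + 3 <= len(buf):
        flags, code = buf[pos], buf[pos + 1]
        hdr = 4 if flags & EXT_LEN else 3  # EXT_LEN selects a one- or two-octet length field
        ln = int.from_bytes(buf[pos + 2:pos + hdr], "big")
        value = buf[pos + hdr:pos + hdr + ln]
        if len(value) != ln:  # the notification-message case: length field cannot be trusted
            return attrs, False
        attrs.append((fix_flags(flags, code), code, value))
        pos += hdr + ln
    return attrs, pos == len(buf)

def evaluate_update(buf):
    # Most severe approach triggered by any attribute wins; later duplicates are discarded.
    attrs, ok = parse_attributes(buf)
    if not ok:
        return NOTIFY, ["attribute length mismatch"]
    worst, reasons, seen = NONE, [], set()
    for flags, code, value in attrs:
        if code in seen:
            reasons.append(f"duplicate type {code} discarded")
        elif code not in ATTRS and not flags & OPTIONAL:  # unknown attribute claiming well-known
            worst = NOTIFY; reasons.append(f"unknown well-known type {code}")
        elif code in FIXED_LEN and len(value) not in FIXED_LEN[code]:
            worst = max(worst, ATTRS[code][2]); reasons.append(f"{ATTRS[code][0]} malformed")
        seen.add(code)
    return worst, reasons
```

Feeding it a constructed UPDATE with a well-formed ORIGIN, an empty AS_PATH and a four-octet NEXT_HOP returns NONE, while a three-octet NEXT_HOP yields WITHDRAW and a length field that runs past the buffer yields NOTIFY.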
CLI Quick Configuration shows the configuration for all of the devices in Figure 1.
The Step-by-Step Procedure section describes the steps on Device R1.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Device R0
Device R1
Device R2
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure the BGP error handling:
Configure the router interfaces.
Configure an interior gateway protocol (IGP), such as OSPF or IS-IS.
Configure the autonomous system (AS) number and router ID.
Configure the routing policy.
Configure the EBGP session.
Configure the IBGP sessions.
Enable BGP error tolerance.
(Optional) Configure the log interval.
(Optional) Configure a limit for the number of hidden routes to store.
Results
From configuration mode, confirm your configuration by entering the show interfaces, show protocols, show policy-options, and show routing-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
If you are done configuring the devices, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Checking the BGP Neighbor Sessions
Purpose
Verify that BGP error tolerance is enabled, and display the counters related to malformed path attributes.
Action
Meaning
The Malformed attributes field shows that error tolerance is enabled. The log interval and route limit fields display the configured values.
The attribute counters show that on the EBGP connection, several malformed attributes were received from Device R2.
Checking Hidden Routes
Purpose
View information about hidden routes and learn why they are hidden.
Action
Meaning
The malformed hidden routes are marked with MalformedAttr in the AS path field.
You can remove the hidden routes by running the clear bgp neighbor 10.10.10.2 malformed-route command.
Verifying the Source of the Hidden Routes
Purpose
View information about hidden routes and learn why they are hidden.
Action
Meaning
Junos OS displays MalformedAttr in the AS path field in the output of the show route receive-protocol bgp 10.10.10.2 detail hidden command.
You can remove the hidden routes by running the clear bgp neighbor 10.10.10.2 malformed-route command.