[nsp-sec] Crafted bgp update msg may cause slave re to crashJunOS.

Jared Mauch jared at puck.nether.net
Thu Sep 18 18:26:48 EDT 2008


	Cisco posted what this was a few days ago, I asked PSIRT to comment
and they did not.


CSCsk69927 Resolved in 12.2(18)SXF15

Symptoms:

All the BGP routes are dropped when IOS device receives BGP update with atomic-aggregate length as 254 (0xfe).

Conditions: The topology consists of two eBGP peers with test traffic across the link.

The BGP process does not crash, and routes are not restored after the event.

Workaround: None

More info: This is a PSIRT issue which exists in almost all the releases/branches 
	
On Thu, Sep 18, 2008 at 06:14:50PM -0400, Sayadian, Greg wrote:
> ----------- nsp-security Confidential --------
> 
> Does md5 hashing save you?
> ------Original Message------
> From: Chris Morrow
> To: Smith, Donald
> Cc: Rob Thomas
> Cc: nsp-security at puck.nether.net
> Sent: Sep 18, 2008 5:17 PM
> Subject: Re: [nsp-sec] Crafted bgp update msg may cause slave re to crashJunOS.
> 
> maybe paul can shed some light? or barry?? I've seen a few RE crashes on 
> our side that ended up looking like some weird routing update thing :(
> 
> -Chris
> 
> On Thu, 18 Sep 2008, Smith, Donald wrote:
> 
> > I have not tried to recreate this in the lab.
> > Because I don't have any detailed information.
> >
> > donald.smith at qwest.com giac
> >
> > ________________________________
> >
> > From: Rob Thomas [mailto:robt at cymru.com]
> > Sent: Thu 9/18/2008 2:59 PM
> > To: Smith, Donald
> > Cc: nsp-security at puck.nether.net
> > Subject: Re: [nsp-sec] Crafted bgp update msg may cause slave re to crashJunOS.
> >
> >
> >
> > Are there any specific packet characteristics (number of octets, flags,
> > something) on which flow queries could be based?  :)
> >
> >
> > Smith, Donald wrote:
> >> Most of you should have already seen this.
> >>
> >> Subject: New Juniper Technical Bulletin - PSN-2008-09-005
> >>
> >> The Juniper Networks Technical Assistance Center (JTAC) announces the
> >> following Technical Bulletin that is available on our Customer Support
> >> Center website.
> >>
> >> You will need a valid login ID on www.juniper.net in order to view the
> >> full description.
> >>
> >> Technical Bulletin Subject: Crafted BGP UPDATE messages can cause slave
> >> Routing Engines to crash
> >>
> >> Detailed information can be found at the following URL (login required):
> >> http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2008-09-005&actionBtn=Search
> >>
> >> If you do not have a valid login ID, you can submit your application at
> >> the following URL:
> >> http://www.juniper.net/registration/register.jsp
> >>
> >> NOTE: A Technical Bulletin is a formal notice regarding critical and/or
> >> potentially service-affecting hardware and software product issues. The
> >> Technical Bulletin process allows the proactive communication of
> >> pertinent information to both customers and partners.
> >>
> >> For further information, please contact the Juniper Technical Assistance
> >> Center(JTAC) by e-mail at support at juniper.net, or by phone:
> >>
> >> (888) 314-JTAC (within the US)
> >> +1 408-745-2121 (outside the US)
> >>
> >>
> >>
> >> H8Hz
> >> Donald.Smith at qwest.com giac
> >>
> >>
> >> This communication is the property of Qwest and may contain confidential or
> >> privileged information. Unauthorized use of this communication is strictly
> >> prohibited and may be unlawful.  If you have received this communication
> >> in error, please immediately notify the sender by reply e-mail and destroy
> >> all copies of the communication and any attachments.
> >>
> >>
> >> _______________________________________________
> >> nsp-security mailing list
> >> nsp-security at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/nsp-security
> >>
> >> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> >> community. Confidentiality is essential for effective Internet security counter-measures.
> >> _______________________________________________
> >
> > --
> > Rob Thomas
> > Team Cymru
> > http://www.team-cymru.org/
> > cmn_err(CEO_PANIC, "Out of coffee!");
> >
> >
> >
> >
> >
> >
> 
> 
> 
> 
> <><
> Greg Sayadian
> IT Security
> 
> 

-- 
Jared Mauch | I work for but do not always represent NTT America
list admin  | +1 313 506 4307 * send list policy questions to 
            | nsp-security-owner at puck.nether.net
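
An added example, not part of the original thread or of any vendor's code: a Python check that walks a BGP UPDATE path-attribute block and flags an ATOMIC_AGGREGATE attribute (type 6, defined in RFC 4271 with a length of 0) whose declared length is nonzero, such as the 254 (0xfe) in the Cisco bug text above. The function name and the sample byte strings are constructed for illustration; the samples are attribute blocks only, not captured traffic.

```python
import struct

ATOMIC_AGGREGATE = 6     # RFC 4271 type code; the attribute carries no value
FLAG_EXT_LEN = 0x10      # when set, the attribute length field is two octets


def audit_path_attributes(buf: bytes):
    """Return a list of (problem, offset, declared_length) tuples."""
    findings, off = [], 0
    while off < len(buf):
        hdr = 4 if buf[off] & FLAG_EXT_LEN else 3
        if off + hdr > len(buf):
            findings.append(("truncated-header", off, None))
            break
        type_code = buf[off + 1]
        if hdr == 4:
            (length,) = struct.unpack_from("!H", buf, off + 2)
        else:
            length = buf[off + 2]
        # Check the declared length before trusting it to advance the cursor.
        if type_code == ATOMIC_AGGREGATE and length != 0:
            findings.append(("atomic-aggregate-length", off, length))
        if off + hdr + length > len(buf):
            findings.append(("length-overruns-buffer", off, length))
            break
        off += hdr + length
    return findings


# Constructed samples (hypothetical values, documentation address space).
ORIGIN = bytes([0x40, 1, 1, 0])                                  # ORIGIN = IGP
AS_PATH = bytes([0x40, 2, 4, 2, 1]) + struct.pack("!H", 64512)   # one-AS AS_SEQUENCE
NEXT_HOP = bytes([0x40, 3, 4, 192, 0, 2, 1])
COMMON = ORIGIN + AS_PATH + NEXT_HOP                             # 18 octets

GOOD = COMMON + bytes([0x40, ATOMIC_AGGREGATE, 0])
# ATOMIC_AGGREGATE declaring 254 octets, with filler present.
BAD_PADDED = COMMON + bytes([0x40, ATOMIC_AGGREGATE, 0xFE]) + bytes(254)
# Same declared length, but no value octets follow.
BAD_SHORT = ORIGIN + bytes([0x40, ATOMIC_AGGREGATE, 0xFE])

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("padded", BAD_PADDED), ("short", BAD_SHORT)):
        print(name, audit_path_attributes(blob))
```

The check needs the UPDATE payload itself (a packet capture or a BGP monitoring feed); it cannot be run from flow records, which do not carry attribute contents.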


