[nsp-sec] Crafted bgp update msg may cause slave re to crashJunOS.

Hank Nussbacher hank at efes.iucc.ac.il
Fri Sep 19 02:16:37 EDT 2008 

On Thu, 18 Sep 2008, Jared Mauch wrote:

And PSIRT doesn't see a reason to announce this as a security advisory? 
As with previous cases, I think they are wrong.

Thanks Jared for alerting us here.

-Hank

> ----------- nsp-security Confidential --------
>
> 	Cisco posted what this was a few days ago, I asked PSIRT to comment
> and they did not.
>
>
> CSCsk69927 Resolved in 12.2(18)SXF15
>
> Symptoms:
>
> All the BGP routes are dropped when IOS device receives BGP update with atomic-aggregate length as 254 (0xfe).
>
> Conditions: The topology consists of two eBGP peers with test traffic across the link.
>
> The BGP process does not crash, and routes are not restored after the event.
>
> Workaround: None
>
> More info: This is a PSIRT issue which exists in almost all the releases/branches
>
> On Thu, Sep 18, 2008 at 06:14:50PM -0400, Sayadian, Greg wrote:
>> ----------- nsp-security Confidential --------
>>
>> Does md5 hashing save you?
>> ------Original Message------
>> From: Chris Morrow
>> To: Smith, Donald
>> Cc: Rob Thomas
>> Cc: nsp-security at puck.nether.net
>> Sent: Sep 18, 2008 5:17 PM
>> Subject: Re: [nsp-sec] Crafted bgp update msg may cause slave re to crashJunOS.
>>
>> ----------- nsp-security Confidential --------
>>
>> maybe paul can shed some light? or barry?? I've seen a few RE crashes on
>> our side that ended up looking like some wierd routing update thing :(
>>
>> -Chris
>>
>> On Thu, 18 Sep 2008, Smith, Donald wrote:
>>
>>> ----------- nsp-security Confidential --------
>>>
>>> I have not tried to recreate this in the lab.
>>> Because I don't have any detailed information.
>>>
>>> donald.smith at qwest.com giac
>>>
>>> ________________________________
>>>
>>> From: Rob Thomas [mailto:robt at cymru.com]
>>> Sent: Thu 9/18/2008 2:59 PM
>>> To: Smith, Donald
>>> Cc: nsp-security at puck.nether.net
>>> Subject: Re: [nsp-sec] Crafted bgp update msg may cause slave re to crashJunOS.
>>>
>>>
>>>
>>> Are there any specific packet characteristics (number of octets, flags,
>>> something) on which flow queries could be based?  :)
>>>
>>>
>>> Smith, Donald wrote:
>>>> ----------- nsp-security Confidential --------
>>>>
>>>> Most of you should have already seen this.
>>>>
>>>> Subject: New Juniper Technical Bulletin - PSN-2008-09-005
>>>>
>>>> The Juniper Networks Technical Assistance Center (JTAC) announces the
>>>> following Technical Bulletin that is available on our Customer Support
>>>> Center website.
>>>>
>>>> You will need a valid login ID on www.juniper.net in order to view the
>>>> full description.
>>>>
>>>> Technical Bulletin Subject: Crafted BGP UPDATE messages can cause slave
>>>> Routing Engines to crash
>>>>
>>>> Detailed information can be found at the following URL (login required):
>>>> http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2008-09-0
>>>> 05&actionBtn=Search
>>>>
>>>> If you do not have a valid login ID, you can submit your application at
>>>> the following URL:
>>>> http://www.juniper.net/registration/register.jsp
>>>>
>>>> NOTE: A Technical Bulletin is a formal notice regarding critical and/or
>>>> potentially service-affecting hardware and software product issues. The
>>>> Technical Bulletin process allows the proactive communication of
>>>> pertinent information to both customers and partners.
>>>>
>>>> For further information, please contact the Juniper Technical Assistance
>>>> Center(JTAC) by e-mail at support at juniper.net, or by phone:
>>>>
>>>> (888) 314-JTAC (within the US)
>>>> +1 408-745-2121 (outside the US)
>>>>
>>>>
>>>>
>>>> H8Hz
>>>> Donald.Smith at qwest.com giac
>>>>
>>>>
>>>> This communication is the property of Qwest and may contain confidential or
>>>> privileged information. Unauthorized use of this communication is strictly
>>>> prohibited and may be unlawful.  If you have received this communication
>>>> in error, please immediately notify the sender by reply e-mail and destroy
>>>> all copies of the communication and any attachments.
>>>>
>>>>
>>>> _______________________________________________
>>>> nsp-security mailing list
>>>> nsp-security at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>>
>>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>>> community. Confidentiality is essential for effective Internet security counter-measures.
>>>> _______________________________________________
>>>
>>> --
>>> Rob Thomas
>>> Team Cymru
>>> http://www.team-cymru.org/
>>> cmn_err(CEO_PANIC, "Out of coffee!");
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> nsp-security mailing list
>>> nsp-security at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/nsp-security
>>>
>>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>>> community. Confidentiality is essential for effective Internet security counter-measures.
>>> _______________________________________________
>>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
>>
>>
>> <><
>> Greg Sayadian
>> IT Security
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>> community. Confidentiality is essential for effective Internet security counter-measures.
>> _______________________________________________
>
> -- 
> Jared Mauch | I work for but do not always represent NTT America
> list admin  | +1 313 506 4307 * send list policy questions to
>            | nsp-security-owner at puck.nether.net
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>

More information about the nsp-security mailing list