[nsp-sec] Quagga distributed BGP session reset vulnerability (CVE-2010-1675)

Florian Weimer fweimer at bfk.de
Tue Mar 22 05:03:00 EDT 2011


Ever since Quagga gained experimental support for the AS_PATHLIMIT
Internet Draft, it was possible to force Quagga instances off the
Internet by injecting a malformed AS_PATHLIMIT path attribute into the
global routing table.  Affected Quagga instances would reset the BGP
session, in accordance with established BGP error handling procedures.
Routers which do not understand the AS_PATHLIMIT attribute would pass
the announcement unchanged (except for the Partial flag).  To my
knowledge, this includes all IOS and JUNOS versions, so the routers
themselves are not affected (but still propagate the
disease).

It turns out that the Extended Communities path attribute triggers the
same session reset behavior as the AS_PATHLIMIT path attribute in
relatively current JUNOS *and* IOS versions.  However, this does not
appear to be a problem because Extended Communities support is very
widely implemented in the Internet core, so a crafted announcement
does not travel very far from the point of injection.  (Obviously, I
have not tested this beyond the lab, but I'm pretty sure it's
correct.)  But it means that BGP routers on the Internet are more or
less required to implement Extended Communities support---and other
widely deployed extensions involving path attributes, such as mBGP and
32-bit AS numbers.  This also applies to route reflectors at IXPs.  In
particular, OpenBGPD seems to be used in this role in a few places and
gained Extended Communities support only relatively recently.  (But
then, in an IXP environment, it's probably easy to call the offending
party or pull the plug, should odd things ever happen.)

The IETF IDR working group is working on similar error handling issues
in the BGP session handling.  I've lost track of the many, slightly
different drafts in preparation, though.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
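
An added illustration of the handling described in the message above (not part of the original post, and not Quagga, IOS or JUNOS code): a small Python model of RFC 4271 attribute processing, in which an unrecognized optional transitive attribute is passed on with the Partial flag set until a speaker that validates it resets the session. It uses Extended Communities (type 16, 8-octet entries per RFC 4360) because its length rule is public; the router names, the AWARE/UNAWARE tables and the sample bytes are constructed for the example.

```python
import struct

# Path attribute flag bits (RFC 4271, section 4.3)
OPTIONAL, TRANSITIVE, PARTIAL, EXT_LEN = 0x80, 0x40, 0x20, 0x10
EXT_COMMUNITIES = 16  # RFC 4360: value is a sequence of 8-octet communities

def parse_attrs(buf):
    """Split an UPDATE's path attribute field into (flags, type, value) tuples."""
    attrs, i = [], 0
    while i < len(buf):
        hdr = 4 if buf[i] & EXT_LEN else 3
        if i + hdr > len(buf):
            raise ValueError("truncated attribute header")
        flags, code = buf[i], buf[i + 1]
        length = struct.unpack_from("!H" if hdr == 4 else "!B", buf, i + 2)[0]
        i += hdr
        if i + length > len(buf):
            raise ValueError("attribute overruns the field")
        attrs.append((flags, code, buf[i:i + length]))
        i += length
    return attrs

def process(known, attrs):
    """One speaker's RFC 4271 handling. `known` maps type code -> validator."""
    out = []
    for flags, code, value in attrs:
        if code in known:
            if not known[code](value):
                return "reset", f"malformed attribute type {code}"
            out.append((flags, code, value))
        elif not flags & OPTIONAL:
            return "reset", f"unrecognized well-known attribute type {code}"
        elif flags & TRANSITIVE:
            out.append((flags | PARTIAL, code, value))  # passed on, Partial set
        # unrecognized optional non-transitive attributes are dropped quietly
    return "forward", out

def propagate(path, attrs):
    """Walk an announcement along `path`; return [(router, action), ...]."""
    trace = []
    for name, known in path:
        action, result = process(known, attrs)
        trace.append((name, action))
        if action == "reset":
            break
        attrs = result
    return trace

# Constructed sample: optional transitive Extended Communities, 7 octets long
SAMPLE = bytes([OPTIONAL | TRANSITIVE, EXT_COMMUNITIES, 7]) + bytes(7)
AWARE = {EXT_COMMUNITIES: lambda v: len(v) % 8 == 0}  # hypothetical validator table
UNAWARE = {}  # speaker without support for the attribute
```

With every speaker on the path using AWARE, the reset stays on the session nearest the injection point; a path of UNAWARE speakers carries the announcement onward to the first AWARE one.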



