Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Crafted BGP UPDATE messages can tear down peering sessions (VU#929656, CVE-2007-6259)



Article ID: JSA10372 SECURITY_ADVISORIES Last Updated: 09 May 2013Version: 3.0
Legacy Advisory Id:
Product Affected:
All routing platforms running JUNOS software built prior to December 8, 2007
Certain crafted BGP UPDATE messages are incorrectly determined to contain an Invalid Path Attribute. Upon receipt of one of these UPDATE message, a NOTIFY message is sent to the peer with an error code of "UPDATE message error" (3) and a sub-code of "Malformed Attribute List" (1), and the peering session is terminated. The peering session will usually be re-established; however, as soon as the peer re-sends the crafted UPDATE message the session will once again be torn down.

The resulting "flapping" of the BGP session causes increased control traffic between the BGP peers, and requires CPU resources to process the routing information. Additionally, as the routing information received on the affected peering session changes, BGP route damping can occur elsewhere in the Internet, resulting in sub-optimal routing or traffic loss.

Due to the nature of the BGP protocol, it is not necessary for these crafted BGP UPDATE messages to originate from the router's immediate neighbor. The crafted messages can be propagated from a remotely located source.

These issues are tracked in PR/264283 and PR/261211. US/CERT has assigned VU#929656 to this vulnerability.
All JUNOS software releases built on or after December 8, 2007 have been corrected to properly handle these crafted BGP UPDATE messages.
Customers running the BGP protocol are strongly urged to update their routers to a version of JUNOS software that contains the corrected code. There is no work-around for this issue.
Severity Level:
Severity Assessment:
An attacker must be well-connected to the Internet to exploit this vulnerability. The attacker requires a BGP peering session with at least one network provider, and that provider must be accepting and propagating BGP routing information from the attacker. Furthermore, the BGP routing information must not be aggregated by intermediate routers in such a way as to remove the crafted portion of the data.

Despite these rather strict requirements, a successful attack will have significant impact. In addition to the targetted router being affected, the resulting "flapping" of routing information will cause general instability as it is propagated throughout the Internet.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search