Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Crafted BGP UPDATE messages can cause slave Routing Engines to crash



Article ID: JSA10387 SECURITY_ADVISORIES Last Updated: 30 Nov 2020Version: 6.0
Legacy Advisory Id:
Product Affected:
All JUNOS software releases
Under certain conditions, receipt of a BGP UPDATE message with an invalid NEXT_HOP attribute can cause slave routing Engines to crash. The primary Routing Engine may successfully install routes with the invalid NEXT_HOP (depending on normal BGP route selection criteria), and may propagate the invalid NEXT_HOP attribute to other BGP peers if the NEXT_HOP is not rewritten by local BGP export policy.

"Slave" Routing Engines include the Backup Routing Engines in all router platforms with dual REs, as well as all Active and Backup Routing Engines in the Line Card Chassis (LCC) components of a TX Matrix routing platform. All Slave Routing Engines use the same mechanism (ksyncd, the kernel synchronization daemon) to synchronize their forwarding plane information.

This issue is tracked in PR/302236.
JUNOS software has been modified to prevent the kernel synchronization mechanism from crashing in these conditions. The software has also been modified to prevent installation of routes with the invalid NEXT_HOP attribute, in turn preventing those routes from being readvertised to other BGP peers.
All JUNOS software version 8.5R4 and higher built on or after August 1, 2008 includes the modified code. JUNOS Versions prior to version 8.5R1 are not affected. Customers with affected platforms are strongly encouraged to update their system software to a release that contains the corrected code. Fixes were specific committed in: 8.5R4 8.5R4.1 9.0R3.5 9.0R4 9.1R3 9.2R1.4 9.2R2 9.3R1 9.4R1
Modification History:
2008-09-17: Initial publication
2020-11-20: Updated terminology

CVSS Score:
Severity Level:
Severity Assessment:
For non-TX Matrix routing platforms, the router will continue to operate normally. However, the additional load imposed when the backup Routing Engine reboots and resynchronizes its routing database could represent a Denial-of-Service. The backup RE will continue to crash, reboot, and resynchronize as long as the route with the invalid NEXT_HOP is installed in the active RE's database.

For TX-Matrix platforms, all active and backup REs in all LCCs will continuously crash, reboot, and resynchronize. The LCC Packet Forwarding Engines will also reboot due to loss of communications with the Routing Engines. This will result in a complete loss of forwarding on TX-Matrix platforms.

This vulnerability was discovered during software testing in a laboratory environment. At the time of publication of this bulletin, we are not aware of any attempts to exploit this vulnerability in a production network.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search