Knowledge Search


Crafted BGP UPDATE messages can cause slave Routing Engines to crash

  [JSA10387] Show Article Properties

Legacy Advisory Id:
Product Affected:
All JUNOS software releases
Under certain conditions, receipt of a BGP UPDATE message with an invalid NEXT_HOP attribute can cause slave routing Engines to crash. The master Routing Engine may successfully install routes with the invalid NEXT_HOP (depending on normal BGP route selection criteria), and may propagate the invalid NEXT_HOP attribute to other BGP peers if the NEXT_HOP is not rewritten by local BGP export policy.

"Slave" Routing Engines include the Backup Routing Engines in all router platforms with dual REs, as well as all Active and Backup Routing Engines in the Line Card Chassis (LCC) components of a TX Matrix routing platform. All Slave Routing Engines use the same mechanism (ksyncd, the kernel synchronization daemon) to synchronize their forwarding plane information.

This issue is tracked in PR/302236.
JUNOS software has been modified to prevent the kernel synchronization mechanism from crashing in these conditions. The software has also been modified to prevent installation of routes with the invalid NEXT_HOP attribute, in turn preventing those routes from being readvertised to other BGP peers.
All JUNOS software version 8.5R4 and higher built on or after August 1, 2008 includes the modified code. JUNOS Versions prior to version 8.5R1 are not affected. Customers with affected platforms are strongly encouraged to update their system software to a release that contains the corrected code. Fixes were specific committed in: 8.5R4 8.5R4.1 9.0R3.5 9.0R4 9.1R3 9.2R1.4 9.2R2 9.3R1 9.4R1
Related Links:
Risk Level:
Risk Assessment:
For non-TX Matrix routing platforms, the router will continue to operate normally. However, the additional load imposed when the backup Routing Engine reboots and resynchronizes its routing database could represent a Denial-of-Service. The backup RE will continue to crash, reboot, and resynchronize as long as the route with the invalid NEXT_HOP is installed in the active RE's database.

For TX-Matrix platforms, all active and backup REs in all LCCs will continuously crash, reboot, and resynchronize. The LCC Packet Forwarding Engines will also reboot due to loss of communications with the Routing Engines. This will result in a complete loss of forwarding on TX-Matrix platforms.

This vulnerability was discovered during software testing in a laboratory environment. At the time of publication of this bulletin, we are not aware of any attempts to exploit this vulnerability in a production network.