as-path-prepend with a specific AS_PATH length can cause a JUNOS router to send corrupted UPDATE packets to eBGP neighbors

[JSA10418]


Legacy Advisory Id:
PSN-2010-01-622
Product Affected:
All JUNOS Devices
Problem:
Data corruption in a BGP update packet with a long AS_PATH, built using the as-path-prepend option, could cause a neighboring eBGP peer to drop the session with an update message error. The number of AS_PATH prepends required is excessive (greater than 254), but can happen through normal operational configuration. Given the nature of AS_PATH, the as-path-prepend can be crafted to impact routers several AS hops away from the origin.

Limiting the number of AS numbers in the AS_PATH will not mitigate this issue on the receiving routers. Malformed Transitive Attributes are handled before the BGP logic for filtering the number of AS paths.

Credit: This issue was reported to Juniper Networks by Mark Bailey, Euan Galloway and Danny Vernals. Juniper Networks SIRT thanks them for their efforts.
Solution:
Customers are recommended to upgrade JUNOS through planned and methodical upgrade processes.

All JUNOS software releases built on or after March 12, 2009 have fixed this BGP as-path-prepend malformed attribute issue. This specifically includes 8.1S2, 8.5S1, 9.0S2, 9.1-20090321-SR, 9.2-20090320-SR, 9.2R4, 9.3R3, 9.4S1, 9.4R3, 9.5R1, and all subsequent releases.

PR Reference for this issue is PR 430077

A JUNOS Router can be prevented from sending excessive AS_PATHs using the following policy on all outbound BGP prefixes:

policy-options {
    policy-statement block-very-long-paths {
        from as-path too-many-hops;
        then reject;
    }

    as-path too-many-hops ".{200,}";
}


This outbound policy (or something similar) would limit the spread of the risk if a JUNOS router were to receive a BGP prefix with more than 254 AS paths.
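
Added example (not Juniper's code, and not a description of the defect itself, which this advisory does not detail): a Python model of the RFC 4271 AS_PATH attribute encoding that a path of this length has to use, the well-formedness check a receiver applies before any path-length policy runs, and the `.{200,}` policy above, where each `.` matches one AS number. It assumes 2-octet AS numbers and AS_SEQUENCE segments only; the function names and the sample ASN 64512 are constructed for illustration.

```python
import struct

AS_PATH, TRANSITIVE, EXT_LEN = 2, 0x40, 0x10   # type code and flag bits (RFC 4271)
AS_SET, AS_SEQUENCE = 1, 2                     # path segment types

def encode_as_path(asns):
    """Well-formed AS_PATH attribute for a list of 2-octet ASNs (assumption)."""
    value = b""
    for i in range(0, len(asns), 255):         # segment AS count is a single octet
        chunk = asns[i:i + 255]
        value += struct.pack("!BB%dH" % len(chunk), AS_SEQUENCE, len(chunk), *chunk)
    if len(value) > 255:                       # needs the two-octet length form
        return struct.pack("!BBH", TRANSITIVE | EXT_LEN, AS_PATH, len(value)) + value
    return struct.pack("!BBB", TRANSITIVE, AS_PATH, len(value)) + value

def parse_as_path(attr):
    """Return the ASNs in the attribute; raise ValueError if it is malformed."""
    if len(attr) < 3 or attr[1] != AS_PATH:
        raise ValueError("not an AS_PATH attribute")
    hdr = 4 if attr[0] & EXT_LEN else 3        # header is flags, type, 1 or 2 length octets
    if len(attr) < hdr:
        raise ValueError("truncated attribute header")
    body = attr[hdr:]
    if int.from_bytes(attr[2:hdr], "big") != len(body):
        raise ValueError("attribute length does not match value")
    asns, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated segment header")
        seg_type, count = body[pos], body[pos + 1]
        end = pos + 2 + 2 * count
        if seg_type not in (AS_SET, AS_SEQUENCE) or count == 0 or end > len(body):
            raise ValueError("malformed path segment")
        asns.extend(struct.unpack("!%dH" % count, body[pos + 2:end]))
        pos = end
    return asns

def policy_rejects(asns, limit=200):
    """Model of as-path ".{200,}": each "." matches one AS number."""
    return len(asns) >= limit

if __name__ == "__main__":
    path = [64512] * 300                       # constructed: one ASN prepended 300 times
    attr = encode_as_path(path)
    print(len(attr), hex(attr[0]), policy_rejects(parse_as_path(attr)))
```

The parse step rejects a bad attribute before `policy_rejects` ever sees the path, which mirrors why a path-length filter on the receiving side does not help.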
Implementation:
How to obtain Service Releases:

Security vulnerabilities are fixed in the next available Maintenance Release of each supported JUNOS version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory notices will indicate which Maintenance and/or Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.
Related Links:
CVSS Score:
7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Risk Level:
Critical
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."