2020-10 Security Bulletin: Junos OS and Junos OS Evolved: RPD crash due to BGP session flapping. (CVE-2020-1662)

Article ID: JSA11059 SECURITY_ADVISORIES Last Updated: 29 Oct 2020 Version: 2.0
Product Affected:
This issue affects Junos OS 17.2, 17.3, 17.4, 18.1, 18.2, 18.2X75, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1. This issue affects Junos OS Evolved 19.4-EVO, 20.1-EVO.
Problem:

On Juniper Networks Junos OS and Junos OS Evolved devices, BGP session flapping can lead to a routing process daemon (RPD) crash and restart. Because the issue is triggered through BGP sessions, the attack surface is limited to configured BGP peers.

This issue only affects devices with BGP damping in combination with accepted-prefix-limit configuration.

When the issue occurs, the following messages appear in /var/log/messages:

rpd[6046]: %DAEMON-4-BGP_PREFIX_THRESH_EXCEEDED: XXXX (External AS x): Configured maximum accepted prefix-limit threshold(1800) exceeded for inet6-unicast nlri: 1984 (instance master)
rpd[6046]: %DAEMON-3-BGP_CEASE_PREFIX_LIMIT_EXCEEDED: 2001:x:x:x::2 (External AS x): Shutting down peer due to exceeding configured maximum accepted prefix-limit(2000) for inet6-unicast nlri: 2001 (instance master)
rpd[6046]: %DAEMON-4: bgp_rt_maxprefixes_check_common:9284: NOTIFICATION sent to 2001:x:x:x::2 (External AS x): code 6 (Cease) subcode 1 (Maximum Number of Prefixes Reached) AFI: 2 SAFI: 1 prefix limit 2000
kernel: %KERN-5: mastership_relinquish_on_process_exit: RPD crashed on master RE. Sending SIGUSR2 to chassisd (5612:chassisd) to trigger RE switchover
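
The message sequence above can be turned into a log check. The following Python sketch is an added example, not Juniper code: it flags an RPD crash that follows a prefix-limit teardown. The function name and the 50-line correlation window are assumptions of this example.

```python
import re

# Patterns follow the message formats quoted in the advisory above.
CEASE = re.compile(
    r"rpd\[\d+\]: .*BGP_CEASE_PREFIX_LIMIT_EXCEEDED: (?P<peer>\S+) .*"
    r"prefix-limit\((?P<limit>\d+)\) for (?P<nlri>\S+) nlri")
CRASH = re.compile(r"kernel: .*RPD crashed on master RE")

def find_crash_sequences(lines, window=50):
    """Report each RPD crash preceded, within `window` log lines, by a
    prefix-limit teardown. The window size is an assumption of this example."""
    findings, pending = [], []
    for n, line in enumerate(lines, 1):
        m = CEASE.search(line)
        if m:
            pending.append({"line": n, "peer": m["peer"],
                            "nlri": m["nlri"], "limit": int(m["limit"])})
        elif CRASH.search(line):
            recent = [p for p in pending if n - p["line"] <= window]
            if recent:
                findings.append({"crash_line": n, "teardowns": recent})
            pending = []  # teardowns seen before this crash are not reused
    return findings

# Lines 1-4 are the advisory's own (redacted) messages; line 5 is
# constructed: a second crash with no preceding teardown.
SAMPLE = [
    "rpd[6046]: %DAEMON-4-BGP_PREFIX_THRESH_EXCEEDED: XXXX (External AS x): Configured maximum accepted prefix-limit threshold(1800) exceeded for inet6-unicast nlri: 1984 (instance master)",
    "rpd[6046]: %DAEMON-3-BGP_CEASE_PREFIX_LIMIT_EXCEEDED: 2001:x:x:x::2 (External AS x): Shutting down peer due to exceeding configured maximum accepted prefix-limit(2000) for inet6-unicast nlri: 2001 (instance master)",
    "rpd[6046]: %DAEMON-4: bgp_rt_maxprefixes_check_common:9284: NOTIFICATION sent to 2001:x:x:x::2 (External AS x): code 6 (Cease) subcode 1 (Maximum Number of Prefixes Reached) AFI: 2 SAFI: 1 prefix limit 2000",
    "kernel: %KERN-5: mastership_relinquish_on_process_exit: RPD crashed on master RE. Sending SIGUSR2 to chassisd (5612:chassisd) to trigger RE switchover",
    "kernel: %KERN-5: mastership_relinquish_on_process_exit: RPD crashed on master RE. Sending SIGUSR2 to chassisd (5612:chassisd) to trigger RE switchover",
]

if __name__ == "__main__":
    for f in find_crash_sequences(SAMPLE):
        peers = ", ".join(t["peer"] for t in f["teardowns"])
        print(f"line {f['crash_line']}: RPD crash after prefix-limit teardown of {peers}")
```

A crash with no teardown in the window is not reported, since an RPD restart on its own is not specific to this issue.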
 

This issue affects:

Juniper Networks Junos OS:

  • 17.2R3-S3;
  • 17.3 version 17.3R3-S3 and later versions, prior to 17.3R3-S8;
  • 17.4 version 17.4R2-S4, 17.4R3 and later versions, prior to 17.4R2-S10, 17.4R3-S2;
  • 18.1 version 18.1R3-S6 and later versions, prior to 18.1R3-S10;
  • 18.2 version 18.2R3 and later versions, prior to 18.2R3-S4;
  • 18.2X75 version 18.2X75-D50, 18.2X75-D60 and later versions, prior to 18.2X75-D53, 18.2X75-D65;
  • 18.3 version 18.3R2 and later versions, prior to 18.3R2-S4, 18.3R3-S2;
  • 18.4 version 18.4R2 and later versions, prior to 18.4R2-S5, 18.4R3-S2;
  • 19.1 version 19.1R1 and later versions, prior to 19.1R2-S2, 19.1R3-S1;
  • 19.2 version 19.2R1 and later versions, prior to 19.2R1-S5, 19.2R2;
  • 19.3 versions prior to 19.3R2-S3, 19.3R3;
  • 19.4 versions prior to 19.4R1-S3, 19.4R2;
  • 20.1 versions prior to 20.1R1-S2, 20.1R2.

Juniper Networks Junos OS Evolved prior to 20.1R2-EVO.

This issue does not affect Juniper Networks Junos OS versions prior to 17.2R3-S3.
 

An example of the configuration stanza affected by this issue is as follows:

[protocols bgp damping]

used in combination with accepted-prefix-limit configuration:

[protocols bgp ... accepted-prefix-limit]

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2020-1662.

Solution:

The following software releases have been updated to resolve this specific issue:

Junos OS: 17.2R3-S4, 17.3R3-S8, 17.3R3-S9, 17.4R2-S10, 17.4R3-S2, 18.1R3-S10, 18.2R3-S4, 18.2X75-D53, 18.2X75-D65, 18.3R2-S4, 18.3R3-S2, 18.4R2-S5, 18.4R3-S2, 19.1R2-S2, 19.1R3-S1, 19.2R1-S5, 19.2R2, 19.3R2-S3, 19.3R3, 19.4R1-S3, 19.4R2, 20.1R1-S2, 20.1R2, 20.2R1, and all subsequent releases.

Junos OS Evolved: 20.1R2-EVO, and all subsequent releases.

This issue is being tracked as 1490079.

Workaround:

There are multiple workarounds that can be applied to prevent this issue:

1. Disable BGP router flap damping.

2. Replace "accepted-prefix-limit" with "prefix-limit" in the BGP configuration, for example:

   [edit protocols bgp group $ neighbor $ family $ unicast]
   + prefix-limit {
   - accepted-prefix-limit {

3. Make sure that the BGP session idle-timeout is longer than the damping max-suppress time.

   In other words, by the time a peer is eligible to establish a BGP session again, no previously advertised prefixes remain suppressed.

   The BGP session idle-timeout is configured under:

  [protocols bgp damping ... teardown <TEARDOWN_VALUE> idle-timeout <IDLE_TIMEOUT_VALUE>]

   The BGP damping max-suppress time is configured under:

  [protocols bgp damping ... max-suppress <MAX_SUPPRES_VALUE>]

   The <IDLE_TIMEOUT_VALUE> needs to be higher than <MAX_SUPPRES_VALUE>.
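
A configuration audit for the affected combination and for workaround 3, as an added Python example that is not Juniper code. It assumes `show configuration | display set` style input in which idle-timeout appears on the accepted-prefix-limit teardown statement and max-suppress on a policy-options damping statement, both in minutes; the function name, the 60-minute default and the sample lines are assumptions of this example.

```python
DEFAULT_MAX_SUPPRESS = 60  # minutes; assumed Junos default when no policy sets it

def audit(set_lines, default_max_suppress=DEFAULT_MAX_SUPPRESS):
    """Check `display set` lines for damping + accepted-prefix-limit and for
    workaround 3: every idle-timeout must exceed the largest max-suppress."""
    damping, idle, suppress = False, {}, []
    for line in set_lines:
        t = line.split()
        if t[:3] == ["set", "protocols", "bgp"]:
            if t[-1] == "damping":
                damping = True
            if "accepted-prefix-limit" in t:
                i = t.index("accepted-prefix-limit")
                scope = " ".join(t[3:i])          # group / neighbor / family path
                idle.setdefault(scope, None)
                if "idle-timeout" in t[i:]:
                    idle[scope] = t[t.index("idle-timeout", i) + 1]
        elif t[:3] == ["set", "policy-options", "damping"] and "max-suppress" in t:
            suppress.append(int(t[t.index("max-suppress") + 1]))
    max_suppress = max(suppress, default=default_max_suppress)

    def long_enough(value):
        # "forever" keeps the session down; a missing idle-timeout fails the check.
        return value == "forever" or (value is not None and int(value) > max_suppress)

    return {
        # Conservative: damping anywhere under BGP plus any accepted-prefix-limit.
        "affected_combination": damping and bool(idle),
        "max_suppress": max_suppress,
        "too_short": sorted(s for s, v in idle.items() if not long_enough(v)),
    }

# Constructed sample configuration (not from the advisory).
SAMPLE_CONFIG = [
    "set policy-options damping FLAP max-suppress 45",
    "set protocols bgp damping",
    "set protocols bgp group ebgp neighbor 2001:db8::2 family inet6 unicast accepted-prefix-limit maximum 2000",
    "set protocols bgp group ebgp neighbor 2001:db8::2 family inet6 unicast accepted-prefix-limit teardown 90 idle-timeout 30",
    "set protocols bgp group ebgp neighbor 2001:db8::3 family inet6 unicast accepted-prefix-limit maximum 2000",
    "set protocols bgp group ebgp neighbor 2001:db8::3 family inet6 unicast accepted-prefix-limit teardown 90 idle-timeout 60",
]

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```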

Implementation:
Software releases or updates are available for download at https://www.juniper.net/support/downloads/.
Modification History:
2020-10-14: Initial Publication.
CVSS Score:
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Severity Level:
High
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
