A serious flaw affecting several major Border Gateway Protocol (BGP) implementations can be exploited to cause prolonged internet outages, but some vendors are not patching it, a researcher warned on Tuesday.
The issue was discovered by Ben Cartwright-Cox, the owner of BGP.Tools, a company that provides monitoring services to help organizations quickly identify and address BGP-related issues.
BGP is the gateway protocol used for exchanging routing information between autonomous systems on the internet. BGP hijacking and leaks can be used to redirect users to arbitrary sites or cause severe disruptions.
BGP exchanges UPDATE messages to advertise routing information, including IP ranges and an attribute that provides additional context.
The problem identified by Cartwright-Cox is related to these attributes and the ability of BGP implementations to handle them. Specifically, if a router does not understand an attribute, it may pass it along without impact, but if it does understand it and the attribute is corrupted, an error can be triggered and the BGP session is shut down, preventing the affected network from communicating with the rest of the internet.
“With some reasonably educated crafting of a payload, someone could design a BGP UPDATE that ‘travels’ along the internet unharmed, until it reaches a targeted vendor and results in that vendor resetting sessions. If that data comes down the BGP connections that are providing wider internet access for the network, this could result in a network being pulled offline from the internet,” Cartwright-Cox explained in a blog post.
“This attack is not even a one-off ‘hit-and-run’, as the ‘bad’ route is still stored in the peer router; when the session restarts the victim router will reset again the moment the route with the crafted payload is transmitted again. This has the potential to cause prolonged internet or peering outages,” the researcher added.
This is not just a theoretical problem. Cartwright-Cox started researching the issue after a small Brazilian network announced an internet route with a corrupt attribute in early June, causing serious disruptions in other networks.
The expert has created a basic fuzzer to test whether various BGP implementations are impacted. He found that MikroTik, Ubiquiti, Arista, Huawei, Cisco and Bird are not affected.
His tests showed that Juniper Networks’ Junos OS, Nokia’s SR-OS, Extreme Networks’ EXOS, OpenBSD’s OpenBGPd, and FRRouting are impacted.
Cartwright-Cox reported his findings to impacted vendors, but said only OpenBSD (CVE-2023-38283) rushed to create a patch. Juniper and FRR developers have assigned the CVE identifiers CVE-2023-4481 and CVE-2023-38802, respectively. Juniper has published an advisory informing customers about the availability of patches. Nokia and Extreme apparently do not plan on addressing the issue.
However, there are steps that organizations can take to prevent potential exploitation, and Cartwright-Cox reached out to some of the impacted organizations himself — advising them to implement mitigations — when seeing that vendors refused to alert customers.
The researcher described the vendor disclosure process as time-consuming and frustrating.
“If the goal of reporting security flaws is to reduce harm to their customers, I’m not convinced that reporting problems to vendors has enough of an effective impact to be worth doing, vs the loss of personal time and sanity,” Cartwright-Cox said.
*updated to clarify that Juniper has released patches and added link to Juniper advisory