Cyber security researchers at Forescout Vedere Labs have discovered three new vulnerabilities in an implementation of the Border Gateway Protocol (BGP) used in a number of popular Internet routing systems.

The affected software includes:

  • FRRouting
  • BIRD
  • OpenBGPd
  • Mikrotik
  • RouterOS
  • Juniper JunOS
  • Cisco IOS
  • Arista EOS

The vulnerabilities could be exploited by malicious threat actors to achieve a Distributed Denial of Service (DDoS) by causing the affected device to drop all its BGP sessions and routing tables, rendering that device unresponsive. As a result, the device would be unable to route traffic, affecting any peers connected to it.

The vulnerabilities are detailed below:

  • CVE-2022-40302 (CVSS score: 6.5) – Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option.
  • CVE-2022-40318 (CVSS score: 6.5) – Out-of-bounds read when processing a malformed BGP OPEN message with an Extended Optional Parameters Length option.
  • CVE-2022-43681 (CVSS score: 6.5) – Out-of-bounds read when processing a malformed BGP OPEN message that abruptly ends with the option length octet.
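All three issues are length-handling bugs in the parsing of OPEN message optional parameters. As an added illustration (not code from the page or from any of the named projects), the following C parser walks the optional parameters of a BGP OPEN message, including the RFC 9072 extended-length form, and rejects a message that ends at the option length octet or declares more bytes than it carries; the sample messages, AS number and router identifier are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BGP_HDR_LEN 19     /* 16-octet marker + 2-octet length + 1-octet type */
#define BGP_OPEN_FIXED 10  /* version, my AS, hold time, identifier, opt parm len */
enum { OPEN_OK = 0, OPEN_TRUNCATED = -1, OPEN_BAD_LEN = -2 };

/* Bounds-checked walk over the optional parameters of a BGP OPEN message.
 * buf/len is the whole message including the header. Every read is guarded
 * against buf+len, so a truncated or over-declared parameter is rejected
 * instead of being read past the end of the buffer. */
int parse_bgp_open(const uint8_t *buf, size_t len)
{
    if (len < BGP_HDR_LEN + BGP_OPEN_FIXED) return OPEN_TRUNCATED;
    size_t msg_len = ((size_t)buf[16] << 8) | buf[17];
    if (msg_len != len || buf[18] != 1) return OPEN_BAD_LEN;   /* type 1 = OPEN */

    const uint8_t *end = buf + len;
    const uint8_t *p = buf + BGP_HDR_LEN + 9;                 /* Opt Parm Len octet */
    size_t opt_len = *p++, len_field = 1;

    /* RFC 9072 extended form: Opt Parm Len 255 followed by parameter type 255
     * introduces a 2-octet Extended Opt Parm Length and 2-octet param lengths. */
    if (opt_len == 255 && p < end && *p == 255) {
        if ((size_t)(end - p) < 3) return OPEN_TRUNCATED;      /* type + 2 length octets */
        opt_len = ((size_t)p[1] << 8) | p[2];
        p += 3;
        len_field = 2;
    }
    if ((size_t)(end - p) != opt_len) return OPEN_BAD_LEN;     /* declared vs. actual size */

    while (p < end) {
        if ((size_t)(end - p) < 1 + len_field) return OPEN_TRUNCATED; /* ends at the length octet(s) */
        size_t plen = len_field == 1 ? p[1] : (((size_t)p[1] << 8) | p[2]);
        p += 1 + len_field;
        if ((size_t)(end - p) < plen) return OPEN_TRUNCATED;   /* value runs past the message */
        p += plen;
    }
    return OPEN_OK;
}

/* Constructed sample messages: v4, AS 65000, hold time 180, identifier 10.0.0.1. */
#define MARKER 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
#define OPEN_BODY 0x04, 0xfd,0xe8, 0x00,0xb4, 0x0a,0x00,0x00,0x01
const uint8_t OPEN_PLAIN[]   = { MARKER, 0x00,0x1d, 0x01, OPEN_BODY, 0x00 };              /* no parameters */
const uint8_t OPEN_CUT[]     = { MARKER, 0x00,0x1f, 0x01, OPEN_BODY, 0x02, 0x02, 0x01 };  /* ends with length octet */
const uint8_t OPEN_EXT[]     = { MARKER, 0x00,0x24, 0x01, OPEN_BODY, 0xff, 0xff,0x00,0x04, 0x02,0x00,0x01,0x00 };
const uint8_t OPEN_EXT_CUT[] = { MARKER, 0x00,0x1e, 0x01, OPEN_BODY, 0xff, 0xff };        /* extended length missing */

int main(void)
{
    printf("plain=%d cut=%d ext=%d ext_cut=%d\n", parse_bgp_open(OPEN_PLAIN, sizeof OPEN_PLAIN),
           parse_bgp_open(OPEN_CUT, sizeof OPEN_CUT), parse_bgp_open(OPEN_EXT, sizeof OPEN_EXT),
           parse_bgp_open(OPEN_EXT_CUT, sizeof OPEN_EXT_CUT));
    return 0;
}
```

A parser that trusts the declared Opt Parm Len or a parameter's length octet without comparing it against the bytes actually received is the pattern that leads to the out-of-bounds reads listed above.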

What is BGP?

BGP, the Border Gateway Protocol, is a routing protocol used to exchange routing information between different networks (known as Autonomous Systems (AS)) on the Internet.

Classed as a path vector protocol, BGP makes routing decisions based on the path, or sequence of autonomous systems, that a packet must traverse to reach its destination.

BGP is used to exchange information about the availability and quality of network routes between autonomous systems, and allows routers to select the best path for a packet based on a set of configurable rules, such as the shortest path, lowest cost, or highest bandwidth.

BGP uses rulesets to determine the best path for a packet to take through the network. When a BGP router receives information about a new route, it will compare that route to its existing routing table to determine whether the new route is a better path. If the new route is better, the BGP router will update its routing table and begin forwarding packets along the new path.

One important feature of BGP is its ability to support policy-based routing. This allows network administrators to configure BGP to prefer certain paths over others based on specific criteria, such as network performance, cost, or other factors. Additionally, BGP supports the use of multiple paths for a single destination, which allows for load balancing and redundancy in case of network failures.

BGP plays a critical role in ensuring the stability and reliability of the Internet. However, misconfigurations or the malicious use of BGP can lead to routing problems, such as traffic hijacking or blackholing, which can have significant consequences for Internet users and service providers.

YouTube / Pakistan BGP incident

In 2008, an Autonomous System in Pakistan made a mistake when configuring BGP and effectively wiped YouTube off the Internet for a few hours.

Pakistan’s government ordered YouTube to be blocked for Pakistani citizens because of offensive material (specifically a video depicting cartoons of the Prophet Muhammad) being available on the site.

The order to block access to YouTube came from the highest levels of the government and was passed along to Pakistan’s Electronic Media Regulatory Authority and then to Pakistan’s telecom authority, which in turn issued the formal order to the Internet providers.

BGP announcement

The easiest way to block access to an Autonomous System for an entire country is for that country's networks to generate BGP downstream announcements to all their customers stating that they are the preferred route to that specific network, and then simply drop (blackhole) all the packets. This is what the network admins were trying to do in this case, but they accidentally made a BGP upstream announcement instead.

Pakistan Telecom issued a BGP update stating that they were the correct route for the 256 addresses in YouTube’s 208.65.153.0 network space and sent this update to their upstream network providers, who in turn announced it to the rest of the Internet. Within a matter of seconds, traffic started flowing to the wrong place.

The YouTube video below shows Internet traffic flow at the time of this incident.