CVE-2023-28967: Uninitialized Resource Vulnerability in Juniper Networks' BGP Software Leads to Denial of Service

A recent discovery reveals a vulnerability in the Border Gateway Protocol (BGP) software of Juniper Networks Junos OS and Junos OS Evolved, known as CVE-2023-28967. This vulnerability is classified as a "Use of Uninitialized Resource" and allows an unauthenticated network-based attacker to cause a Denial of Service (DoS) by crashing the Routing Protocol Daemon (rpd). The issue is triggered when specific, genuine BGP packets are sent to a device configured with BGP before a BGP session is successfully established. If these packets are continuously received, a sustained Denial of Service condition occurs. This vulnerability affects both iBGP and eBGP deployments.

The vulnerability is present in:

- Juniper Networks Junos OS version 21.1R1 and later versions prior to 21.1R3-S5, 21.2R1 and later versions prior to 21.2R3-S2, 21.3R1 and later versions prior to 21.3R3-S2, 21.4 versions prior to 21.4R3, 22.1 versions prior to 22.1R3, and 22.2 versions prior to 22.2R2. It does not affect Junos OS versions before 21.1R1.
- Juniper Networks Junos OS Evolved version 21.1R1-EVO and later versions prior to 21.4R3-EVO, 22.1-EVO versions prior to 22.1R3-EVO, and 22.2-EVO versions prior to 22.2R2-EVO. It does not affect Junos OS Evolved versions before 21.1R1-EVO.

For complete protection, users are advised to install the appropriate patches for their software versions.
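Because the affected ranges above are split across several release trains, with different fix points for Junos OS and Junos OS Evolved, checking an inventory by hand is error-prone. The following Python helper is an added example (not Juniper's tooling and not part of the original advisory): it parses a Junos version string such as `21.1R3-S4`, `21.4R1.12` or `21.4R3-EVO` into a sortable key and compares it against a table transcribed from the version lists on this page. The version-string grammar it accepts is an assumption about the common `major.minor R release [-S service] [.build] [-EVO]` form; trains the page does not mention (for example 22.3) are reported as "not listed" rather than as safe.

```python
"""Classify Junos OS / Junos OS Evolved versions against the affected
ranges listed on this page for CVE-2023-28967.

Added example: the range table below is transcribed from the page's
affected-version lists; it is not Juniper's own data.
"""
import re
from typing import List, Tuple

# Sortable key: (major, minor, R release, S service release).
# A missing service release sorts as 0, so 21.1R3 < 21.1R3-S1 < 21.1R3-S5.
Key = Tuple[int, int, int, int]

# Accepts forms like 21.1R3-S4, 21.4R1.12, 21.1R3-S4.1 and 21.4R3-EVO
# (assumed grammar). The optional ".N" build number is ignored for ordering.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(-EVO)?$", re.IGNORECASE
)

# Affected ranges from the page: (low inclusive, high exclusive).
_JUNOS_RANGES: List[Tuple[Key, Key]] = [
    ((21, 1, 1, 0), (21, 1, 3, 5)),   # 21.1R1 up to, not including, 21.1R3-S5
    ((21, 2, 1, 0), (21, 2, 3, 2)),   # 21.2R1 up to 21.2R3-S2
    ((21, 3, 1, 0), (21, 3, 3, 2)),   # 21.3R1 up to 21.3R3-S2
    ((21, 4, 0, 0), (21, 4, 3, 0)),   # any 21.4 prior to 21.4R3
    ((22, 1, 0, 0), (22, 1, 3, 0)),   # any 22.1 prior to 22.1R3
    ((22, 2, 0, 0), (22, 2, 2, 0)),   # any 22.2 prior to 22.2R2
]
_EVO_RANGES: List[Tuple[Key, Key]] = [
    ((21, 1, 1, 0), (21, 4, 3, 0)),   # 21.1R1-EVO up to 21.4R3-EVO (spans 21.1-21.4)
    ((22, 1, 0, 0), (22, 1, 3, 0)),   # any 22.1-EVO prior to 22.1R3-EVO
    ((22, 2, 0, 0), (22, 2, 2, 0)),   # any 22.2-EVO prior to 22.2R2-EVO
]


def parse_version(version: str) -> Tuple[Key, bool]:
    """Return (sortable key, is_evolved) for a Junos version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    major, minor, release, service, evo = m.groups()
    key: Key = (int(major), int(minor), int(release), int(service or 0))
    return key, evo is not None


def assess(version: str) -> str:
    """Classify a version as 'affected', 'not affected' or 'not listed'.

    'not affected' covers releases before 21.1R1(-EVO), which the page states
    are unaffected, and listed trains at or beyond their fixed release.
    'not listed' covers trains the page does not mention at all.
    """
    key, is_evo = parse_version(version)
    ranges = _EVO_RANGES if is_evo else _JUNOS_RANGES
    if key < ranges[0][0]:
        return "not affected"
    for low, high in ranges:
        if low <= key < high:
            return "affected"
    if any(key[:2] == high[:2] and key >= high for _, high in ranges):
        return "not affected"
    return "not listed"


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = {
        "edge-1": "21.1R3-S4",
        "edge-2": "21.1R3-S5",
        "core-1": "21.4R1.12",
        "core-2": "22.3R1",
        "ptx-1": "21.3R1-EVO",
        "ptx-2": "21.4R3-EVO",
    }
    for host, ver in inventory.items():
        print(f"{host:8} {ver:14} {assess(ver)}")
```

Run it against a real inventory by feeding `show version` output (for example via a PyEZ `Device.facts["version"]` lookup) into `assess`; anything reported as "affected" should be scheduled for the matching fixed release, and "not listed" results should be checked against the vendor advisory rather than assumed safe.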

References

- Juniper Networks Security Advisory
- NIST National Vulnerability Database (NVD)

Exploit Details

An attacker may send genuine BGP packets containing specific values in certain fields to initiate a BGP connection before a BGP session is fully established. The affected software fails to initialize a resource before using it, causing rpd to crash and resulting in a denial of service. Below is an illustration of the layout of a BGP OPEN message of the kind involved:

Example BGP Packet:
  - Header Marker: 16 bytes of 0xFF
  - Header Length: Length of the entire BGP packet
  - Header Type: OPEN
  - OPEN Version: 4
  - OPEN ASN: (Typically the attacker's ASN)
  - OPEN Hold Time: (Typically the negotiated value)
  - OPEN BGP ID: (Can be set to the attacker's IP address)
  - Optional Parameters Length: (Length of the entire optional parameters field)
  - Optional Parameters: (The specific fields and values that trigger the crash are not disclosed here)

This vulnerability enables an attacker to potentially send a continuous stream of such malicious BGP packets to sustain the DoS condition, affecting both iBGP and eBGP deployments.

Conclusion

CVE-2023-28967 is a serious vulnerability in Juniper Networks' BGP software that can lead to denial of service. To minimize the impact and protect against potential exploits, users should apply the appropriate patches and continuously monitor their networks for any signs of malicious activity. This use of uninitialized resources serves as a reminder of the importance of proper resource management and thorough software testing.

Timeline

Published on: 04/17/2023 22:15:00 UTC
Last modified on: 04/18/2023 03:15:00 UTC