Vigil@nce: OpenBSD, denial of service of bgpd
February 2009 by
SYNTHESIS OF THE VULNERABILITY
An attacker can send a BGP message with a long AS path, in order
to stop the bgpd daemon.
Gravity: 2/4
Consequences: denial of service of service
Provenance: internet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 19/02/2009
IMPACTED PRODUCTS
– OpenBSD
DESCRIPTION OF THE VULNERABILITY
The BGP protocol is used to maintain routes on a large IP network.
Each provider network has an ASN (Autonomous System Number), and
BGP establishes the list of paths which can be taken to reach
another AS. For example, to reach the AS 5:
– path a: AS 1, AS 2, AS 3, AS 5
– path b: AS 1, AS 4, AS 5 (shorter, and thus better)
The as_path attribute of a BGP packet indicates the list of ASN
already traversed.
When the bgpd daemon of OpenBSD receives a packet, it thus have to
complete the as_path attribute. In order to do so, the
aspath_prepend() function of the usr.sbin/bgpd/rde_attr.c file
computes the required size. However, when the number of ASN in a
path exceeds 255, the size is truncated, which creates an error
and stops the daemon.
An attacker can therefore send a BGP message with a long AS path,
in order to stop the bgpd daemon.
CHARACTERISTICS
Identifiers: BID-33828, VIGILANCE-VUL-8483
http://vigilance.fr/vulnerability/OpenBSD-denial-of-service-of-bgpd-8483