Route to bugs: Analyzing the security of BGP message parsing

Presented at DEF CON 31 (2023), Aug. 11, 2023, 10:30 a.m. (45 minutes)

This talk discusses an overlooked aspect of Border Gateway Protocol (BGP) security: vulnerabilities in how its implementations parse BGP messages. Software implementing BGP is relied upon for Internet routing and for functions such as internal routing in large data centers. A lot of (deserved) attention is given to aspects of BGP protocol security discussed in RFC 4272, which can be mitigated with the use of RPKI and BGPsec. However, recent BGP incidents show that it might take only a malformed packet to cause a large disruption.

We will present a quantitative analysis of previous vulnerabilities in both open and closed-source popular BGP implementations and focus the talk on a new analysis of seven modern implementations. Main findings in this research include:

  1. Some implementations process parts of OPEN messages before validating the BGP ID and ASN fields of the originating router, which means that only TCP spoofing is required to inject malformed packets.
  2. Three new vulnerabilities in a leading open-source implementation, which could be exploited to achieve denial of service on vulnerable peers, thus dropping all BGP sessions and routing tables and rendering the peer unresponsive.

These vulnerabilities were found using a fuzzer we developed and will release to the community.

REFERENCES:

  • https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
  • https://datatracker.ietf.org/doc/html/rfc4272
  • https://www.oecd.org/publications/routing-security-40be69c8-en.htm
  • https://www.zdnet.com/article/internet-experiment-goes-wrong-takes-down-a-bunch-of-linux-routers/
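The parsing order that finding 1 argues for can be sketched as follows. This is an added example, not code from the talk or from any BGP implementation: it checks the sender's ASN and BGP ID before reading any optional-parameter byte, then bounds-checks each parameter. It assumes the RFC 4271 OPEN layout with a 2-byte ASN field and a neighbor whose ASN and BGP ID are known from configuration; all function names and sample messages are hypothetical.

```python
import struct

HEADER_LEN, OPEN_MIN_LEN, TYPE_OPEN = 19, 29, 1  # sizes and type code from RFC 4271

class OpenRejected(ValueError):
    pass

def parse_open(msg: bytes, peer_asn: int, peer_bgp_id: bytes):
    """Check the sender's identity first, then walk the optional parameters."""
    if len(msg) < OPEN_MIN_LEN:
        raise OpenRejected("truncated message")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if msg[:16] != b"\xff" * 16 or mtype != TYPE_OPEN or length != len(msg):
        raise OpenRejected("bad header")
    version, my_as, hold, bgp_id, opt_len = struct.unpack("!BHH4sB", msg[19:29])
    if version != 4:
        raise OpenRejected("unsupported version")
    # Assumption: peer_asn and peer_bgp_id come from the neighbor's configuration.
    if my_as != peer_asn or bgp_id != peer_bgp_id:
        raise OpenRejected("unexpected peer identity")
    if opt_len != length - OPEN_MIN_LEN:
        raise OpenRejected("optional parameter length mismatch")
    params, pos = [], OPEN_MIN_LEN
    while pos < length:
        if length - pos < 2:
            raise OpenRejected("truncated parameter header")
        ptype, plen = msg[pos], msg[pos + 1]
        pos += 2
        if plen > length - pos:  # declared length must fit in the bytes left
            raise OpenRejected("parameter overruns message")
        params.append((ptype, msg[pos:pos + plen]))
        pos += plen
    return hold, params

def build_open(asn, bgp_id, opt=b"", opt_len=None):
    """Constructed test input: an OPEN with hold time 90 and raw parameter bytes."""
    declared = len(opt) if opt_len is None else opt_len
    body = struct.pack("!BHH4sB", 4, asn, 90, bgp_id, declared) + opt
    return b"\xff" * 16 + struct.pack("!HB", HEADER_LEN + len(body), TYPE_OPEN) + body

def verdict(msg, peer_asn=65001, peer_bgp_id=bytes([192, 0, 2, 1])):
    try:
        parse_open(msg, peer_asn, peer_bgp_id)
        return "accepted"
    except OpenRejected as exc:
        return str(exc)

BAD_PARAM = bytes([2, 200, 1])  # constructed: declares 200 bytes, carries 1
print(verdict(build_open(65002, bytes([192, 0, 2, 1]), BAD_PARAM)))
```

With the identity check placed first, the malformed parameter from an unexpected ASN is rejected without being parsed; the same bytes from the configured peer are still caught by the bounds check.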

Presenters:

  • Simon Guiot - Security Researcher at Forescout
    Simon Guiot has experience in software engineering and software vulnerability management. He is currently a Security Researcher at Forescout Technologies doing vulnerability and threat research.
  • Daniel dos Santos - Head of Security Research at Forescout
    Daniel dos Santos is the Head of Security Research at Forescout's Vedere Labs, where he leads a team of researchers that identifies new vulnerabilities and monitors active threats. He holds a PhD in computer science, has published over 35 peer-reviewed papers on cybersecurity, has found or disclosed hundreds of CVEs and is a frequent speaker at security conferences.
