CVE-2017-10618

Summary

When the 'bgp-error-tolerance' feature â€" designed to help mitigate remote session resets from malformed path attributes â€" is enabled, a BGP UPDATE containing a specifically crafted set of transitive attributes can cause the RPD routing process to crash and restart. Devices with BGP enabled that do not have 'bgp-error-tolerance' configured are not vulnerable to this issue. Affected releases are Juniper Networks Junos OS 13.3 prior to 13.3R10-S2; 14.1 prior to 14.1R8-S4, 14.1R9; 14.1X50 prior to 14.1X50-D185; 14.1X53 prior to 14.1X53-D45, 14.1X53-D50; 14.2 prior to 14.2R7-S7, 14.2R8; 15.1 prior to 15.1F5-S8, 15.1F6-S7, 15.1R5-S6, 15.1R6-S2, 15.1R7; 15.1X49 prior to 15.1X49-D100; 15.1X53 prior to 15.1X53-D64, 15.1X53-D70; 16.1 prior to 16.1R3-S4, 16.1R4-S3, 16.1R5; 16.2 prior to 16.2R1-S5, 16.2R2; 17.1 prior to 17.1R1-S3, 17.1R2; 17.2 prior to 17.2R1-S2, 17.2R2; 17.2X75 prior to 17.2X75-D50. No other Juniper Networks products or platforms are affected by this issue.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS13.3 prior to 13.3R10-S2affected
Juniper NetworksJunos OS14.1 prior to 14.1R8-S4, 14.1R9affected
Juniper NetworksJunos OS14.1X50 prior to 14.1X50-D185affected
Juniper NetworksJunos OS14.1X53 prior to 14.1X53-D45, 14.1X53-D50affected
Juniper NetworksJunos OS14.2 prior to 14.2R7-S7, 14.2R8affected
Juniper NetworksJunos OS15.1 prior to 15.1F5-S8, 15.1F6-S7, 15.1R5-S6, 15.1R6-S2, 15.1R7affected
Juniper NetworksJunos OS15.1X49 prior to 15.1X49-D100affected
Juniper NetworksJunos OS15.1X53 prior to 15.1X53-D64, 15.1X53-D70affected
Juniper NetworksJunos OS16.1 prior to 16.1R3-S4, 16.1R4-S3, 16.1R5affected
Juniper NetworksJunos OS16.2 prior to 16.2R1-S5, 16.2R2affected
Juniper NetworksJunos OS17.1 prior to 17.1R1-S3, 17.1R2affected
Juniper NetworksJunos OS17.2 prior to 17.2R1-S2, 17.2R2affected
Juniper NetworksJunos OS17.2X75 prior to 17.2X75-D50affected

Weaknesses

  • Denial of service

Workarounds

If 'bgp-error-tolerance' is enabled, disabling this option under 'protocols bgp' will mitigate this issue.

Note that when the error handling feature is off, the router is vulnerable to session resets from malformed path attributes. However, this is RFC 4271 compliant behavior.

ADP Enrichment

CVE Program Container

Additional References

References