CVE-2020-1662

Summary

On Juniper Networks Junos OS and Junos OS Evolved devices, BGP session flapping can lead to a routing process daemon (RPD) crash and restart, limiting the attack surface to configured BGP peers. This issue only affects devices with BGP damping in combination with accepted-prefix-limit configuration. When the issue occurs the following messages will appear in the /var/log/messages: rpd[6046]: %DAEMON-4-BGP_PREFIX_THRESH_EXCEEDED: XXXX (External AS x): Configured maximum accepted prefix-limit threshold(1800) exceeded for inet6-unicast nlri: 1984 (instance master) rpd[6046]: %DAEMON-3-BGP_CEASE_PREFIX_LIMIT_EXCEEDED: 2001:x:x:x::2 (External AS x): Shutting down peer due to exceeding configured maximum accepted prefix-limit(2000) for inet6-unicast nlri: 2001 (instance master) rpd[6046]: %DAEMON-4: bgp_rt_maxprefixes_check_common:9284: NOTIFICATION sent to 2001:x:x:x::2 (External AS x): code 6 (Cease) subcode 1 (Maximum Number of Prefixes Reached) AFI: 2 SAFI: 1 prefix limit 2000 kernel: %KERN-5: mastership_relinquish_on_process_exit: RPD crashed on master RE. Sending SIGUSR2 to chassisd (5612:chassisd) to trigger RE switchover This issue affects: Juniper Networks Junos OS: 17.2R3-S3; 17.3 version 17.3R3-S3 and later versions, prior to 17.3R3-S8; 17.4 version 17.4R2-S4, 17.4R3 and later versions, prior to 17.4R2-S10, 17.4R3-S2; 18.1 version 18.1R3-S6 and later versions, prior to 18.1R3-S10; 18.2 version 18.2R3 and later versions, prior to 18.2R3-S4; 18.2X75 version 18.2X75-D50, 18.2X75-D60 and later versions, prior to 18.2X75-D53, 18.2X75-D65; 18.3 version 18.3R2 and later versions, prior to 18.3R2-S4, 18.3R3-S2; 18.4 version 18.4R2 and later versions, prior to 18.4R2-S5, 18.4R3-S2; 19.1 version 19.1R1 and later versions, prior to 19.1R2-S2, 19.1R3-S1; 19.2 version 19.2R1 and later versions, prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S3, 19.3R3; 19.4 versions prior to 19.4R1-S3, 19.4R2; 20.1 versions prior to 20.1R1-S2, 20.1R2. Juniper Networks Junos OS Evolved prior to 20.1R2-EVO. This issue does not affect Juniper Networks Junos OS versions prior to 17.2R3-S3.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS17.2R3-S3affected
Juniper NetworksJunos OSunspecified < 17.2R3-S3unaffected
Juniper NetworksJunos OS17.3R3-S3 < 17.3*affected
Juniper NetworksJunos OS17.4R2-S4, 17.4R3 < 17.4*affected
Juniper NetworksJunos OS18.1R3-S6 < 18.1*affected
Juniper NetworksJunos OS18.2R3 < 18.2*affected
Juniper NetworksJunos OS18.2X75-D50, 18.2X75-D60 < 18.2X75*affected
Juniper NetworksJunos OS18.3R2 < 18.3*affected
Juniper NetworksJunos OS18.4R2 < 18.4*affected
Juniper NetworksJunos OS19.1R1 < 19.1*affected
Juniper NetworksJunos OS19.2R1 < 19.2*affected
Juniper NetworksJunos OS19.3 < 19.3R2-S3, 19.3R3affected
Juniper NetworksJunos OS19.4 < 19.4R1-S3, 19.4R2affected
Juniper NetworksJunos OS20.1 < 20.1R1-S2, 20.1R2affected
Juniper NetworksJunos OS Evolved19.4-EVOaffected
Juniper NetworksJunos OS Evolved20.1-EVO < 20.1R2-EVOaffected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

Workarounds

There are multiple workarounds that can be applied to prevent this issue:

  1. Disable BGP router flap damping.

  2. Replace "accepted-prefix-limit" with "prefix-limit" in the BGP configuration, for example: [edit protocols bgp group ${GRP} neighbor ${NEI} family ${AFI} unicast]

  •      prefix-limit {
    
  •     accepted-prefix-limit {
    
  1. Make sure that the BGP session idle-timeout is longer than damping max-suppress time. In other words, by the time a peer is eligible to establish BGP session again, no previously advertised prefixes remain suppressed. The BGP session idle time out is configured under: [protocols bgp damping … teardown <TEARDOWN_VALUE> idle-timeout <IDLE_TIMEOUT_VALUE>] The BGP damping max-suppress time configured under: [protocol bgp damping… max-suppress <MAX_SUPPRES_VALUE>] The <IDLE_TIMEOUT_VALUE> needs to be higher than <MAX_SUPPRES_VALUE>

ADP Enrichment

CVE Program Container

Additional References

References