CVE-2020-1662
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
On Juniper Networks Junos OS and Junos OS Evolved devices, BGP session flapping can lead to a routing process daemon (RPD) crash and restart, limiting the attack surface to configured BGP peers. This issue only affects devices with BGP damping in combination with accepted-prefix-limit configuration. When the issue occurs the following messages will appear in the /var/log/messages: rpd[6046]: %DAEMON-4-BGP_PREFIX_THRESH_EXCEEDED: XXXX (External AS x): Configured maximum accepted prefix-limit threshold(1800) exceeded for inet6-unicast nlri: 1984 (instance master) rpd[6046]: %DAEMON-3-BGP_CEASE_PREFIX_LIMIT_EXCEEDED: 2001:x:x:x::2 (External AS x): Shutting down peer due to exceeding configured maximum accepted prefix-limit(2000) for inet6-unicast nlri: 2001 (instance master) rpd[6046]: %DAEMON-4: bgp_rt_maxprefixes_check_common:9284: NOTIFICATION sent to 2001:x:x:x::2 (External AS x): code 6 (Cease) subcode 1 (Maximum Number of Prefixes Reached) AFI: 2 SAFI: 1 prefix limit 2000 kernel: %KERN-5: mastership_relinquish_on_process_exit: RPD crashed on master RE. Sending SIGUSR2 to chassisd (5612:chassisd) to trigger RE switchover This issue affects: Juniper Networks Junos OS: 17.2R3-S3; 17.3 version 17.3R3-S3 and later versions, prior to 17.3R3-S8; 17.4 version 17.4R2-S4, 17.4R3 and later versions, prior to 17.4R2-S10, 17.4R3-S2; 18.1 version 18.1R3-S6 and later versions, prior to 18.1R3-S10; 18.2 version 18.2R3 and later versions, prior to 18.2R3-S4; 18.2X75 version 18.2X75-D50, 18.2X75-D60 and later versions, prior to 18.2X75-D53, 18.2X75-D65; 18.3 version 18.3R2 and later versions, prior to 18.3R2-S4, 18.3R3-S2; 18.4 version 18.4R2 and later versions, prior to 18.4R2-S5, 18.4R3-S2; 19.1 version 19.1R1 and later versions, prior to 19.1R2-S2, 19.1R3-S1; 19.2 version 19.2R1 and later versions, prior to 19.2R1-S5, 19.2R2; 19.3 versions prior to 19.3R2-S3, 19.3R3; 19.4 versions prior to 19.4R1-S3, 19.4R2; 20.1 versions prior to 20.1R1-S2, 20.1R2. Juniper Networks Junos OS Evolved prior to 20.1R2-EVO. This issue does not affect Juniper Networks Junos OS versions prior to 17.2R3-S3.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Juniper Networks | Junos OS | 17.2R3-S3 | affected |
| Juniper Networks | Junos OS | unspecified < 17.2R3-S3 | unaffected |
| Juniper Networks | Junos OS | 17.3R3-S3 < 17.3* | affected |
| Juniper Networks | Junos OS | 17.4R2-S4, 17.4R3 < 17.4* | affected |
| Juniper Networks | Junos OS | 18.1R3-S6 < 18.1* | affected |
| Juniper Networks | Junos OS | 18.2R3 < 18.2* | affected |
| Juniper Networks | Junos OS | 18.2X75-D50, 18.2X75-D60 < 18.2X75* | affected |
| Juniper Networks | Junos OS | 18.3R2 < 18.3* | affected |
| Juniper Networks | Junos OS | 18.4R2 < 18.4* | affected |
| Juniper Networks | Junos OS | 19.1R1 < 19.1* | affected |
| Juniper Networks | Junos OS | 19.2R1 < 19.2* | affected |
| Juniper Networks | Junos OS | 19.3 < 19.3R2-S3, 19.3R3 | affected |
| Juniper Networks | Junos OS | 19.4 < 19.4R1-S3, 19.4R2 | affected |
| Juniper Networks | Junos OS | 20.1 < 20.1R1-S2, 20.1R2 | affected |
| Juniper Networks | Junos OS Evolved | 19.4-EVO | affected |
| Juniper Networks | Junos OS Evolved | 20.1-EVO < 20.1R2-EVO | affected |
Weaknesses
- CWE-20: CWE-20 Improper Input Validation
Workarounds
There are multiple workarounds that can be applied to prevent this issue:
Disable BGP router flap damping.
Replace "accepted-prefix-limit" with "prefix-limit" in the BGP configuration, for example: [edit protocols bgp group ${GRP} neighbor ${NEI} family ${AFI} unicast]
prefix-limit {
accepted-prefix-limit {
- Make sure that the BGP session idle-timeout is longer than damping max-suppress time. In other words, by the time a peer is eligible to establish BGP session again, no previously advertised prefixes remain suppressed. The BGP session idle time out is configured under: [protocols bgp damping … teardown <TEARDOWN_VALUE> idle-timeout <IDLE_TIMEOUT_VALUE>] The BGP damping max-suppress time configured under: [protocol bgp damping… max-suppress <MAX_SUPPRES_VALUE>] The <IDLE_TIMEOUT_VALUE> needs to be higher than <MAX_SUPPRES_VALUE>
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.