It's hard to believe that despite so much manpower, time, and money dedicated to the cybersecurity industry, an entire class of vulnerability can fly under the radar. But researchers from Forescout argue that exactly this has happened with regard to flaws in Border Gateway Protocol (BGP) implementations.
Few technologies are more central to the Internet than BGP, which manages how packets of data get transmitted between networks. Its position in the global Web has earned it attention from state-level actors, the security community, and three-letter agencies.
However, most of the focus thus far, from every side, has been on the protocol itself, which is a problem. "When people go way too deep into one thing, they might leave a blind spot behind," warns Forescout researcher Daniel dos Santos, who will demonstrate several such blind spots in a presentation at next month's Black Hat USA.
Like any protocol specification, BGP requires implementations that translate the protocol into code that can run on routers. This software, like any software, is liable to contain vulnerabilities. Yet as dos Santos points out, the last time BGP software vulnerabilities were systematically analyzed on a big stage was two decades ago at Black Hat.
"So it's nice to mark this 20-year anniversary by pointing out how things have changed in the way that BGP is used," he says.
Vulnerabilities in BGP Software
In May, dos Santos and his colleagues published the results of a study into seven BGP implementations: the open source FRRouting, BIRD, and OpenBGPD; and the proprietary MikroTik RouterOS, Juniper Junos OS, Cisco IOS, and Arista EOS. Using fuzzing, an automated analysis technique that feeds invalid inputs to software to test it for holes, they discovered three new vulnerabilities.
CVE-2022-40302, CVE-2022-40318, and CVE-2022-43681 were each assigned "medium" CVSS scores of 6.5. All three pertained to the latest version of just one of the implementations, FRRouting, which is used in popular networking solutions such as Nvidia Cumulus. Cumulus, for its part, has been adopted by such organizations as PayPal, AthenaHealth, and Qualcomm.
At the heart of the vulnerabilities was message parsing. Typically, one would expect a protocol to check that a user is authorized to send a message before processing the message. FRRouting did the reverse, parsing before verifying. So if an attacker could have spoofed or otherwise compromised a trusted BGP peer's IP address, they could have executed a denial-of-service (DoS) attack, sending malformed packets in order to render the victim unresponsive for an indefinite amount of time.
FRRouting has since patched all three vulnerabilities.
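The verify-then-parse order described above, sketched in C as an added example; it is not FRRouting's code and does not come from the Forescout research. Function and enum names are hypothetical, and the field layout is the basic RFC 4271 OPEN format, without the extended optional-parameters encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this sketch; not FRRouting's own. */
enum open_result { OPEN_OK, OPEN_UNKNOWN_PEER, OPEN_BAD_HEADER, OPEN_BAD_LENGTH, OPEN_BAD_PARAMS };

#define BGP_HDR_LEN  19u   /* 16-byte marker + 2-byte length + 1-byte type */
#define BGP_OPEN_MIN 29u   /* header + version, AS, hold time, identifier, opt-param length */
#define BGP_MAX_LEN  4096u /* largest message allowed by RFC 4271 */

/* Step 1: authorization. Runs before a single message byte is interpreted. */
static int peer_is_configured(uint32_t src, const uint32_t *peers, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (peers[i] == src) return 1;
    return 0;
}

/* Step 2: parse, checking every declared length against the bytes received. */
enum open_result handle_open(uint32_t src, const uint32_t *peers, size_t npeers,
                             const uint8_t *buf, size_t len)
{
    if (!peer_is_configured(src, peers, npeers)) return OPEN_UNKNOWN_PEER;
    if (len < BGP_HDR_LEN || buf[18] != 1) return OPEN_BAD_HEADER;       /* type 1 = OPEN */
    for (size_t i = 0; i < 16; i++) if (buf[i] != 0xff) return OPEN_BAD_HEADER; /* marker */
    size_t msg_len = ((size_t)buf[16] << 8) | buf[17];
    if (msg_len < BGP_OPEN_MIN || msg_len > BGP_MAX_LEN || msg_len > len) return OPEN_BAD_LENGTH;
    if (BGP_OPEN_MIN + buf[28] != msg_len) return OPEN_BAD_LENGTH;       /* opt-param length must fill the rest */
    for (size_t off = BGP_OPEN_MIN; off < msg_len; ) {
        if (msg_len - off < 2) return OPEN_BAD_PARAMS;        /* no room for type + length */
        size_t plen = buf[off + 1];
        if (plen > msg_len - off - 2) return OPEN_BAD_PARAMS; /* value would overrun the message */
        off += 2 + plen;
    }
    return OPEN_OK;
}

int main(void)
{
    /* Constructed sample: OPEN whose optional-parameter length byte (200) overruns the message. */
    uint8_t m[33] = { [16] = 0, 33, 1, 4, 0xfd, 0xe8, 0, 90, 192, 0, 2, 1, 4, 2, 200, 0xaa, 0xbb };
    uint32_t peers[] = { 0xC0000201u };   /* 192.0.2.1, documentation address range */
    memset(m, 0xff, 16);
    printf("configured peer: %d, unknown peer: %d\n", (int)handle_open(peers[0], peers, 1, m, sizeof m),
           (int)handle_open(0xC6336401u, peers, 1, m, sizeof m));
    return 0;
}
```

A source-address check like this does not stop a sender that spoofs or compromises a configured peer's address, which is why the length checks in step 2 still have to hold for traffic from trusted peers.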
Mitigating BGP Software Risks
In recent years, the profile of organizations that have to think about BGP has expanded.
"Originally, BGP was only used for large-scale routing — Internet service providers, Internet exchange points, things like that," dos Santos says. "But especially in the last decade, with the massive growth of data centers, BGP is also being used by organizations to do their own internal routing, simply because of the scale that has been reached," to coordinate VPNs across multiple sites or data centers, for example.
More than 317,000 Internet hosts have BGP enabled, most of them concentrated in China (around 92,000) and the US (around 57,000). Just under 2,000 run FRRouting — though not all, necessarily, with BGP enabled — and only around 630 respond to malformed BGP OPEN messages.
To mitigate any future risks that may arise from BGP software implementations, dos Santos recommends that organizations first develop a clear inventory of the devices running on their networks and the software running on those devices, then focus on always patching as soon as possible.
Because at the end of the day, dos Santos isn't overly worried about any one vulnerability, or even three. It's that "organizations have a much larger attack surface than what they're really paying enough attention to," he says. "That includes IoT, operational technology, and now network infrastructure, including BGP."