CVE-2023-45886

7.5 HIGH

📋 TL;DR

This vulnerability in the IP Infusion ZebOS BGP daemon (bgpd) allows a remote attacker to cause a denial of service by sending a specially crafted BGP UPDATE message containing a malformed path attribute. It affects network devices running vulnerable ZebOS versions that process BGP traffic. A crash of bgpd tears down every BGP session on the device, disrupting routing and network connectivity until the daemon is back up and the sessions have reconverged.

💻 Affected Systems

Products:
  • IP Infusion ZebOS
Versions: Through 7.10.6
Operating Systems: Various (embedded in network devices)
Default Config Vulnerable: ⚠️ Yes (any device with a BGP peer configured; the workarounds below only reduce exposure, they do not change how bgpd parses attributes)
Notes: Affects any system running ZebOS with BGP enabled and processing external BGP updates. Commonly found in routers, switches, and other network infrastructure built on ZebOS by OEM vendors, where the ZebOS version is not the same as the device's own firmware version.

📦 What is this software?

ZebOS is IP Infusion's routing and switching protocol software suite, licensed to network equipment vendors and embedded in their products. bgpd is its BGP daemon: the process that maintains peer sessions and parses every incoming UPDATE message.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete BGP daemon crash leading to routing table loss, network partition, and extended service disruption requiring manual intervention to restore.

🟠

Likely Case

BGP daemon crash causing temporary routing disruption until process restarts, potentially causing route flapping and packet loss.

🟢

If Mitigated

Limited impact with proper network segmentation and BGP session filtering, potentially causing only isolated session resets.

🌐 Internet-Facing: HIGH - eBGP sessions with transit providers, peers and customers are directly exposed, and UPDATE messages are accepted from any peer with an established session. The attacker needs such a session: a configured peer, a compromised one, or injection into a TCP connection that is not protected by MD5/TCP-AO.
🏢 Internal Only: MEDIUM - iBGP sessions can be hit the same way by an attacker who gains a foothold on the internal network. A malformed optional transitive attribute may also be carried unchanged through intermediate routers that do not validate it, reaching a ZebOS device that is not the attacker's direct peer.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a BGP UPDATE that carries a malformed path attribute over an established session, which any BGP speaker that lets you build raw attributes can do. The bug is in bgpd's error handling of that attribute: instead of rejecting the UPDATE with a NOTIFICATION (UPDATE Message Error) as RFC 4271 section 6.3 requires, the daemon crashes.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 7.10.6

Vendor Advisory: https://www.ipinfusion.com/doc_prod_cat/zebos/

Restart Required: Yes

Instructions:

1. Contact IP Infusion (or the OEM vendor of the device) for a ZebOS version later than 7.10.6.
2. Back up the current configuration.
3. Install the updated ZebOS software.
4. Restart the BGP daemon or the entire device.
5. Verify that BGP sessions re-establish and that the expected prefixes are received from each peer.

🔧 Temporary Workarounds

BGP Session Filtering

Platform: all

Apply an inbound route-map so that routes from untrusted peers are rejected. Caveat: inbound policy is evaluated after the UPDATE has already been parsed, so it does not keep a malformed attribute away from the vulnerable code; it limits what a peer can put into the routing table, not whether bgpd crashes. The snippet below rejects every route from the peer (the as-path list permits nothing, so clause 10 never matches and the implicit deny at the end of the route-map drops everything), which is equivalent to not taking routes from that peer at all.

configure router bgp
neighbor <peer_ip> route-map FILTER_IN in
route-map FILTER_IN deny 10
match as-path 1
ip as-path access-list 1 deny .*

BGP Maximum Prefix Limiting

Platform: all

Limit the number of prefixes accepted from each peer. Caveat: this bounds the fallout of a route flood and resets the session when the limit is hit, but a single UPDATE carrying one malformed attribute is enough to trigger this bug, so maximum-prefix does not prevent the crash.

configure router bgp
neighbor <peer_ip> maximum-prefix 100

🧯 If You Can't Patch

  • Restrict who can open a session to bgpd: permit TCP port 179 only from configured peer addresses, enable MD5 or TCP-AO session authentication, and use GTSM (TTL security) where the platform supports it, so that an attacker must control or compromise a real peer rather than reach the daemon from anywhere
  • Monitor BGP for anomalies (session resets, NOTIFICATIONs for UPDATE Message Error, bgpd restarts), rate limit session establishment, and be ready to shut down a peer that is sending malformed UPDATEs

🔍 How to Verify

Check if Vulnerable:

Run show version | include ZebOS. If the reported ZebOS version is 7.10.6 or earlier and BGP is configured, the system is vulnerable. On OEM devices check the ZebOS line specifically; the device's own firmware version does not tell you which ZebOS release is embedded.

Check Version:

show version | include ZebOS

Verify Fix Applied:

Verify that the running ZebOS version is later than 7.10.6 and that BGP sessions stay stable under normal traffic. After the fix, a malformed UPDATE should be answered with a NOTIFICATION and logged as an UPDATE Message Error rather than causing bgpd to restart.

📡 Detection & Monitoring

Log Indicators:

  • BGP daemon crash logs
  • Unexpected BGP session resets
  • Error messages about malformed BGP attributes

Network Indicators:

  • Unusual BGP update patterns
  • Multiple BGP session resets from same peer
  • Malformed BGP attribute packets in captures

SIEM Query (Splunk-style; adapt the source field and message strings to how your pipeline labels bgpd, kernel and service-manager events):

source="bgpd" AND ("crash" OR "restart" OR "malformed attribute")
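Added detection example that runs the log and network indicators above over sample lines. The log lines are constructed for the demonstration and are not real ZebOS output; the regular expressions, the 5-minute window and the reset threshold are assumptions about a generic syslog layout and will need adjusting to the device's actual message format.

```python
"""Added detection example for the log and network indicators above. The log lines are
constructed for the demonstration, not real ZebOS output; the regexes are assumptions
about a generic syslog layout and must be adjusted to the device's actual format."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
CRASH_RE = re.compile(r"crash|segfault|SEGV|signal 11|core dumped|restart", re.I)
MALFORMED_RE = re.compile(r"malformed|attribute (?:length|flags) error|UPDATE message error", re.I)
RESET_RE = re.compile(r"(?:neighbor|peer) (?P<peer>\d+\.\d+\.\d+\.\d+).*?(?:Down|reset|NOTIFICATION)", re.I)

RESET_WINDOW = timedelta(minutes=5)  # assumed tuning values
RESET_THRESHOLD = 3


def scan(lines):
    """Return (kind, timestamp, detail) alerts for bgpd crashes/restarts, malformed-attribute
    errors, and peers whose session resets RESET_THRESHOLD times within RESET_WINDOW."""
    alerts, resets = [], defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or "bgpd" not in line:  # only events that mention the BGP daemon
            continue
        ts, msg = datetime.fromisoformat(m["ts"]), m["msg"]
        if CRASH_RE.search(msg):
            alerts.append(("bgpd_crash_or_restart", ts, msg))
        if MALFORMED_RE.search(msg):
            alerts.append(("malformed_attribute", ts, msg))
        r = RESET_RE.search(msg)
        if r:
            peer = r["peer"]
            # keep only resets inside the sliding window, then add this one
            resets[peer] = [t for t in resets[peer] if ts - t <= RESET_WINDOW] + [ts]
            if len(resets[peer]) == RESET_THRESHOLD:
                alerts.append(("repeated_resets", ts,
                               f"{peer}: {RESET_THRESHOLD} session resets within {RESET_WINDOW}"))
    return alerts


def summarize(alerts):
    """Alert counts by kind, the shape a SIEM correlation rule would key on."""
    return dict(Counter(kind for kind, _, _ in alerts))


# Constructed sample: a peer sends a bad UPDATE, bgpd dies, the service manager restarts it,
# and the same peer keeps reconnecting and tearing the session down again.
SAMPLE_LOG = """\
2024-03-01T10:00:01 rtr1 bgpd[812]: neighbor 192.0.2.10 Up
2024-03-01T10:00:05 rtr1 bgpd[812]: UPDATE from 192.0.2.10: attribute length error (type 14, len 4096)
2024-03-01T10:00:05 rtr1 bgpd[812]: neighbor 192.0.2.10 Down - NOTIFICATION sent
2024-03-01T10:00:06 rtr1 kernel: bgpd[812]: segfault at 0 ip 0000000000401d2e sp 00007ffd1234abcd error 4 in bgpd
2024-03-01T10:00:20 rtr1 systemd[1]: bgpd.service: Main process exited, code=killed, status=11/SEGV
2024-03-01T10:00:20 rtr1 systemd[1]: bgpd.service: Scheduled restart job
2024-03-01T10:01:10 rtr1 bgpd[901]: neighbor 192.0.2.10 Up
2024-03-01T10:01:15 rtr1 bgpd[901]: neighbor 192.0.2.10 Down - NOTIFICATION sent
2024-03-01T10:02:30 rtr1 bgpd[950]: neighbor 192.0.2.10 Down - NOTIFICATION sent
2024-03-01T10:02:40 rtr1 bgpd[950]: neighbor 198.51.100.7 Up
""".splitlines()

if __name__ == "__main__":
    for kind, ts, detail in scan(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {kind:22} {detail}")
```

On the sample, the first alert is the malformed-attribute error itself, the crash and restart lines produce three crash/restart alerts, and 192.0.2.10 trips the repeated-reset rule on its third session loss inside five minutes. That last signal is the one worth paging on: a peer that keeps bringing down a freshly restarted bgpd is either broken or attacking, and shutting that neighbor down stops the loop while the upgrade is scheduled.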
