CVE-2023-38802 PAN-OS: Denial-of-Service (DoS) Vulnerability in BGP Software
Description
BGP software such as FRRouting (FRR), included as part of the PAN-OS, Prisma SD-WAN ION, and Prisma Access routing features, enables a remote attacker to incorrectly reset network sessions through an invalid BGP update. This issue is applicable only to devices and appliances with BGP routing features enabled.
This issue requires the remote attacker to control at least one established BGP session that is propagated to the router to exploit it. The denial-of-service (DoS) impact on the network depends on the network's architecture and fault-tolerant design.
Prisma Access 'Security Processing Node Endpoint Remote Network (SP-RN/Branches)' and 'Service Connections (SCs/CANs)' nodes do not peer with the Internet and do not receive Internet routes directly unless explicitly configured by the customer. Prisma Access Nodes are commonly protected by unaffected customer-premise equipment (CPE router devices). Hence the impact of this issue on Prisma Access is limited.
Further details about this issue can be found at: https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 11.0 | < 11.0.3 | >= 11.0.3 |
| PAN-OS 10.2 | < 10.2.6 | >= 10.2.6 |
| PAN-OS 10.1 | < 10.1.11 | >= 10.1.11 |
| PAN-OS 9.1 | < 9.1.16-h3 | >= 9.1.16-h3 |
| PAN-OS 9.0 | < 9.0.17-h4 | >= 9.0.17-h4 |
| PAN-OS 8.1 | < 8.1.26 | >= 8.1.26 |
| Prisma Access | Customers whose most recent software upgrade was before 09/30 | Customers who have received a software upgrade or are using new software on or after 09/30 |
| Prisma SD-WAN ION 6.2 | < 6.2.3 | >= 6.2.3 |
| Prisma SD-WAN ION 6.1 | < 6.1.5 | >= 6.1.5 |
| Prisma SD-WAN ION 5.6 | None | All |
Required Configuration for Exposure
This issue is applicable only to devices and appliances that are configured with BGP routing features enabled. You can verify whether BGP is enabled for a router by selecting it from 'Network > Virtual Routers' or 'Network > Logical Routers' in the web interface of PAN-OS firewalls.
To exploit this issue, the remote attacker must control at least one established BGP session that is propagated to the router.
Severity: HIGH
CVSSv4.0 Base Score: 8.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:A/V:C/RE:L/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue targeting our customers. However, knowledge of invalid BGP attributes that trigger this issue is publicly available.
Weakness Type
CWE-754 Improper Check for Unusual or Exceptional Conditions
Solution
This issue is fixed in PAN-OS 8.1.26, PAN-OS 9.0.17-h4, PAN-OS 9.1.16-h3, PAN-OS 10.1.11, PAN-OS 10.2.6, PAN-OS 11.0.3, and all later PAN-OS versions.
This issue is fixed in Prisma SD-WAN ION 6.1.5, Prisma SD-WAN ION 6.2.3, and all later Prisma SD-WAN ION versions. This issue does not impact Prisma SD-WAN ION 5.6 versions.
For Prisma Access customers, the upgrade to fix this issue will be available on 09/30. Customers should work with their Prisma Access contacts and support to secure a maintenance window for the on-demand software upgrade.
Please note that full Prisma Access data plane upgrades scheduled on and after 09/30 will have this fix incorporated by default. No additional action is necessary for these customers to remediate this issue.
Workarounds and Mitigations
You can prevent exploitation of this issue by inserting an unaffected BGP router—configured to drop the invalid BGP update instead of propagating it—between the attacker-originated BGP update and PAN-OS, Prisma SD-WAN ION, and Prisma Access devices. This stops the invalid BGP update from reaching the affected router.
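The behaviour the workaround relies on, a router that discards a malformed UPDATE instead of tearing down the session, is what RFC 7606 calls "treat-as-withdraw". The following Python sketch is an added illustration of that error-handling choice for an IPv4-unicast UPDATE body (the bytes after the 19-byte BGP header); it is not FRR's, PAN-OS's or any vendor's code, attribute values are not decoded, and the two sample messages are constructed.

```python
def parse_path_attributes(data: bytes) -> list:
    """Check every declared attribute length against the bytes actually present
    (the CWE-754 check); returns (flags, type, value) triples or raises ValueError."""
    attrs, off = [], 0
    while off < len(data):
        # RFC 4271 4.3: flags, type code, then a 1-byte length (2 bytes if flag 0x10 is set)
        if len(data) - off < 3 or (data[off] & 0x10 and len(data) - off < 4):
            raise ValueError(f"truncated attribute header at offset {off}")
        flags, code = data[off], data[off + 1]
        hdr = 4 if flags & 0x10 else 3
        length = int.from_bytes(data[off + 2:off + hdr], "big")
        off += hdr
        if len(data) - off < length:
            raise ValueError(f"type {code} declares {length} bytes, {len(data) - off} remain")
        attrs.append((flags, code, data[off:off + length]))
        off += length
    return attrs

def parse_nlri(data: bytes) -> list:
    """Decode the IPv4 NLRI field (prefix-length byte + truncated prefix) to 'a.b.c.d/n'."""
    prefixes, off = [], 0
    while off < len(data):
        plen, nbytes = data[off], (data[off] + 7) // 8
        if plen > 32 or len(data) - off - 1 < nbytes:
            raise ValueError(f"malformed NLRI at offset {off}")
        raw = data[off + 1:off + 1 + nbytes].ljust(4, b"\x00")
        prefixes.append(".".join(map(str, raw)) + f"/{plen}")
        off += 1 + nbytes
    return prefixes

def handle_update(body: bytes) -> dict:
    """RFC 7606 'treat-as-withdraw': a malformed attribute withdraws the routes the UPDATE
    carries instead of resetting the session; Total Path Attribute Length still locates the NLRI."""
    wlen = int.from_bytes(body[0:2], "big")
    alen = int.from_bytes(body[2 + wlen:4 + wlen], "big")
    attrs_raw, nlri_raw = body[4 + wlen:4 + wlen + alen], body[4 + wlen + alen:]
    if len(attrs_raw) != alen:  # the list itself overruns the message: NLRI unknowable
        return {"action": "session-reset", "reason": "Total Path Attribute Length overruns message"}
    prefixes = parse_nlri(nlri_raw)
    try:
        attrs = parse_path_attributes(attrs_raw)
    except ValueError as err:
        return {"action": "treat-as-withdraw", "reason": str(err), "prefixes": prefixes}
    return {"action": "accept", "reason": "", "prefixes": prefixes, "attributes": attrs}

# Constructed samples: ORIGIN=IGP, NEXT_HOP=10.0.0.1, announcing 192.0.2.0/24; in the
# second the NEXT_HOP attribute claims 40 bytes of value although only 4 follow it.
_HDR = bytes([0, 0, 0, 11]) + bytes([0x40, 1, 1, 0])  # withdrawn len 0, attr len 11, ORIGIN
GOOD_UPDATE = _HDR + bytes([0x40, 3, 4, 10, 0, 0, 1]) + bytes([24, 192, 0, 2])
BAD_UPDATE = _HDR + bytes([0x40, 3, 40, 10, 0, 0, 1]) + bytes([24, 192, 0, 2])
```

With the malformed sample, `handle_update` returns a withdraw of 192.0.2.0/24 and the session stays up; only an overrun of the whole attribute list, where the NLRI can no longer be found, still results in a session reset.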
Acknowledgments
Frequently Asked Questions
Q. Is this issue related to BGP routing CVEs CVE-2023-4481, CVE-2023-38283, and CVE-2023-40457?
Yes. As per the CVE assignment rules, each independent implementation codebase would be assigned a CVE if there is a problem in the implementation of a standard.
This issue has been assigned the following CVE IDs: CVE-2023-38802 for FRR, CVE-2023-38283 for OpenBGPd, CVE-2023-40457 for EXOS, and CVE-2023-4481 for JunOS.