CVE-2023-40457 (GCVE-0-2023-40457)

Vulnerability from cvelistv5 – Published: 2024-11-10 00:00 – Updated: 2024-11-12 17:23
VLAI?
Summary
The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attribute error mishandling (for attribute 21 and 25). NOTE: the vendor disputes this because it is "evaluating support for RFC 7606 as a future feature" and believes that "customers that have chosen to not require or implement RFC 7606 have done so willingly and with knowledge of what is needed to defend against these types of attacks."
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:extremenetworks:extremeos:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "extremeos",
            "vendor": "extremenetworks",
            "versions": [
              {
                "status": "affected",
                "version": "30.7.1.1"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-40457",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-12T17:18:34.173848Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-209",
                "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-12T17:23:10.854Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attribute error mishandling (for attribute 21 and 25). NOTE: the vendor disputes this because it is \"evaluating support for RFC 7606 as a future feature\" and believes that \"customers that have chosen to not require or implement RFC 7606 have done so willingly and with knowledge of what is needed to defend against these types of attacks.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-10T23:53:50.333176",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://supportdocs.extremenetworks.com/support/documentation/extremexos-32-5/"
        },
        {
          "url": "https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling"
        },
        {
          "url": "https://blog.benjojo.co.uk/asset/JgH8G5duO1"
        }
      ],
      "tags": [
        "disputed"
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-40457",
    "datePublished": "2024-11-10T00:00:00",
    "dateReserved": "2023-08-14T00:00:00",
    "dateUpdated": "2024-11-12T17:23:10.854Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "cveTags": "[{\"sourceIdentifier\": \"cve@mitre.org\", \"tags\": [\"disputed\"]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attribute error mishandling (for attribute 21 and 25). NOTE: the vendor disputes this because it is \\\"evaluating support for RFC 7606 as a future feature\\\" and believes that \\\"customers that have chosen to not require or implement RFC 7606 have done so willingly and with knowledge of what is needed to defend against these types of attacks.\\\"\"}, {\"lang\": \"es\", \"value\": \"El daemon BGP en Extreme Networks ExtremeXOS (tambi\\u00e9n conocido como EXOS) 30.7.1.1 permite que un atacante (que no est\\u00e1 en una red conectada directamente) provoque una denegaci\\u00f3n de servicio (reinicio de sesi\\u00f3n BGP) debido a un manejo incorrecto de errores de atributos BGP (para los atributos 21 y 25). NOTA: el proveedor lo niega porque est\\u00e1 \\\"evaluando la compatibilidad con RFC 7606 como una caracter\\u00edstica futura\\\" y cree que \\\"los clientes que han optado por no requerir o implementar RFC 7606 lo han hecho voluntariamente y con conocimiento de lo que se necesita para defenderse contra este tipo de ataques\\\".\"}]",
      "id": "CVE-2023-40457",
      "lastModified": "2024-11-12T18:35:01.990",
      "published": "2024-11-11T00:15:13.817",
      "references": "[{\"url\": \"https://blog.benjojo.co.uk/asset/JgH8G5duO1\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://supportdocs.extremenetworks.com/support/documentation/extremexos-32-5/\", \"source\": \"cve@mitre.org\"}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-209\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-40457\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2024-11-11T00:15:13.817\",\"lastModified\":\"2024-11-12T18:35:01.990\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[{\"sourceIdentifier\":\"cve@mitre.org\",\"tags\":[\"disputed\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attribute error mishandling (for attribute 21 and 25). NOTE: the vendor disputes this because it is \\\"evaluating support for RFC 7606 as a future feature\\\" and believes that \\\"customers that have chosen to not require or implement RFC 7606 have done so willingly and with knowledge of what is needed to defend against these types of attacks.\\\"\"},{\"lang\":\"es\",\"value\":\"El daemon BGP en Extreme Networks ExtremeXOS (tambi\u00e9n conocido como EXOS) 30.7.1.1 permite que un atacante (que no est\u00e1 en una red conectada directamente) provoque una denegaci\u00f3n de servicio (reinicio de sesi\u00f3n BGP) debido a un manejo incorrecto de errores de atributos BGP (para los atributos 21 y 25). NOTA: el proveedor lo niega porque est\u00e1 \\\"evaluando la compatibilidad con RFC 7606 como una caracter\u00edstica futura\\\" y cree que \\\"los clientes que han optado por no requerir o implementar RFC 7606 lo han hecho voluntariamente y con conocimiento de lo que se necesita para defenderse contra este tipo de ataques\\\".\"}],\"metrics\":{},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-209\"}]}],\"references\":[{\"url\":\"https://blog.benjojo.co.uk/asset/JgH8G5duO1\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://supportdocs.extremenetworks.com/support/documentation/extremexos-32-5/\",\"source\":\"cve@mitre.org\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-40457\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-12T17:18:34.173848Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:o:extremenetworks:extremeos:*:*:*:*:*:*:*:*\"], \"vendor\": \"extremenetworks\", \"product\": \"extremeos\", \"versions\": [{\"status\": \"affected\", \"version\": \"30.7.1.1\"}], \"defaultStatus\": \"unknown\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-209\", \"description\": \"CWE-209 Generation of Error Message Containing Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-12T17:23:05.822Z\"}}], \"cna\": {\"tags\": [\"disputed\"], \"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://supportdocs.extremenetworks.com/support/documentation/extremexos-32-5/\"}, {\"url\": \"https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling\"}, {\"url\": \"https://blog.benjojo.co.uk/asset/JgH8G5duO1\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attribute error mishandling (for attribute 21 and 25). NOTE: the vendor disputes this because it is \\\"evaluating support for RFC 7606 as a future feature\\\" and believes that \\\"customers that have chosen to not require or implement RFC 7606 have done so willingly and with knowledge of what is needed to defend against these types of attacks.\\\"\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2024-11-10T23:53:50.333176\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-40457\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-12T17:23:10.854Z\", \"dateReserved\": \"2023-08-14T00:00:00\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2024-11-10T00:00:00\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.