CVE-2023-40457
Vulnerability from cvelistv5
Published
2024-11-10 00:00
Modified
2024-11-12 17:23
Severity ?
Summary
The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attribute error mishandling (for attribute 21 and 25). NOTE: the vendor disputes this because it is "evaluating support for RFC 7606 as a future feature" and believes that "customers that have chosen to not require or implement RFC 7606 have done so willingly and with knowledge of what is needed to defend against these types of attacks."
References
cve@mitre.orghttps://blog.benjojo.co.uk/asset/JgH8G5duO1
cve@mitre.orghttps://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
cve@mitre.orghttps://supportdocs.extremenetworks.com/support/documentation/extremexos-32-5/
Impacted products
n/an/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:o:extremenetworks:extremeos:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "extremeos",
            "vendor": "extremenetworks",
            "versions": [
              {
                "status": "affected",
                "version": "30.7.1.1"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-40457",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-12T17:18:34.173848Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-209",
                "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-12T17:23:10.854Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attribute error mishandling (for attribute 21 and 25). NOTE: the vendor disputes this because it is \"evaluating support for RFC 7606 as a future feature\" and believes that \"customers that have chosen to not require or implement RFC 7606 have done so willingly and with knowledge of what is needed to defend against these types of attacks.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-10T23:53:50.333176",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://supportdocs.extremenetworks.com/support/documentation/extremexos-32-5/"
        },
        {
          "url": "https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling"
        },
        {
          "url": "https://blog.benjojo.co.uk/asset/JgH8G5duO1"
        }
      ],
      "tags": [
        "disputed"
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-40457",
    "datePublished": "2024-11-10T00:00:00",
    "dateReserved": "2023-08-14T00:00:00",
    "dateUpdated": "2024-11-12T17:23:10.854Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-40457\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2024-11-11T00:15:13.817\",\"lastModified\":\"2024-11-12T18:35:01.990\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[{\"sourceIdentifier\":\"cve@mitre.org\",\"tags\":[\"disputed\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attribute error mishandling (for attribute 21 and 25). NOTE: the vendor disputes this because it is \\\"evaluating support for RFC 7606 as a future feature\\\" and believes that \\\"customers that have chosen to not require or implement RFC 7606 have done so willingly and with knowledge of what is needed to defend against these types of attacks.\\\"\"},{\"lang\":\"es\",\"value\":\"El daemon BGP en Extreme Networks ExtremeXOS (tambi\u00e9n conocido como EXOS) 30.7.1.1 permite que un atacante (que no est\u00e1 en una red conectada directamente) provoque una denegaci\u00f3n de servicio (reinicio de sesi\u00f3n BGP) debido a un manejo incorrecto de errores de atributos BGP (para los atributos 21 y 25). NOTA: el proveedor lo niega porque est\u00e1 \\\"evaluando la compatibilidad con RFC 7606 como una caracter\u00edstica futura\\\" y cree que \\\"los clientes que han optado por no requerir o implementar RFC 7606 lo han hecho voluntariamente y con conocimiento de lo que se necesita para defenderse contra este tipo de ataques\\\".\"}],\"metrics\":{},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-209\"}]}],\"references\":[{\"url\":\"https://blog.benjojo.co.uk/asset/JgH8G5duO1\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://supportdocs.extremenetworks.com/support/documentation/extremexos-32-5/\",\"source\":\"cve@mitre.org\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.