Vulnerability Description
The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attribute error mishandling (for attributes 21 and 25). NOTE: the vendor disputes this because it is "evaluating support for RFC 7606 as a future feature" and believes that "customers that have chosen to not require or implement RFC 7606 have done so willingly and with knowledge of what is needed to defend against these types of attacks."
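As an added illustration (not code from the CVE record or from Extreme Networks), the Python sketch below contrasts the two error-handling regimes the description turns on: a speaker without RFC 7606 answers any malformed path attribute with a NOTIFICATION and a session reset, whereas an RFC 7606 speaker keeps the session up and only treats the affected UPDATE as a withdraw. Type code 25 appears only in constructed sample input; the checks are the generic RFC 7606 ones (header/length, flags, ORIGIN value, missing mandatory attributes), not the semantics of attributes 21 or 25.

```python
# Added example, not from the CVE record or the vendor: minimal RFC 7606-style
# classification of a BGP UPDATE's path-attribute block.
from typing import List, Tuple

OPTIONAL, TRANSITIVE, EXT_LEN = 0x80, 0x40, 0x10
# Well-known mandatory attributes (RFC 4271): ORIGIN (1 octet), AS_PATH, NEXT_HOP (4 octets)
MANDATORY_FIXED_LEN = {1: 1, 2: None, 3: 4}


def handle_path_attributes(attrs: bytes, rfc7606: bool) -> Tuple[str, List[Tuple[int, bytes]]]:
    """Return (action, attributes parsed so far) for an UPDATE that carries NLRI.

    'treat-as-withdraw': RFC 7606 s3/s5.3, withdraw this UPDATE's NLRI, session stays up.
    'session-reset':     RFC 4271 s6.3 behaviour, NOTIFICATION and the session is torn down.
    """
    parsed: List[Tuple[int, bytes]] = []

    def error() -> Tuple[str, List[Tuple[int, bytes]]]:
        return ("treat-as-withdraw" if rfc7606 else "session-reset"), parsed

    pos = 0
    while pos < len(attrs):
        flags = attrs[pos]
        hdr = 4 if flags & EXT_LEN else 3
        if len(attrs) - pos < hdr:
            return error()            # truncated attribute header (RFC 7606 s5.3)
        code = attrs[pos + 1]
        length = int.from_bytes(attrs[pos + 2:pos + hdr], "big")
        value = attrs[pos + hdr:pos + hdr + length]
        if len(value) != length:
            return error()            # declared length overruns the attribute block (s5.3)
        if code in MANDATORY_FIXED_LEN:
            if flags & OPTIONAL or not flags & TRANSITIVE:
                return error()        # flag conflict on a well-known attribute (s3)
            fixed = MANDATORY_FIXED_LEN[code]
            if fixed is not None and length != fixed:
                return error()        # length conflicts with the type code (s3)
            if code == 1 and value[0] > 2:
                return error()        # ORIGIN must be IGP(0), EGP(1) or INCOMPLETE(2) (s7.1)
        parsed.append((code, value))
        pos += hdr + length
    if set(MANDATORY_FIXED_LEN) - {c for c, _ in parsed}:
        return error()                # well-known mandatory attribute missing (s3)
    return "accept", parsed


def attr(flags: int, code: int, value: bytes) -> bytes:
    """Encode one attribute TLV (non-extended length); only used to build constructed samples."""
    return bytes([flags, code, len(value)]) + value


# Constructed samples: a valid block (ORIGIN, AS_PATH, NEXT_HOP), then the same block with a
# trailing optional transitive attribute of type 25 whose declared length overruns the block.
GOOD = (attr(TRANSITIVE, 1, b"\x00") + attr(TRANSITIVE, 2, b"\x02\x01\xfd\xe8")
        + attr(TRANSITIVE, 3, bytes([192, 0, 2, 1])))
BAD = GOOD + bytes([OPTIONAL | TRANSITIVE, 25, 0x40]) + b"\x00" * 4
```

Running `handle_path_attributes(BAD, rfc7606=False)` yields a session reset, the outcome the advisory describes, while the same bytes with `rfc7606=True` yield a treat-as-withdraw that keeps the peering up.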
Related Weaknesses (CWE)
References
- https://blog.benjojo.co.uk/asset/JgH8G5duO1
- https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling
- https://supportdocs.extremenetworks.com/support/documentation/extremexos-32-5/
FAQ
What is CVE-2023-40457?
CVE-2023-40457 is a documented vulnerability. The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attrib...
How severe is CVE-2023-40457?
CVSS scoring is not yet available for CVE-2023-40457. Check NVD for updates.
Is there a patch for CVE-2023-40457?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.