CVE-2023-45886 - OpenCVE

The BGP daemon (bgpd) in IP Infusion ZebOS through 7.10.6 allow remote attackers to cause a denial of service by sending crafted BGP update messages containing a malformed attribute.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
F5	Big-ip Next Service Proxy For Kubernetes Big-ip Next Cloud-native Network Functions Big-ip Next Big-ip Global Traffic Manager Big-ip Local Traffic Manager
Ipinfusion	Zebos

Configuration 1 [-]

cpe:2.3:a:f5:big-ip_next:20.0.1:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:f5:big-ip_next_service_proxy_for_kubernetes:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:f5:big-ip_next_cloud-native_network_functions:*:*:*:*:*:*:*:*

Configuration 4 [-]

OR	cpe:2.3:a:f5:big-ip_local_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_local_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_local_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_local_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_local_traffic_manager::::::::

Configuration 5 [-]

OR	cpe:2.3:a:f5:big-ip_global_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_global_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_global_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_global_traffic_manager::::::::
	cpe:2.3:a:f5:big-ip_global_traffic_manager::::::::

Configuration 6 [-]

cpe:2.3:a:ipinfusion:zebos:*:*:*:*:*:*:*:*

References

Link	Resource
https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling	Exploit
https://my.f5.com/manage/s/article/K000137315	Third Party Advisory
https://www.ipinfusion.com/doc_prod_cat/zebos/	Product
https://www.kb.cert.org/vuls/id/347067	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2023-11-21T00:00:00

Updated: 2023-11-21T05:56:48.927497

Reserved: 2023-10-15T00:00:00

Link: CVE-2023-45886

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-11-21T06:15:42.450

Modified: 2023-11-29T17:09:53.043

Link: CVE-2023-45886

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_next:20.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "969C4F14-F6D6-46D6-B348-FC1463877680", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_next_service_proxy_for_kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "41AD5040-1250-45F5-AB63-63F333D49BCC", "versionEndIncluding": "1.8.2", "versionStartIncluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_next_cloud-native_network_functions:*:*:*:*:*:*:*:*", "matchCriteriaId": "79F284A9-C17F-4230-B1B9-2F5F96784ABB", "versionEndIncluding": "1.1.1", "versionStartIncluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "0360F76D-E75E-4B05-A294-B47012323ED9", "versionEndIncluding": "13.1.5", "versionStartIncluding": "13.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A4607BF-41AC-4E84-A110-74E085FF0445", "versionEndIncluding": "14.1.5", "versionStartIncluding": "14.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "441CC945-7CA3-49C0-AE10-94725301E31D", "versionEndIncluding": "15.1.10", "versionStartIncluding": "15.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "46BA8E8A-6ED5-4FB2-8BBC-586AA031085A", "versionEndIncluding": "16.1.4", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "820076A8-F163-4471-8B1E-5290BD1D6D93", "versionEndIncluding": "17.1.1", "versionStartIncluding": "17.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6018B01-048C-43BB-A78D-66910ED60CA9", "versionEndIncluding": "13.1.5", "versionStartIncluding": "13.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A6A5686-5A8B-45D5-9165-BC99D2CCAC47", "versionEndIncluding": "14.1.5", "versionStartIncluding": "14.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D2A121F-5BD2-4263-8ED3-1DDE25B5C306", "versionEndIncluding": "15.1.10", "versionStartIncluding": "15.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A4F7BAD-3EDD-4DE0-AAB7-DE5ACA34DD79", "versionEndIncluding": "16.1.4", "versionStartIncluding": "16.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF43CD3A-2C94-4663-B5D5-0327FD3E1F3D", "versionEndIncluding": "17.1.1", "versionStartIncluding": "17.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ipinfusion:zebos:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C3498D8-B387-4E26-AF1D-80D43DDC5E47", "versionEndIncluding": "7.10.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The BGP daemon (bgpd) in IP Infusion ZebOS through 7.10.6 allow remote attackers to cause a denial of service by sending crafted BGP update messages containing a malformed attribute."}, {"lang": "es", "value": "BGP daemon (bgpd) en IP Infusion ZebOS hasta 7.10.6 permite a atacantes remotos provocar una Denegaci\u00f3n de Servicio enviando mensajes de actualizaci\u00f3n de BGP manipulados que contienen un atributo con formato incorrecto."}], "id": "CVE-2023-45886", "lastModified": "2023-11-29T17:09:53.043", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-21T06:15:42.450", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://my.f5.com/manage/s/article/K000137315"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.ipinfusion.com/doc_prod_cat/zebos/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.kb.cert.org/vuls/id/347067"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}