CVE-2023-38802 PAN-OS: Denial-of-Service (DoS) Vulnerability in BGP Software

Related Vulnerabilities: CVE-2023-38802   CVE-2023-4481   CVE-2023-38283   CVE-2023-40457  

Severity: 7.5 (HIGH)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

Description

BGP software such as FRRouting (FRR), included as part of the PAN-OS virtual routing feature, enables a remote attacker to incorrectly reset network sessions through an invalid BGP update. This issue applies only to firewalls configured with virtual routers that have BGP enabled.

To exploit this issue, the remote attacker must control at least one established BGP session whose updates are propagated to the PAN-OS virtual router. The denial-of-service (DoS) impact on the network depends on the network's architecture and fault-tolerant design.

Further details about this issue can be found at: https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling

Product Status

Versions        Affected      Unaffected
Cloud NGFW      None          All
PAN-OS 11.0     < 11.0.3      >= 11.0.3 (ETA: Week of 10/16)
PAN-OS 10.2     < 10.2.6      >= 10.2.6 (ETA: Week of 09/25)
PAN-OS 10.1     < 10.1.11     >= 10.1.11 (ETA: Week of 09/25)
PAN-OS 9.1      <= 9.1.16     >= 9.1.16-HF (ETA: Week of 10/02)
Prisma Access   None          All

Required Configuration for Exposure

This issue is applicable only to firewalls that are configured with virtual routers that have BGP enabled. You can verify whether BGP is enabled for a virtual router by selecting it from 'Network > Virtual Routers' in the web interface.

To exploit this issue, the remote attacker must control at least one established BGP session that is propagated to the PAN-OS virtual router.
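The two exposure conditions in this advisory (an affected PAN-OS version and at least one virtual router with BGP enabled) can also be checked offline. The following Python helper is added here and is not Palo Alto Networks code: it reports BGP-enabled virtual routers from a PAN-OS configuration export and applies the version table from the Product Status section above. The element path it reads (`network/virtual-router/entry/protocol/bgp/enable`) is an assumption about the export layout, the sample export is constructed, and the 9.1.16 hotfix is assumed to carry a `-hN` suffix; names such as `version_affected` and `bgp_enabled_routers` are the example's own.

```python
"""Exposure check for CVE-2023-38802 from a PAN-OS version string and a
configuration export. Added helper for this advisory, not Palo Alto Networks code.
Assumption: the export places the BGP toggle at
network/virtual-router/entry/protocol/bgp/enable."""
import re
import xml.etree.ElementTree as ET

# (major, minor) -> (patch, hotfix) of the first fixed release, transcribed from the
# Product Status table. 9.1 is fixed in a 9.1.16 hotfix; any "-hN" suffix on 9.1.16
# is assumed to contain it.
FIXED_IN = {(11, 0): (3, 0), (10, 2): (6, 0), (10, 1): (11, 0), (9, 1): (16, 1)}
NEWEST_LISTED_TRAIN = (11, 0)   # "all later PAN-OS versions" carry the fix


def parse_version(ver: str) -> tuple:
    """'10.2.5-h2' -> (10, 2, 5, 2); a missing hotfix suffix counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version {ver!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def version_affected(ver: str) -> bool:
    """True when the advisory lists no fixed release at or below this version."""
    major, minor, patch, hotfix = parse_version(ver)
    train = (major, minor)
    if train in FIXED_IN:
        return (patch, hotfix) < FIXED_IN[train]
    if train > NEWEST_LISTED_TRAIN:
        return False
    # 8.1, 9.0, 10.0 and other end-of-life trains: no fix is planned.
    return True


def bgp_enabled_routers(config_xml: str) -> list:
    """Names of virtual routers whose BGP <enable> element reads 'yes'."""
    root = ET.fromstring(config_xml)
    found = []
    for vr in root.iterfind(".//network/virtual-router/entry"):
        enable = vr.findtext("protocol/bgp/enable", default="no")
        if enable.strip().lower() == "yes":
            found.append(vr.get("name"))
    return found


def exposed(ver: str, config_xml: str) -> bool:
    """Exposure requires both an affected version and a BGP-enabled virtual router."""
    return version_affected(ver) and bool(bgp_enabled_routers(config_xml))


# Constructed sample export: one virtual router with BGP enabled, one without.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><network>
    <virtual-router>
      <entry name="default">
        <protocol><bgp><enable>yes</enable><router-id>192.0.2.1</router-id></bgp></protocol>
      </entry>
      <entry name="lab-vr">
        <protocol><bgp><enable>no</enable></bgp></protocol>
      </entry>
    </virtual-router>
  </network></entry></devices>
</config>"""

if __name__ == "__main__":
    for ver in ("10.2.5", "10.2.6", "9.1.16", "9.1.16-h1", "8.1.25", "11.1.0"):
        print(f"{ver:10s} affected={version_affected(ver)}")
    print("BGP-enabled virtual routers:", bgp_enabled_routers(SAMPLE_CONFIG))
    print("exposed on 10.1.10:", exposed("10.1.10", SAMPLE_CONFIG))
```

Run it against a real export by reading `running-config.xml` into `bgp_enabled_routers` and passing the `sw-version` shown by the firewall to `version_affected`; a router that reports BGP enabled on an affected version is the case the mitigation section applies to.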

Severity: HIGH

CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue targeting PAN-OS. However, knowledge of invalid BGP attributes that trigger this issue is publicly available.

Weakness Type

CWE-754 Improper Check for Unusual or Exceptional Conditions

Solution

This issue will be fixed in a new PAN-OS 9.1.16 hotfix (ETA: Week of 10/02), PAN-OS 10.1.11 (ETA: Week of 09/25), PAN-OS 10.2.6 (ETA: Week of 09/25), PAN-OS 11.0.3 (ETA: Week of 10/16), and all later PAN-OS versions.

This advisory will be updated when these PAN-OS releases become available.

A fix for this issue is not planned for PAN-OS 8.1, PAN-OS 9.0, PAN-OS 10.0, and other end-of-life (EoL) PAN-OS versions.

Workarounds and Mitigations

You can prevent exploitation of this issue by inserting an unimpacted BGP router—configured to drop the invalid BGP update instead of propagating it—between the attacker-originated BGP update and the PAN-OS virtual router. This stops the invalid BGP update from reaching the PAN-OS virtual router.
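The description above and the mitigation in this section both come down to how a BGP speaker reacts to an UPDATE whose path attributes it cannot parse: tearing down the session (the original RFC 4271 behaviour, and the failure CWE-754 describes) versus withdrawing only the routes carried by that UPDATE and keeping the session up (RFC 7606 "treat-as-withdraw"), which is what an unimpacted router placed in front of the virtual router does when it drops the invalid update rather than propagating it. The following Python example is added here and is not Palo Alto Networks, PAN-OS or FRR code: it parses a minimal IPv4 UPDATE body and shows the two policies side by side on constructed messages. The malformed sample is a generic attribute-length overrun, not the specific attribute discussed in the post linked above, and the helper names are the example's own.

```python
"""Contrast RFC 4271 session-reset handling with RFC 7606 treat-as-withdraw
for malformed BGP path attributes. Added illustration, not PAN-OS or FRR code;
the UPDATE bodies below are constructed samples in the RFC 4271 4.3 layout."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Network

FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_EXT_LENGTH = 0x80, 0x40, 0x10
ORIGIN, AS_PATH, NEXT_HOP = 1, 2, 3          # well-known mandatory attributes
MANDATORY = {ORIGIN, AS_PATH, NEXT_HOP}


@dataclass
class Decision:
    action: str               # "accept", "treat-as-withdraw" or "session-reset"
    reason: str = ""
    nlri: list = field(default_factory=list)
    attrs: dict = field(default_factory=dict)


def parse_nlri(buf: bytes) -> list:
    """Decode IPv4 prefixes (length byte + packed octets); raise on truncation."""
    prefixes, i = [], 0
    while i < len(buf):
        plen = buf[i]
        nbytes = (plen + 7) // 8
        octets = buf[i + 1:i + 1 + nbytes]
        if plen > 32 or len(octets) < nbytes:
            raise ValueError("truncated or invalid NLRI")
        addr = int.from_bytes(octets.ljust(4, b"\x00"), "big")
        prefixes.append(IPv4Network((addr, plen)))
        i += 1 + nbytes
    return prefixes


def parse_attributes(buf: bytes) -> dict:
    """Walk the path attribute field; raise ValueError on a malformed attribute."""
    attrs, i = {}, 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("attribute header truncated")
        flags, code = buf[i], buf[i + 1]
        i += 2
        lsize = 2 if flags & FLAG_EXT_LENGTH else 1
        if i + lsize > len(buf):
            raise ValueError(f"attribute {code}: length field truncated")
        length = int.from_bytes(buf[i:i + lsize], "big")
        i += lsize
        if i + length > len(buf):
            raise ValueError(f"attribute {code}: length {length} overruns attribute field")
        if code in attrs:
            raise ValueError(f"attribute {code}: repeated")
        attrs[code] = (flags, buf[i:i + length])
        i += length
    return attrs


def process_update(body: bytes, rfc7606: bool = True) -> Decision:
    """Handle an UPDATE body (everything after the 19-byte BGP header)."""
    if len(body) < 4:
        return Decision("session-reset", "Malformed Attribute List")
    wlen = int.from_bytes(body[0:2], "big")
    if 4 + wlen > len(body):
        return Decision("session-reset", "Malformed Attribute List")
    alen = int.from_bytes(body[2 + wlen:4 + wlen], "big")
    if 4 + wlen + alen > len(body):
        # Attribute boundaries cannot be trusted, so the NLRI cannot be located:
        # RFC 7606 keeps this case as a session reset.
        return Decision("session-reset", "Malformed Attribute List")
    attr_field = body[4 + wlen:4 + wlen + alen]
    try:
        # The NLRI is found from Total Path Attribute Length regardless of whether
        # the attributes themselves parse; that is what makes a withdraw possible.
        nlri = parse_nlri(body[4 + wlen + alen:])
    except ValueError as exc:
        return Decision("session-reset", str(exc))   # NLRI errors stay fatal (RFC 7606 5.3)
    try:
        attrs = parse_attributes(attr_field)
        if nlri and MANDATORY - set(attrs):
            raise ValueError("missing well-known mandatory attribute")
    except ValueError as exc:
        if rfc7606:
            # Withdraw the prefixes carried by this UPDATE and keep the session up.
            return Decision("treat-as-withdraw", str(exc), nlri=nlri)
        return Decision("session-reset", str(exc))   # RFC 4271 behaviour
    return Decision("accept", nlri=nlri, attrs=attrs)


def attr(code: int, value: bytes, flags: int = FLAG_TRANSITIVE) -> bytes:
    return bytes([flags, code, len(value)]) + value


def build_update(attrs: bytes, nlri: bytes, withdrawn: bytes = b"") -> bytes:
    return (struct.pack("!H", len(withdrawn)) + withdrawn
            + struct.pack("!H", len(attrs)) + attrs + nlri)


# Constructed sample: announce 192.0.2.0/24, AS_PATH [64496], next hop 198.51.100.1.
GOOD_ATTRS = (attr(ORIGIN, b"\x00")
              + attr(AS_PATH, b"\x02\x01" + struct.pack("!H", 64496))
              + attr(NEXT_HOP, bytes([198, 51, 100, 1])))
NLRI = bytes([24, 192, 0, 2])
GOOD_UPDATE = build_update(GOOD_ATTRS, NLRI)
# Same announcement plus an unknown optional transitive attribute (type code 200,
# chosen arbitrarily) whose declared length of 40 overruns the attribute field.
BAD_ATTR = bytes([FLAG_OPTIONAL | FLAG_TRANSITIVE, 200, 40]) + b"\x00" * 4
BAD_UPDATE = build_update(GOOD_ATTRS + BAD_ATTR, NLRI)
# Total Path Attribute Length larger than the message: not recoverable under either RFC.
RESET_UPDATE = struct.pack("!HH", 0, 500) + GOOD_ATTRS + NLRI


def compare(body: bytes) -> tuple:
    """(RFC 4271 action, RFC 7606 action) for one UPDATE body."""
    return (process_update(body, rfc7606=False).action,
            process_update(body, rfc7606=True).action)


if __name__ == "__main__":
    for name, body in (("good", GOOD_UPDATE), ("bad attribute", BAD_UPDATE),
                       ("bad length", RESET_UPDATE)):
        old, new = compare(body)
        print(f"{name:14s} RFC4271={old:18s} RFC7606={new}")
```

The point of the contrast is the middle row: under the older rule one unparseable attribute from one peer takes down the whole session and every route learned over it, while under RFC 7606 only the prefixes in that UPDATE are withdrawn and the attribute is never re-advertised, which is exactly the behaviour the intermediate router in the mitigation above provides.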

Acknowledgments

Palo Alto Networks thanks Ben Cartwright-Cox for discovering this issue in BGP implementations.

Frequently Asked Questions

Q. Is this issue related to BGP routing CVEs CVE-2023-4481, CVE-2023-38283, and CVE-2023-40457?

Yes. Under the CVE assignment rules, each independent implementation codebase is assigned its own CVE when the problem lies in that implementation of a standard.

This issue has been assigned the following CVE IDs: CVE-2023-38802 for FRR, CVE-2023-38283 for OpenBGPd, CVE-2023-40457 for EXOS, and CVE-2023-4481 for JunOS.

Timeline

Initial Publication