09-13-2023 06:21 PM
Hi,
Regarding CVE-2023-38802, DDoS in BGP software, would this apply only to public ASNs/BGP sessions established on the public internet? I have BGP configured on PAN firewalls but am only running BGP over IPSec tunnels using private ASNs.
I would think this vulnerability would not apply, but I didn't want to assume.
09-13-2023 09:17 PM
Hello @securehops
This issue is triggered by sending a crafted BGP update message. If you are running BGP internally within your network only and all your BGP devices are in your control, then I would say you are not affected (unless somebody you are peering with internally sends a malicious BGP update).
This issue is not limited to Palo Alto only. At the end of last month a similar issue was reported by Juniper, CVE-2023-4481.
Kind Regards
Pavel
11-13-2023 10:56 AM
Any reason it says it is fixed in 11.0.3 (https://security.paloaltonetworks.com/CVE-2023-38802), but the 11.0.3 known and addressed issues do not show it?
11-13-2023 01:59 PM - edited 11-13-2023 02:00 PM
11.0.3 is not impacted. The impacted versions are < 11.0.3.
11-13-2023 02:05 PM
For any drive-by browsers: you can restrict your BGP connections to/from specific IP addresses only, with an allow security policy rule followed by a drop rule. Then your NGFW will only allow BGP packets from configured peers.
Thanks,
Tom
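A first-match model of the allow-then-drop ordering described above, as an added example that is not from this thread or from Palo Alto Networks: the firewall address, peer addresses and rule names are constructed, and the evaluation function is a simplified stand-in for PAN-OS policy lookup, not its implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

BGP_PORT = 179  # BGP sessions run over TCP/179


@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple          # ip_network objects, or ("any",)
    destinations: tuple     # ip_network objects, or ("any",)
    dst_port: Optional[int]  # None matches any port
    action: str             # "allow" or "drop"


def _matches(nets: tuple, ip) -> bool:
    return nets == ("any",) or any(ip in n for n in nets)


def evaluate(rulebase, src: str, dst: str, dst_port: int) -> Tuple[str, str]:
    """Top-down, first-match evaluation (the PAN-OS security policy model):
    the first rule whose source, destination and service all match decides.
    Returns (rule name, action); nothing matched falls to an implicit drop."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rulebase:
        if (_matches(r.sources, s) and _matches(r.destinations, d)
                and r.dst_port in (None, dst_port)):
            return r.name, r.action
    return "default", "drop"


# Constructed sample topology: tunnel interface of the firewall and two
# configured iBGP peers reached over IPSec (addresses are made up).
FIREWALL_IP = "10.255.0.1"
PEERS = ("10.255.0.2", "10.255.0.3")
fw_net = (ipaddress.ip_network(FIREWALL_IP),)
peer_nets = tuple(ipaddress.ip_network(p) for p in PEERS)

# Allow BGP strictly between the firewall and its configured peers,
# then drop BGP from or to anything else. A configured peer that sends a
# crafted UPDATE is still allowed through: this narrows exposure, it does
# not replace the fixed release.
RULEBASE = [
    Rule("allow-bgp-from-peers", peer_nets, fw_net, BGP_PORT, "allow"),
    Rule("allow-bgp-to-peers", fw_net, peer_nets, BGP_PORT, "allow"),
    Rule("drop-bgp-other", ("any",), ("any",), BGP_PORT, "drop"),
]
```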
11-13-2023 02:06 PM
Thanks, yes, the release notes "usually" state that the issue was addressed. In this case they do not. We are on 11.0.2, an affected version, and want to move to 11.0.3, the non-impacted version. But first we want to confirm from the release notes that it was addressed as a fixed issue.
11-13-2023 02:14 PM
True, good point. They had so many addressed issues in 11.0.3 that they forgot that one 😂