pixel_dreams - Fotolia
How can a BGP vulnerability in Cisco products be fixed?
A BGP vulnerability in some Cisco products enabled denial-of-service attacks. Expert Judith Myerson explains the vulnerability and how Cisco fixed the problem.
A vulnerability in the Border Gateway Protocol over an Ethernet Virtual Private Network in Cisco IOS XE software enabled a denial-of-service attack. What is the BGP vulnerability and how did Cisco fix it?
Cisco has been proactive in addressing new vulnerabilities in its products. The latest is a denial-of-service vulnerability in its IOS XE software prior to release 16.3.
The vulnerability was caused by the changes in Cisco's implementation of the Border Gateway Protocol (BGP) over an Ethernet VPN (EVPN). Cisco blamed the vulnerability on a change in the implementation of the draft specification for BGP over Multiprotocol Label Switching-based EVPNs.
The vulnerable implementation of the protocol didn't properly accept incoming BGP traffic. The length of the inbound packet's IP address field was miscalculated, which could have enabled an attacker to send malicious packets over a TCP connection. When attacked, the device could be forced to reload the BGP routing table, or the table could be corrupted, causing the affected device to malfunction. This led the IOS XE software to stop working.
With the BGP vulnerability, the attacker could then create a malicious BGP message and inject it into the affected BGP network. A BGP session had to exist for the router to receive the message from a peer. The router also had to have at least one BGP neighbor session before the denial-of-service vulnerability could be triggered.
As a timesaver, Cisco IOS Software Checker should be used to check the update status of affected releases of IOS XE software. To obtain the release number, administrators should log in and use the show version command in the command-line interface.
There are no workarounds to fix the BGP vulnerability. The good news is that software updates are available for the affected releases at no charge. Releases 16.3 and later are free of the BGP vulnerability. New releases require more memory for the devices -- current and upgraded. Hardware and software configurations are detailed in Cisco's Carrier Ethernet Configuration Guide. Cisco IOS XR Software and Cisco NX-OS Software are not affected.
Customers are advised to regularly check Cisco Security Advisories and Alerts for new vulnerabilities.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)