Cisco IOS XR Software contains multiple vulnerabilities in the Border Gateway Protocol (BGP) feature. These vulnerabilities include: Cisco IOS XR Software will reset a BGP peering session when receiving a specific invalid BGP update. The vulnerability manifests when a BGP peer announces a prefix with a specific invalid attribute. On receipt of this prefix, the Cisco IOS XR device will restart the peering session by sending a notification. The peering session will flap until the sender stops sending the invalid/corrupt update. This vulnerability was disclosed in revision 1.0 of this advisory. Cisco IOS XR BGP process will crash when sending a long length BGP update message When Cisco IOS XR sends a long length BGP update message, the BGP process may crash. The number of AS numbers required to exceed the total/maximum length of update message and cause the crash are well above normal limits seen within production environments. Cisco IOS XR BGP process will crash when constructing a BGP update with a large number of AS prepends If the Cisco IOS XR BGP process is configured to prepend a very large number of Autonomous System (AS) Numbers to the AS path, the BGP process will crash. The number of AS numbers required to be prepended and cause the crash are well above normal limits seen within production environments. All three vulnerabilities are different vulnerabilities from what was disclosed in the Cisco Security Advisory "Cisco IOS Software Border Gateway Protocol 4-Byte Autonomous System Number Vulnerabilities" on the 2009 July 29 1600 UTC at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090729-bgp. Cisco has released a free software maintenance upgrade (SMU) that addresses these vulnerabilities. Workarounds that mitigates these vulnerabilities are available. This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090818-bgp
Cisco IOS XR Software contains multiple vulnerabilities in the Border Gateway Protocol (BGP) feature. These vulnerabilities include:
All three vulnerabilities are different vulnerabilities from what was disclosed in the Cisco Security Advisory "Cisco IOS Software Border Gateway Protocol 4-Byte Autonomous System Number Vulnerabilities" on the 2009 July 29 1600 UTC at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090729-bgp.
Cisco has released a free software maintenance upgrade (SMU) that addresses these vulnerabilities.
Workarounds that mitigates these vulnerabilities are available.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090818-bgp
The "Cisco IOS XR Software will reset a BGP peering session when receiving a specific invalid BGP update" vulnerability affects all Cisco IOS XR Software devices after and including software release 3.4.0 configured with BGP routing.
The other two vulnerabilities affect all Cisco IOS XR Software devices configured with BGP routing.
To determine the Cisco IOS XR Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS XR Software by displaying text similar to "Cisco IOS XR Software". The software version is displayed after the text "Cisco IOS XR Software".
The following example identifies a Cisco CRS-1 that is running Cisco IOS XR Software Release 3.6.2:
RP/0/RP0/CPU0:CRS#show version Tue Aug 18 14:25:17.407 AEST Cisco IOS XR Software, Version 3.6.2[00] Copyright (c) 2008 by Cisco Systems, Inc. ROM: System Bootstrap, Version 1.49(20080319:195807) [CRS-1 ROMMON], CRS uptime is 4 weeks, 4 days, 1 minute System image file is "disk0:hfr-os-mbi-3.6.2/mbihfr-rp.vm" cisco CRS-8/S (7457) processor with 4194304K bytes of memory. 7457 processor at 1197Mhz, Revision 1.2 17 Packet over SONET/SDH network interface(s) 1 DWDM controller(s) 17 SONET/SDH Port controller(s) 8 TenGigabitEthernet/IEEE 802.3 interface(s) 2 Ethernet/IEEE 802.3 interface(s) 1019k bytes of non-volatile configuration memory. 38079M bytes of hard disk. 981440k bytes of ATA PCMCIA card at disk 0 (Sector size 512 bytes). Configuration register on node 0/0/CPU0 is 0x102 Boot device on node 0/0/CPU0 is mem: !--- output truncated
The following example identifies a Cisco 12404 router that is running Cisco IOS XR Software Release 3.7.1:
RP/0/0/CPU0:GSR#show version Cisco IOS XR Software, Version 3.7.1[00] Copyright (c) 2008 by Cisco Systems, Inc. ROM: System Bootstrap, Version 12.0(20051020:160303) SOFTWARE Copyright (c) 1994-2005 by cisco Systems, Inc. GSR uptime is 3 weeks, 6 days, 3 hours, 20 minutes System image file is "disk0:c12k-os-mbi-3.7.1/mbiprp-rp.vm" cisco 12404/PRP (7457) processor with 2097152K bytes of memory. 7457 processor at 1266Mhz, Revision 1.2 1 Cisco 12000 Series Performance Route Processor 1 Cisco 12000 Series - Multi-Service Blade Controller 1 1 Port ISE Packet Over SONET OC-48c/STM-16 Controller (1 POS) 1 Cisco 12000 Series SPA Interface Processor-601/501/401 3 Ethernet/IEEE 802.3 interface(s) 1 SONET/SDH Port controller(s) 1 Packet over SONET/SDH network interface(s) 4 PLIM QoS controller(s) 8 FastEthernet/IEEE 802.3 interface(s) 1016k bytes of non-volatile configuration memory. 1000496k bytes of disk0: (Sector size 512 bytes). 65536k bytes of Flash internal SIMM (Sector size 256k). Configuration register on node 0/0/CPU0 is 0x2102 Boot device on node 0/0/CPU0 is disk0: !--- output truncated
Additional information about Cisco IOS XR Software release naming conventions is available in the "White Paper: Cisco IOS Reference Guide" at the following link: http://www.cisco.com/warp/public/620/1.html#t6.
Additional information about Cisco IOS XR Software time-based release model is available in the "White Paper: Guidelines for Cisco IOS XR Software" at the following link: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8803/ps5845/product_bulletin_c25-478699.html.
BGP is configured in Cisco IOS XR Software with the configuration command router bgp [AS Number] or router bgp [X.Y]. The device is vulnerable if it is running an affected Cisco IOS XR Software version and has BGP configured.
The following example shows a Cisco IOS XR Software device configured with BGP:
RP/0/0/CPU0:GSR#show running-config | begin router bgp Building configuration... router bgp 65535 bgp router-id 192.168.0.1 address-family ipv4 unicast network 192.168.1.1/32 ! address-family vpnv4 unicast ! neighbor 192.168.2.1 remote-as 65534 update-source Loopback0 address-family ipv4 unicast ! !--- output truncated
The following Cisco products are confirmed not vulnerable:
No other Cisco products are currently known to be affected by these vulnerabilities.
These vulnerabilities affect Cisco IOS XR devices running affected software versions and configured with the BGP routing feature. Details per vulnerability are outlined below:
The peering session will flap until the sender stops sending the invalid/corrupt BGP update message.RP/0/RP0/CPU0:Aug 17 13:47:05.896 GMT: bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 192.168.0.1 Down - BGP Notification sent: invalid or corrupt AS path
The above error message is not always displayed and the BGP process may crash before IOS XR has the chance to generate the error message.bgp[122]: %ROUTING-BGP-3-INTERNAL_ERROR : [10] : Internal error (Write buffer too small to generate update)
Vulmon
route-policy prepend-example
prepend as-path 65534 3
prepend as-path 65531 2
end-policy
router bgp 65534
neighbor 192.168.0.1
remote-as 65531
address-family ipv4 unicast
route-policy prepend-example out
When an affected device BGP process crashes because of this large AS
path prepend, no log message will be generated, prior to the crash.The above three vulnerabilities have been fixed in a single SMU and released under an umbrella Cisco Bug ID CSCtb18562 ( registered customers only)
Each individual vulnerability has a different workaround. Following are the mitigations and workarounds recommended for these vulnerabilities, prior to applying a SMU or software upgrade. The workarounds should be applied to both eBGP and iBGP peers.
These details can be captured and provided to Cisco TAC to decode the update message. show bgp neighbors [ip address of neighbor from above log message]:RP/0/RP0/CPU0:Aug 17 13:47:05.896 GMT: bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 192.168.0.1 Down - BGP Notification sent: invalid or corrupt AS path
Working with Cisco TAC, the decode of the above will display the AS path in a manner illustrated below.RP/0/RP0/CPU0:CRS#show bgp neighbors 192.168.0.1
Working cooperatively with your peering partner, request that they filter outbound prefix advertisements from the identified source AS (in this example 65531) for your peering session. The filters configuration methods will vary depending on the routing device operating system used. For Cisco IOS XR Software the filters will be applied using Routing Policy Language (RPL) policies or with Cisco IOS Software via applying route-maps that deny advertisements matching that AS in their AS-PATH. Once these policies are applied, the peering session will be re-established.ATTRIBUTE NAME: AS_PATH AS_PATH: Type 2 is AS_SEQUENCE AS_PATH: Segment Length is 4 (0x04) segments long AS_PATH: 65533 65532 65531 65531
route-policy maxas-limit
# Check number of AS Numbers in AS Path attribute.
# If greater than 100 drop the update.
# If less than 100 pass the update.
if as-path length ge 100 then
drop
else
pass
endif
end-policy
router bgp 65533
neighbor 192.168.0.1
remote-as 65534
address-family ipv4 unicast
policy maxas-limit in
policy maxas-limit out
For further information on Cisco IOS XR RPL consult the document
"Implementing Routing Policy on Cisco IOS XR Software" at the following link:
http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/routing/configuration/guide/rc3rpl.html#wp1118699.When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Note: Currently the SMUs are being posted to Cisco.com. This section will be updated accordingly once the SMUs are available for download.
|
Cisco IOS XR Version |
SMU ID |
SMU Name |
|---|---|---|
|
3.2.X |
Vulnerable to BGP process crash vulnerabilities; Migrate to 3.4.1 or later. |
|
|
3.3.X |
Vulnerable to BGP process crash vulnerabilities; Migrate to 3.4.1 or later. |
|
|
3.4.0 |
Vulnerable; Migrate to 3.4.1 or later. |
|
|
3.4.1 |
AA03400 AA03414 |
hfr-rout-3.4.1.CSCtb18562 c12k-rout-3.4.1.CSCtb18562 |
|
3.4.2 |
AA03399 AA03413 |
hfr-rout-3.4.2.CSCtb18562 c12k-rout-3.4.2.CSCtb18562 |
|
3.4.3 |
AA03398 AA03412 |
hfr-rout-3.4.3.CSCtb18562 c12k-rout-3.4.3.CSCtb18562 |
|
3.5.2 |
AA03397 AA03411 |
hfr-rout-3.5.2.CSCtb18562 c12k-rout-3.5.2.CSCtb18562 |
|
3.5.3 |
AA03410 AA03396 |
c12k-rout-3.5.3.CSCtb18562 hfr-rout-3.5.3.CSCtb18562 |
|
3.5.4 |
AA03409 AA03395 |
c12k-rout-3.5.4.CSCtb18562 hfr-rout-3.5.4.CSCtb18562 |
|
3.6.0 |
AA03394 AA03408 |
hfr-rout-3.6.0.CSCtb18562 c12k-rout-3.6.0.CSCtb18562 |
|
3.6.1 |
AA03407 AA03393 |
c12k-rout-3.6.1.CSCtb18562 hfr-rout-3.6.1.CSCtb18562 |
|
3.6.2 |
AA03406 AA03392 |
c12k-rout-3.6.2.CSCtb18562 hfr-rout-3.6.2.CSCtb18562 |
|
3.6.3 |
AA03405 AA03391 |
c12k-rout-3.6.3.CSCtb18562 hfr-rout-3.6.3.CSCtb18562 |
|
3.7.0 |
AA03390 AA03404 |
hfr-rout-3.7.0.CSCtb18562 c12k-rout-3.7.0.CSCtb18562 |
|
3.7.1 |
AA03389 AA03403 |
hfr-rout-3.7.1.CSCtb18562 c12k-rout-3.7.1.CSCtb18562 |
|
3.7.2 |
AA03386 |
asr9k-rout-3.7.2.CSCtb18562 |
|
3.7.3 |
AA03385 |
asr9k-rout-3.7.3.CSCtb18562 |
|
3.8.0 |
AA03388 AA03402 |
hfr-rout-3.8.0.CSCtb18562 c12k-rout-3.8.0.CSCtb18562 |
|
3.8.1 |
AA03401 AA03387 |
hfr-rout-3.8.1.CSCtb18562 c12k-rout-3.8.1.CSCtb18562 |
On August 17, 2009 around 16:30-17:00 UTC several ISP's began experiencing connectivity issues as BGP sessions were being repeatedly reset, which corresponds to the vulnerability "Cisco IOS XR will reset a BGP peering session when receiving a specific invalid BGP update" disclosed in this advisory. Cisco TAC was engaged with a number of customers all seeing similar issues. Stability came a few hours afterward as workarounds were applied. At this time, it is not believed that the connectivity issues were the result of malicious activity.
The other two BGP process crash vulnerabilities were discovered by Cisco during internal negative testing.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
|
Revision 2.6 |
2009-August-27 |
Minor revision to software table |
|
Revision 2.5 |
2009-August-24 |
Added final SMUs to the Software Table. |
|
Revision 2.4 |
2009-August-23 |
Added newly available SMUs to the Software Table. |
|
Revision 2.3 |
2009-August-22 |
Added newly available SMUs to the Software Table. |
|
Revision 2.2 |
2009-August-21 |
Added newly available SMUs to the Software Table. |
|
Revision 2.1 |
2009-August-20 |
Added currently available SMUs to the Software Table and separated CVSS tables. |
|
Revision 2.0 |
2009-August-20 |
Major update to include all bugs in Umbrella fix. |
|
Revision 1.0 |
2009-August-18 |
Initial public release. |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.