Cisco Security Advisory
Cisco IOS XR Software Border Gateway Protocol Vulnerabilities
AV:N/AC:M/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C
-
Cisco IOS XR Software contains multiple vulnerabilities in the Border Gateway Protocol (BGP) feature. These vulnerabilities include:
-
Cisco IOS XR Software will reset a BGP peering session when receiving
a specific invalid BGP update.
The vulnerability manifests when a BGP peer announces a prefix with a specific invalid attribute. On receipt of this prefix, the Cisco IOS XR device will restart the peering session by sending a notification. The peering session will flap until the sender stops sending the invalid/corrupt update. This vulnerability was disclosed in revision 1.0 of this advisory.
-
Cisco IOS XR BGP process will crash when sending a long length BGP
update message
When Cisco IOS XR sends a long length BGP update message, the BGP process may crash. The number of AS numbers required to exceed the total/maximum length of update message and cause the crash are well above normal limits seen within production environments.
-
Cisco IOS XR BGP process will crash when constructing a BGP update
with a large number of AS prepends
If the Cisco IOS XR BGP process is configured to prepend a very large number of Autonomous System (AS) Numbers to the AS path, the BGP process will crash. The number of AS numbers required to be prepended and cause the crash are well above normal limits seen within production environments.
All three vulnerabilities are different vulnerabilities from what was disclosed in the Cisco Security Advisory "Cisco IOS Software Border Gateway Protocol 4-Byte Autonomous System Number Vulnerabilities" on the 2009 July 29 1600 UTC at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090729-bgp.
Cisco has released a free software maintenance upgrade (SMU) that addresses these vulnerabilities.
Workarounds that mitigates these vulnerabilities are available.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090818-bgp
-
Cisco IOS XR Software will reset a BGP peering session when receiving
a specific invalid BGP update.
-
The "Cisco IOS XR Software will reset a BGP peering session when receiving a specific invalid BGP update" vulnerability affects all Cisco IOS XR Software devices after and including software release 3.4.0 configured with BGP routing.
The other two vulnerabilities affect all Cisco IOS XR Software devices configured with BGP routing.
Vulnerable Products
To determine the Cisco IOS XR Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS XR Software by displaying text similar to "Cisco IOS XR Software". The software version is displayed after the text "Cisco IOS XR Software".
The following example identifies a Cisco CRS-1 that is running Cisco IOS XR Software Release 3.6.2:
RP/0/RP0/CPU0:CRS#show version Tue Aug 18 14:25:17.407 AEST Cisco IOS XR Software, Version 3.6.2[00] Copyright (c) 2008 by Cisco Systems, Inc. ROM: System Bootstrap, Version 1.49(20080319:195807) [CRS-1 ROMMON], CRS uptime is 4 weeks, 4 days, 1 minute System image file is "disk0:hfr-os-mbi-3.6.2/mbihfr-rp.vm" cisco CRS-8/S (7457) processor with 4194304K bytes of memory. 7457 processor at 1197Mhz, Revision 1.2 17 Packet over SONET/SDH network interface(s) 1 DWDM controller(s) 17 SONET/SDH Port controller(s) 8 TenGigabitEthernet/IEEE 802.3 interface(s) 2 Ethernet/IEEE 802.3 interface(s) 1019k bytes of non-volatile configuration memory. 38079M bytes of hard disk. 981440k bytes of ATA PCMCIA card at disk 0 (Sector size 512 bytes). Configuration register on node 0/0/CPU0 is 0x102 Boot device on node 0/0/CPU0 is mem: !--- output truncated
The following example identifies a Cisco 12404 router that is running Cisco IOS XR Software Release 3.7.1:
RP/0/0/CPU0:GSR#show version Cisco IOS XR Software, Version 3.7.1[00] Copyright (c) 2008 by Cisco Systems, Inc. ROM: System Bootstrap, Version 12.0(20051020:160303) SOFTWARE Copyright (c) 1994-2005 by cisco Systems, Inc. GSR uptime is 3 weeks, 6 days, 3 hours, 20 minutes System image file is "disk0:c12k-os-mbi-3.7.1/mbiprp-rp.vm" cisco 12404/PRP (7457) processor with 2097152K bytes of memory. 7457 processor at 1266Mhz, Revision 1.2 1 Cisco 12000 Series Performance Route Processor 1 Cisco 12000 Series - Multi-Service Blade Controller 1 1 Port ISE Packet Over SONET OC-48c/STM-16 Controller (1 POS) 1 Cisco 12000 Series SPA Interface Processor-601/501/401 3 Ethernet/IEEE 802.3 interface(s) 1 SONET/SDH Port controller(s) 1 Packet over SONET/SDH network interface(s) 4 PLIM QoS controller(s) 8 FastEthernet/IEEE 802.3 interface(s) 1016k bytes of non-volatile configuration memory. 1000496k bytes of disk0: (Sector size 512 bytes). 65536k bytes of Flash internal SIMM (Sector size 256k). Configuration register on node 0/0/CPU0 is 0x2102 Boot device on node 0/0/CPU0 is disk0: !--- output truncated
Additional information about Cisco IOS XR Software release naming conventions is available in the "White Paper: Cisco IOS Reference Guide" at the following link: http://www.cisco.com/warp/public/620/1.html#t6.
Additional information about Cisco IOS XR Software time-based release model is available in the "White Paper: Guidelines for Cisco IOS XR Software" at the following link: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8803/ps5845/product_bulletin_c25-478699.html.
BGP is configured in Cisco IOS XR Software with the configuration command router bgp [AS Number] or router bgp [X.Y]. The device is vulnerable if it is running an affected Cisco IOS XR Software version and has BGP configured.
The following example shows a Cisco IOS XR Software device configured with BGP:
RP/0/0/CPU0:GSR#show running-config | begin router bgp Building configuration... router bgp 65535 bgp router-id 192.168.0.1 address-family ipv4 unicast network 192.168.1.1/32 ! address-family vpnv4 unicast ! neighbor 192.168.2.1 remote-as 65534 update-source Loopback0 address-family ipv4 unicast ! !--- output truncated
Products Confirmed Not Vulnerable
The following Cisco products are confirmed not vulnerable:
-
Cisco IOS Software
-
Cisco IOS XR Software not configured for BGP routing
No other Cisco products are currently known to be affected by these vulnerabilities.
-
Cisco IOS Software
-
These vulnerabilities affect Cisco IOS XR devices running affected software versions and configured with the BGP routing feature. Details per vulnerability are outlined below:
-
Cisco IOS XR Software will reset a BGP peering session when receiving
a specific invalid BGP update.
On August 17th, 2009, a widely-distributed Border Gateway Protocol (BGP) route update contained a BGP Update message with a specific invalid attribute. When the invalid BGP Update message was processed by Cisco IOS XR Software, it began resetting BGP peering sessions over which the update was received.
When a affected device receives the invalid/corrupt update, Cisco IOS XR Software will create a log message like the following example:
RP/0/RP0/CPU0:Aug 17 13:47:05.896 GMT: bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 192.168.0.1 Down - BGP Notification sent: invalid or corrupt AS path
This vulnerability is documented in Cisco Bug ID CSCtb42995 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-2055.
-
Cisco IOS XR BGP process will crash when sending a long length BGP
update message
The BGP process on an affected Cisco IOS XR device may reload when sending a long length BGP update. The number of AS numbers required to exceed the total/maximum length of update message and cause the crash are well above normal limits seen within production environments.
When an affected device BGP process crashes because of this long length BGP update message, Cisco IOS XR Software may create a log message like the following example:
bgp[122]: %ROUTING-BGP-3-INTERNAL_ERROR : [10] : Internal error (Write buffer too small to generate update)
This vulnerability is documented in Cisco Bug ID CSCtb05382 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-1154.
-
Cisco IOS XR BGP process will crash when constructing a BGP update
with a large number of AS prepends
If the Cisco IOS XR BGP process is configured to prepend a very large number of AS Numbers to the AS path, the BGP process will crash. The number of AS numbers required to be prepended to cause the crash are well above normal limits seen within production environments.
An example of AS path prepending in Cisco IOS XR Software is shown below:
route-policy prepend-example prepend as-path 65534 3 prepend as-path 65531 2 end-policy router bgp 65534 neighbor 192.168.0.1 remote-as 65531 address-family ipv4 unicast route-policy prepend-example out
This vulnerability is documented in Cisco Bug ID CSCtb12726 ( registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2009-2056.
The above three vulnerabilities have been fixed in a single SMU and released under an umbrella Cisco Bug ID CSCtb18562 ( registered customers only)
-
Cisco IOS XR Software will reset a BGP peering session when receiving
a specific invalid BGP update.
-
Each individual vulnerability has a different workaround. Following are the mitigations and workarounds recommended for these vulnerabilities, prior to applying a SMU or software upgrade. The workarounds should be applied to both eBGP and iBGP peers.
-
Cisco IOS XR Software will reset a BGP peering session when receiving
a specific invalid BGP update.
There are no workarounds on the affected device itself. Co-ordination is required with the peering neighbor support staff to filter the invalid update on their outbound path. The following procedure explains how to help mitigate this vulnerability:
Using the peer IP address in the log message that was generated when the Cisco IOS XR Software device received the invalid update; capture the notification message hex dump from the CLI command show bgp neighbor and contact the Cisco TAC, who can assist with a decode. Details on how to contact Cisco TAC are contained within the "Obtaining Fixed Software" section of this advisory.
For illustrative purposes, the following example shows a log message generated by an affected device when it receives an invalid/corrupt update message:
RP/0/RP0/CPU0:Aug 17 13:47:05.896 GMT: bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 192.168.0.1 Down - BGP Notification sent: invalid or corrupt AS path
RP/0/RP0/CPU0:CRS#show bgp neighbors 192.168.0.1
ATTRIBUTE NAME: AS_PATH AS_PATH: Type 2 is AS_SEQUENCE AS_PATH: Segment Length is 4 (0x04) segments long AS_PATH: 65533 65532 65531 65531
For further information on Cisco IOS XR RPL consult the document "Implementing Routing Policy on Cisco IOS XR Software" at the following link: http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/routing/configuration/guide/rc3rpl.html#wp1118699.
For further information on Cisco IOS route maps with BGP, consult the document "Cisco IOS BGP Configuration Guide, Release 12.4T" at the following link: http://www.cisco.com/en/US/docs/ios/12_2sr/12_2srb/feature/guide/tbgp_c.html.
-
Cisco IOS XR BGP process will crash when sending a long length BGP
update message
While the long length BGP update message can be caused by any number of attributes, then most common would be the AS Path. Limiting the number of AS numbers in the AS Path Attribute should mitigate this vulnerability. The following shows an example of filtering on AS paths within Cisco IOS XR Software:
route-policy maxas-limit # Check number of AS Numbers in AS Path attribute. # If greater than 100 drop the update. # If less than 100 pass the update. if as-path length ge 100 then drop else pass endif end-policy router bgp 65533 neighbor 192.168.0.1 remote-as 65534 address-family ipv4 unicast policy maxas-limit in policy maxas-limit out
-
Cisco IOS XR BGP process will crash when constructing a BGP update
with a large number of AS prepends
There is no workaround for this vulnerability, other than reducing the number of AS path prepends configured within Cisco IOS XR.
-
Cisco IOS XR Software will reset a BGP peering session when receiving
a specific invalid BGP update.
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Note: Currently the SMUs are being posted to Cisco.com. This section will be updated accordingly once the SMUs are available for download.
Cisco IOS XR Version
SMU ID
SMU Name
3.2.X
Vulnerable to BGP process crash vulnerabilities; Migrate to 3.4.1 or later.
3.3.X
Vulnerable to BGP process crash vulnerabilities; Migrate to 3.4.1 or later.
3.4.0
Vulnerable; Migrate to 3.4.1 or later.
3.4.1
AA03400
AA03414
hfr-rout-3.4.1.CSCtb18562
c12k-rout-3.4.1.CSCtb18562
3.4.2
AA03399
AA03413
hfr-rout-3.4.2.CSCtb18562
c12k-rout-3.4.2.CSCtb18562
3.4.3
AA03398
AA03412
hfr-rout-3.4.3.CSCtb18562
c12k-rout-3.4.3.CSCtb18562
3.5.2
AA03397
AA03411
hfr-rout-3.5.2.CSCtb18562
c12k-rout-3.5.2.CSCtb18562
3.5.3
AA03410
AA03396
c12k-rout-3.5.3.CSCtb18562
hfr-rout-3.5.3.CSCtb18562
3.5.4
AA03409
AA03395
c12k-rout-3.5.4.CSCtb18562
hfr-rout-3.5.4.CSCtb18562
3.6.0
AA03394
AA03408
hfr-rout-3.6.0.CSCtb18562
c12k-rout-3.6.0.CSCtb18562
3.6.1
AA03407
AA03393
c12k-rout-3.6.1.CSCtb18562
hfr-rout-3.6.1.CSCtb18562
3.6.2
AA03406
AA03392
c12k-rout-3.6.2.CSCtb18562
hfr-rout-3.6.2.CSCtb18562
3.6.3
AA03405
AA03391
c12k-rout-3.6.3.CSCtb18562
hfr-rout-3.6.3.CSCtb18562
3.7.0
AA03390
AA03404
hfr-rout-3.7.0.CSCtb18562
c12k-rout-3.7.0.CSCtb18562
3.7.1
AA03389
AA03403
hfr-rout-3.7.1.CSCtb18562
c12k-rout-3.7.1.CSCtb18562
3.7.2
AA03386
asr9k-rout-3.7.2.CSCtb18562
3.7.3
AA03385
asr9k-rout-3.7.3.CSCtb18562
3.8.0
AA03388
AA03402
hfr-rout-3.8.0.CSCtb18562
c12k-rout-3.8.0.CSCtb18562
3.8.1
AA03401
AA03387
hfr-rout-3.8.1.CSCtb18562
c12k-rout-3.8.1.CSCtb18562
-
On August 17, 2009 around 16:30-17:00 UTC several ISP's began experiencing connectivity issues as BGP sessions were being repeatedly reset, which corresponds to the vulnerability "Cisco IOS XR will reset a BGP peering session when receiving a specific invalid BGP update" disclosed in this advisory. Cisco TAC was engaged with a number of customers all seeing similar issues. Stability came a few hours afterward as workarounds were applied. At this time, it is not believed that the connectivity issues were the result of malicious activity.
The other two BGP process crash vulnerabilities were discovered by Cisco during internal negative testing.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 2.6
2009-August-27
Minor revision to software table
Revision 2.5
2009-August-24
Added final SMUs to the Software Table.
Revision 2.4
2009-August-23
Added newly available SMUs to the Software Table.
Revision 2.3
2009-August-22
Added newly available SMUs to the Software Table.
Revision 2.2
2009-August-21
Added newly available SMUs to the Software Table.
Revision 2.1
2009-August-20
Added currently available SMUs to the Software Table and separated CVSS tables.
Revision 2.0
2009-August-20
Major update to include all bugs in Umbrella fix.
Revision 1.0
2009-August-18
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.