Date: 17 Jun 2004 20:30:09 +0200
From: SecuriTeam <support@securiteam.com>
To: [email protected]
Subject: [NEWS] Cisco IOS Malformed BGP Packet Causes DoS
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Cisco IOS Malformed BGP Packet Causes DoS
------------------------------------------------------------------------
SUMMARY
A Cisco device running IOS and enabled for the Border Gateway Protocol
(BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed
BGP packet. The BGP protocol is not enabled by default, and must be
configured in order to accept traffic from an explicitly defined peer.
Unless the malicious traffic appears to be sourced from a configured,
trusted peer, it would be difficult to inject a malformed packet.
DETAILS
Vulnerable Systems:
* Any CISCO device running IOS and configured for BGP routing (versions
9.x, 10.x, 11.x and 12.x)
A router which is running the BGP process will have a line in the config
defining the AS number, which can be seen by issuing the command show
running-config:
router bgp <AS number>
The Border Gateway Protocol (BGP) is a routing protocol defined by RFC
1771, and designed to manage IP routing in large networks. An affected
Cisco device running a vulnerable version of Cisco IOS software and
enabling the BGP protocol will reload when a malformed BGP packet is
received. BGP runs over TCP, a reliable transport protocol that requires a
valid three-way handshake before any further messages will be accepted.
The Cisco IOS implementation of BGP requires the explicit definition of a
neighbor before a connection can be established, and traffic must appear
to come from that neighbor. These implementation details make it very
difficult to send a BGP packet to a Cisco IOS device from an unauthorized
source.
A Cisco device receiving an invalid BGP packet will reset and may take
several minutes to become fully functional. This vulnerability may be
exploited repeatedly, resulting in an extended DoS attack.
For software versions and updates, consult the table in the original Cisco
advisory:
http://www.cisco.com/warp/public/707/cisco-sa-20040616-bgp.shtml
Workarounds
Aside from updating the software revision, BGP MD5 authentication can be
enabled, which protects the vulnerable device. This can be configured as
shown in the following example:
router(config)# router bgp <AS number>
router(config-router)# neighbor <IP_address> password <enter_your_secret_here>
It is necessary to configure the same shared MD5 secret on both peers and
at the same time. Failure to do so will break the existing BGP session, and
the new session will not get established until the exact same secret is
configured on both devices. For a detailed discussion on how to configure
BGP, refer to the following document:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca571.html
Once the secret is configured, it is prudent to change it periodically.
The exact period must fit your company's security policy, but it should not
be longer than a few months. Changing the secret must again be done at the
same time on both devices. Failure to do so will break
your existing BGP session. The exception is if your Cisco IOS software
release contains the integrated CSCdx23494 fix on both sides of the
connection. With this fix, the BGP session will not be terminated when the
MD5 secret is changed only on one side. The BGP updates, however, will not
be processed until either the same secret is configured on both devices or
the secret is removed from both devices.
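The `neighbor <IP_address> password` command above enables the TCP MD5 Signature Option (RFC 2385), which is what makes a segment from a peer with a missing or mismatched secret get discarded by TCP before the BGP process parses it. The following Python is an added illustration, not code from Cisco's advisory or from IOS; it computes and verifies that digest over a constructed BGP KEEPALIVE segment, with made-up addresses, ports and secret.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_MD5_OPTION_KIND = 19   # RFC 2385 TCP MD5 Signature Option
TCP_MD5_OPTION_LEN = 18    # kind(1) + length(1) + 16-byte digest
BGP_PORT = 179
# Constructed BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)

def tcp_md5_digest(src_ip, dst_ip, tcp_hdr, opts_len, payload, secret):
    """RFC 2385 digest: pseudo-header, fixed 20-byte TCP header with the
    checksum zeroed (options excluded), segment data, then the shared secret."""
    seg_len = len(tcp_hdr) + opts_len + len(payload)
    pseudo = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, seg_len))
    hdr = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:20]
    return hashlib.md5(pseudo + hdr + payload + secret).digest()

def build_bgp_segment(src_ip, dst_ip, payload, secret):
    """Sender side: the segment a peer configured with
    `neighbor <ip> password <secret>` would emit (constructed field values)."""
    opts_len = TCP_MD5_OPTION_LEN + 2          # two NOPs pad to a 4-byte boundary
    data_offset = (20 + opts_len) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH", 49152, BGP_PORT, 1, 1,
                          data_offset << 4, 0x18, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, tcp_hdr, opts_len, payload, secret)
    options = bytes([1, 1, TCP_MD5_OPTION_KIND, TCP_MD5_OPTION_LEN]) + digest
    return tcp_hdr + options + payload

def verify_segment(src_ip, dst_ip, segment, secret):
    """Receiver side: recompute the digest with the locally configured secret;
    a missing option or a mismatch drops the segment before BGP sees the payload."""
    data_offset = (segment[12] >> 4) * 4
    tcp_hdr, options, payload = segment[:20], segment[20:data_offset], segment[data_offset:]
    carried, i = None, 0
    while i < len(options) and options[i] != 0:   # kind 0 = end of option list
        if options[i] == 1:                       # kind 1 = NOP padding
            i += 1
            continue
        kind, length = options[i], options[i + 1]
        if length < 2: return False               # malformed option length
        if kind == TCP_MD5_OPTION_KIND and length == TCP_MD5_OPTION_LEN:
            carried = options[i + 2:i + length]
        i += length
    if carried is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_hdr, len(options), payload, secret)
    return hmac.compare_digest(carried, expected)
```

Because the source and destination addresses are part of the digest, a segment that merely spoofs the peer's address but carries no valid signature fails the check too.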
ADDITIONAL INFORMATION
The information has been provided by the Cisco Systems Product Security
Incident Response Team (psirt@cisco.com).
This bulletin is sent to members of the SecuriTeam mailing list.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.