Summary
Affected Products
Details
Vulnerability Scoring Details
Impact
Software Versions and Fixes
Workarounds
Obtaining Fixed Software
Exploitation and Public Announcements
Status of this Notice: Final
Distribution
Revision History
Cisco Security Procedures
Cisco IOS XR Software contains multiple vulnerabilities in the Border Gateway Protocol (BGP) feature. These vulnerabilities include:
All three vulnerabilities are different vulnerabilities from what was disclosed in the Cisco Security Advisory "Cisco IOS Software Border Gateway Protocol 4-Byte Autonomous System Number Vulnerabilities" on the 2009 July 29 1600 UTC at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090729-bgp.
Cisco has released a free software maintenance upgrade (SMU) that addresses these vulnerabilities.
Workarounds that mitigates these vulnerabilities are available.
This advisory is posted at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090818-bgp
The "Cisco IOS XR Software will reset a BGP peering session when receiving a specific invalid BGP update" vulnerability affects all Cisco IOS XR Software devices after and including software release 3.4.0 configured with BGP routing.
The other two vulnerabilities affect all Cisco IOS XR Software devices configured with BGP routing.
To determine the Cisco IOS XR Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The system banner confirms that the device is running Cisco IOS XR Software by displaying text similar to "Cisco IOS XR Software". The software version is displayed after the text "Cisco IOS XR Software".
The following example identifies a Cisco CRS-1 that is running Cisco IOS XR Software Release 3.6.2:
RP/0/RP0/CPU0:CRS#show version Tue Aug 18 14:25:17.407 AEST Cisco IOS XR Software, Version 3.6.2[00] Copyright (c) 2008 by Cisco Systems, Inc. ROM: System Bootstrap, Version 1.49(20080319:195807) [CRS-1 ROMMON], CRS uptime is 4 weeks, 4 days, 1 minute System image file is "disk0:hfr-os-mbi-3.6.2/mbihfr-rp.vm" cisco CRS-8/S (7457) processor with 4194304K bytes of memory. 7457 processor at 1197Mhz, Revision 1.2 17 Packet over SONET/SDH network interface(s) 1 DWDM controller(s) 17 SONET/SDH Port controller(s) 8 TenGigabitEthernet/IEEE 802.3 interface(s) 2 Ethernet/IEEE 802.3 interface(s) 1019k bytes of non-volatile configuration memory. 38079M bytes of hard disk. 981440k bytes of ATA PCMCIA card at disk 0 (Sector size 512 bytes). Configuration register on node 0/0/CPU0 is 0x102 Boot device on node 0/0/CPU0 is mem: !--- output truncated
The following example identifies a Cisco 12404 router that is running Cisco IOS XR Software Release 3.7.1:
RP/0/0/CPU0:GSR#show version Cisco IOS XR Software, Version 3.7.1[00] Copyright (c) 2008 by Cisco Systems, Inc. ROM: System Bootstrap, Version 12.0(20051020:160303) SOFTWARE Copyright (c) 1994-2005 by cisco Systems, Inc. GSR uptime is 3 weeks, 6 days, 3 hours, 20 minutes System image file is "disk0:c12k-os-mbi-3.7.1/mbiprp-rp.vm" cisco 12404/PRP (7457) processor with 2097152K bytes of memory. 7457 processor at 1266Mhz, Revision 1.2 1 Cisco 12000 Series Performance Route Processor 1 Cisco 12000 Series - Multi-Service Blade Controller 1 1 Port ISE Packet Over SONET OC-48c/STM-16 Controller (1 POS) 1 Cisco 12000 Series SPA Interface Processor-601/501/401 3 Ethernet/IEEE 802.3 interface(s) 1 SONET/SDH Port controller(s) 1 Packet over SONET/SDH network interface(s) 4 PLIM QoS controller(s) 8 FastEthernet/IEEE 802.3 interface(s) 1016k bytes of non-volatile configuration memory. 1000496k bytes of disk0: (Sector size 512 bytes). 65536k bytes of Flash internal SIMM (Sector size 256k). Configuration register on node 0/0/CPU0 is 0x2102 Boot device on node 0/0/CPU0 is disk0: !--- output truncated
Additional information about Cisco IOS XR Software release naming conventions is available in the "White Paper: Cisco IOS Reference Guide" at the following link: http://www.cisco.com/warp/public/620/1.html#t6.
Additional information about Cisco IOS XR Software time-based release model is available in the "White Paper: Guidelines for Cisco IOS XR Software" at the following link: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8803/ps5845/product_bulletin_c25-478699.html.
BGP is configured in Cisco IOS XR Software with the configuration command router bgp [AS Number] or router bgp [X.Y]. The device is vulnerable if it is running an affected Cisco IOS XR Software version and has BGP configured.
The following example shows a Cisco IOS XR Software device configured with BGP:
RP/0/0/CPU0:GSR#show running-config | begin router bgp Building configuration... router bgp 65535 bgp router-id 192.168.0.1 address-family ipv4 unicast network 192.168.1.1/32 ! address-family vpnv4 unicast ! neighbor 192.168.2.1 remote-as 65534 update-source Loopback0 address-family ipv4 unicast ! !--- output truncated
The following Cisco products are confirmed not vulnerable:
No other Cisco products are currently known to be affected by these vulnerabilities.
These vulnerabilities affect Cisco IOS XR devices running affected software versions and configured with the BGP routing feature. Details per vulnerability are outlined below:
The peering session will flap until the sender stops sending the invalid/corrupt BGP update message.RP/0/RP0/CPU0:Aug 17 13:47:05.896 GMT: bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 192.168.0.1 Down - BGP Notification sent: invalid or corrupt AS path
The above error message is not always displayed and the BGP process may crash before IOS XR has the chance to generate the error message.bgp[122]: %ROUTING-BGP-3-INTERNAL_ERROR : [10] : Internal error (Write buffer too small to generate update)
When an affected device BGP process crashes because of this large AS path prepend, no log message will be generated, prior to the crash.route-policy prepend-example prepend as-path 65534 3 prepend as-path 65531 2 end-policy router bgp 65534 neighbor 192.168.0.1 remote-as 65531 address-family ipv4 unicast route-policy prepend-example out
The above three vulnerabilities have been fixed in a single SMU and released under an umbrella Cisco Bug ID CSCtb18562 ( registered customers only)
Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html .
Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss .
CSCtb42995/CSCtb05382: Cisco IOS XR Software Border Gateway Protocol Vulnerabilities Calculate the environmental score of CSCtb42995/CSCtb05382 |
||||||
---|---|---|---|---|---|---|
CVSS Base Score - 4.3 |
||||||
Access Vector |
Access Complexity |
Authentication |
Confidentiality Impact |
Integrity Impact |
Availability Impact |
|
Network |
Medium |
None |
None |
None |
Partial |
|
CVSS Temporal Score - 3.6 |
||||||
Exploitability |
Remediation Level |
Report Confidence |
||||
Functional |
Official-Fix |
Confirmed |
CSCtb12726:Cisco IOS XR BGP process will crash when constructing a BGP update with a large number of AS prepends Calculate the environmental score of CSCtb12726 |
||||||
---|---|---|---|---|---|---|
CVSS Base Score - 3.3 |
||||||
Access Vector |
Access Complexity |
Authentication |
Confidentiality Impact |
Integrity Impact |
Availability Impact |
|
Network |
Low |
Multiple |
None |
None |
Partial |
|
CVSS Temporal Score - 2.7 |
||||||
Exploitability |
Remediation Level |
Report Confidence |
||||
Functional |
Official-Fix |
Confirmed |
Successful exploitation of these vulnerabilities may result in the continuous resetting of BGP peering sessions, or the continuous resetting of the BGP process itself. This may lead to routing inconsistencies and a denial of service for those affected networks.
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Note: Currently the SMUs are being posted to Cisco.com. This section will be updated accordingly once the SMUs are available for download.
Cisco IOS XR Version |
SMU ID |
SMU Name |
---|---|---|
3.2.X |
Vulnerable to BGP process crash vulnerabilities; Migrate to 3.4.1 or later. |
|
3.3.X |
Vulnerable to BGP process crash vulnerabilities; Migrate to 3.4.1 or later. |
|
3.4.0 |
Vulnerable; Migrate to 3.4.1 or later. |
|
3.4.1 |
AA03400 AA03414 |
hfr-rout-3.4.1.CSCtb18562 c12k-rout-3.4.1.CSCtb18562 |
3.4.2 |
AA03399 AA03413 |
hfr-rout-3.4.2.CSCtb18562 c12k-rout-3.4.2.CSCtb18562 |
3.4.3 |
AA03398 AA03412 |
hfr-rout-3.4.3.CSCtb18562 c12k-rout-3.4.3.CSCtb18562 |
3.5.2 |
AA03397 AA03411 |
hfr-rout-3.5.2.CSCtb18562 c12k-rout-3.5.2.CSCtb18562 |
3.5.3 |
AA03410 AA03396 |
c12k-rout-3.5.3.CSCtb18562 hfr-rout-3.5.3.CSCtb18562 |
3.5.4 |
AA03409 AA03395 |
c12k-rout-3.5.4.CSCtb18562 hfr-rout-3.5.4.CSCtb18562 |
3.6.0 |
AA03394 AA03408 |
hfr-rout-3.6.0.CSCtb18562 c12k-rout-3.6.0.CSCtb18562 |
3.6.1 |
AA03407 AA03393 |
c12k-rout-3.6.1.CSCtb18562 hfr-rout-3.6.1.CSCtb18562 |
3.6.2 |
AA03406 AA03392 |
c12k-rout-3.6.2.CSCtb18562 hfr-rout-3.6.2.CSCtb18562 |
3.6.3 |
AA03405 AA03391 |
c12k-rout-3.6.3.CSCtb18562 hfr-rout-3.6.3.CSCtb18562 |
3.7.0 |
AA03390 AA03404 |
hfr-rout-3.7.0.CSCtb18562 c12k-rout-3.7.0.CSCtb18562 |
3.7.1 |
AA03389 AA03403 |
hfr-rout-3.7.1.CSCtb18562 c12k-rout-3.7.1.CSCtb18562 |
3.7.2 |
AA03386 |
asr9k-rout-3.7.2.CSCtb18562 |
3.7.3 |
AA03385 |
asr9k-rout-3.7.3.CSCtb18562 |
3.8.0 |
AA03388 AA03402 |
hfr-rout-3.8.0.CSCtb18562 c12k-rout-3.8.0.CSCtb18562 |
3.8.1 |
AA03401 AA03387 |
hfr-rout-3.8.1.CSCtb18562 c12k-rout-3.8.1.CSCtb18562 |
Each individual vulnerability has a different workaround. Following are the mitigations and workarounds recommended for these vulnerabilities, prior to applying a SMU or software upgrade. The workarounds should be applied to both eBGP and iBGP peers.
These details can be captured and provided to Cisco TAC to decode the update message. show bgp neighbors [ip address of neighbor from above log message]:RP/0/RP0/CPU0:Aug 17 13:47:05.896 GMT: bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 192.168.0.1 Down - BGP Notification sent: invalid or corrupt AS path
Working with Cisco TAC, the decode of the above will display the AS path in a manner illustrated below.RP/0/RP0/CPU0:CRS#show bgp neighbors 192.168.0.1 <capture output and provide to Cisco TAC>
Working cooperatively with your peering partner, request that they filter outbound prefix advertisements from the identified source AS (in this example 65531) for your peering session. The filters configuration methods will vary depending on the routing device operating system used. For Cisco IOS XR Software the filters will be applied using Routing Policy Language (RPL) policies or with Cisco IOS Software via applying route-maps that deny advertisements matching that AS in their AS-PATH. Once these policies are applied, the peering session will be re-established.ATTRIBUTE NAME: AS_PATH AS_PATH: Type 2 is AS_SEQUENCE AS_PATH: Segment Length is 4 (0x04) segments long AS_PATH: 65533 65532 65531 65531
For further information on Cisco IOS XR RPL consult the document "Implementing Routing Policy on Cisco IOS XR Software" at the following link: http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/routing/configuration/guide/rc3rpl.html#wp1118699.route-policy maxas-limit # Check number of AS Numbers in AS Path attribute. # If greater than 100 drop the update. # If less than 100 pass the update. if as-path length ge 100 then drop else pass endif end-policy router bgp 65533 neighbor 192.168.0.1 remote-as 65534 address-family ipv4 unicast policy maxas-limit in policy maxas-limit out
Cisco will be releasing free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html , or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml .
Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.
Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.
On August 17, 2009 around 16:30-17:00 UTC several ISP's began experiencing connectivity issues as BGP sessions were being repeatedly reset, which corresponds to the vulnerability "Cisco IOS XR will reset a BGP peering session when receiving a specific invalid BGP update" disclosed in this advisory. Cisco TAC was engaged with a number of customers all seeing similar issues. Stability came a few hours afterward as workarounds were applied. At this time, it is not believed that the connectivity issues were the result of malicious activity.
The other two BGP process crash vulnerabilities were discovered by Cisco during internal negative testing.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
This advisory is posted on Cisco's worldwide website at :
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20090818-bgp
In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revision 2.6 |
2009-August-27 |
Minor revision to software table |
Revision 2.5 |
2009-August-24 |
Added final SMUs to the Software Table. |
Revision 2.4 |
2009-August-23 |
Added newly available SMUs to the Software Table. |
Revision 2.3 |
2009-August-22 |
Added newly available SMUs to the Software Table. |
Revision 2.2 |
2009-August-21 |
Added newly available SMUs to the Software Table. |
Revision 2.1 |
2009-August-20 |
Added currently available SMUs to the Software Table and separated CVSS tables. |
Revision 2.0 |
2009-August-20 |
Major update to include all bugs in Umbrella fix. |
Revision 1.0 |
2009-August-18 |
Initial public release. |
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.