Cisco Patches DoS Flaw in BGP over Ethernet VPN Implementation

Cisco has updated its IOS XE software to address a denial of service vulnerability in its implementation of BGP over an Ethernet VPN.

Cisco said that changes to its implementation of the Border Gateway Protocol (BGP) over an Ethernet VPN have created a vulnerability in its IOS XE software.

The networking giant has released software updates for IOS XE that patch the issue, which could be exploited remotely without authentication to crash a device or corrupt its BGP routing table, resulting in network instability.

The flaw, CVE-2017-12319, is traced to a change in the implementation of RFC 7432, which defines BGP MPLS-based Ethernet VPN. The implementation change, Cisco said, happened between IOS XE releases. IOS XE is Cisco’s proprietary operating system that automates network operations and manages wired and wireless networks. Cisco said that all releases of IOS XE prior to 16.3 that support BGP over Ethernet VPN configurations are vulnerable. Any devices not configured for an Ethernet VPN are not vulnerable, Cisco said.

“When the BGP Inclusive Multicast Ethernet Tag Route or BGP EVPN MAC/IP Advertisement Route update packet is received, it could be possible that the IP address length field is miscalculated,” Cisco said in an advisory released Friday. “An attacker could exploit this vulnerability by sending a crafted BGP packet to an affected device after the BGP session was established. An exploit could allow the attacker to cause the affected device to reload or corrupt the BGP routing table; either outcome would result in a DoS.”
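The advisory's description hinges on a receiver trusting a length field carried inside an EVPN route. As an added illustration, not Cisco's code and saying nothing about how IOS XE itself parses these routes, the Python below reads the two NLRI types named in the advisory (RFC 7432 sections 7.2 and 7.3) and rejects any route whose IP Address Length field is not 0, 32 or 128 bits, or whose declared length does not match the octets actually present. The route distinguisher, MAC address, IP address, label and tag values, and the sample routes built from them, are constructed for the demonstration.

```python
"""Defensive parser for two BGP EVPN NLRI types (RFC 7432 sections 7.2 and 7.3).

Added example, not Cisco's implementation: it shows the consistency checks a
receiver must apply to the IP Address Length field rather than trusting it.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 7432 section 7: each EVPN NLRI begins with Route Type (1 octet) and
# Length (1 octet) covering the type-specific body that follows.
ROUTE_TYPE_MAC_IP = 2            # MAC/IP Advertisement Route
ROUTE_TYPE_INCLUSIVE_MCAST = 3   # Inclusive Multicast Ethernet Tag Route

# IP Address Length is given in bits; only these three values are legal.
VALID_IP_LENGTH_BITS = {0: 0, 32: 4, 128: 16}


class MalformedNLRI(ValueError):
    """A field is inconsistent with the bytes that are actually present."""


@dataclass
class EvpnRoute:
    route_type: int
    rd: bytes
    eth_tag: int
    ip: Optional[bytes]          # None when IP Address Length is 0
    mac: Optional[bytes] = None  # type 2 only
    labels: tuple = ()           # type 2 only


def _ip_octets(ip_len_bits: int) -> int:
    # Refuse anything other than 0, 32 or 128 bits before using it as a size.
    if ip_len_bits not in VALID_IP_LENGTH_BITS:
        raise MalformedNLRI(f"illegal IP Address Length {ip_len_bits} bits")
    return VALID_IP_LENGTH_BITS[ip_len_bits]


def _take(buf: bytes, pos: int, n: int, what: str) -> Tuple[bytes, int]:
    # Bounds-checked slice: never read past the declared NLRI body.
    if pos + n > len(buf):
        raise MalformedNLRI(f"{what}: need {n} octets at offset {pos}, "
                            f"only {len(buf) - pos} left")
    return buf[pos:pos + n], pos + n


def parse_evpn_nlri(data: bytes) -> EvpnRoute:
    if len(data) < 2:
        raise MalformedNLRI("truncated NLRI header")
    route_type, body_len = data[0], data[1]
    body = data[2:]
    if len(body) != body_len:
        raise MalformedNLRI(f"Length field says {body_len}, got {len(body)}")
    rd, pos = _take(body, 0, 8, "Route Distinguisher")

    if route_type == ROUTE_TYPE_MAC_IP:
        _esi, pos = _take(body, pos, 10, "Ethernet Segment Identifier")
        tag, pos = _take(body, pos, 4, "Ethernet Tag ID")
        mac_len, pos = _take(body, pos, 1, "MAC Address Length")
        if mac_len[0] != 48:
            raise MalformedNLRI(f"MAC Address Length {mac_len[0]} != 48 bits")
        mac, pos = _take(body, pos, 6, "MAC Address")
        ip_len, pos = _take(body, pos, 1, "IP Address Length")
        ip, pos = _take(body, pos, _ip_octets(ip_len[0]), "IP Address")
        # MPLS Label1 is mandatory; Label2 is present only if 3 more octets remain.
        remaining = len(body) - pos
        if remaining not in (3, 6):
            raise MalformedNLRI(f"expected 3 or 6 label octets, {remaining} left")
        labels = []
        while pos < len(body):
            lbl, pos = _take(body, pos, 3, "MPLS Label")
            labels.append(int.from_bytes(lbl, "big") >> 4)  # drop EXP/BoS bits
        return EvpnRoute(route_type, rd, int.from_bytes(tag, "big"),
                         ip or None, mac, tuple(labels))

    if route_type == ROUTE_TYPE_INCLUSIVE_MCAST:
        tag, pos = _take(body, pos, 4, "Ethernet Tag ID")
        ip_len, pos = _take(body, pos, 1, "IP Address Length")
        n_ip = _ip_octets(ip_len[0])
        if n_ip == 0:
            raise MalformedNLRI("Originating Router's IP Address is mandatory")
        ip, pos = _take(body, pos, n_ip, "Originating Router's IP Address")
        if pos != len(body):
            raise MalformedNLRI(f"{len(body) - pos} trailing octets")
        return EvpnRoute(route_type, rd, int.from_bytes(tag, "big"), ip)

    raise MalformedNLRI(f"unsupported route type {route_type}")


def validate(data: bytes) -> Optional[str]:
    """None if the NLRI parses cleanly, otherwise the reason it was rejected."""
    try:
        parse_evpn_nlri(data)
        return None
    except MalformedNLRI as exc:
        return str(exc)


def build_type2(rd, esi, tag, mac, ip, labels) -> bytes:
    """Build a well-formed type 2 NLRI (used only to construct demo input)."""
    body = rd + esi + struct.pack("!I", tag) + bytes([48]) + mac
    body += bytes([len(ip) * 8]) + ip
    for lbl in labels:
        body += ((lbl << 4) | 1).to_bytes(3, "big")  # label, EXP=0, BoS=1
    return bytes([ROUTE_TYPE_MAC_IP, len(body)]) + body


# Constructed sample values (not taken from any real network or the advisory).
RD = b"\x00\x01\x0a\x00\x00\x01\x00\x64"
ESI = bytes(10)
MAC = bytes.fromhex("0050566a1b2c")
IP4 = bytes([10, 0, 0, 1])
GOOD_TYPE2 = build_type2(RD, ESI, 100, MAC, IP4, [1001])
_T3_BODY = RD + struct.pack("!I", 100) + bytes([32]) + IP4
GOOD_TYPE3 = bytes([ROUTE_TYPE_INCLUSIVE_MCAST, len(_T3_BODY)]) + _T3_BODY
# Offset 31 is the IP Address Length octet of GOOD_TYPE2 (2 + 8 + 10 + 4 + 1 + 6).
BAD_TYPE2_OVERLONG = GOOD_TYPE2[:31] + bytes([128]) + GOOD_TYPE2[32:]
BAD_TYPE2_ILLEGAL = GOOD_TYPE2[:31] + bytes([64]) + GOOD_TYPE2[32:]

if __name__ == "__main__":
    for name, nlri in [("good type 2", GOOD_TYPE2), ("good type 3", GOOD_TYPE3),
                       ("overlong", BAD_TYPE2_OVERLONG), ("illegal", BAD_TYPE2_ILLEGAL)]:
        print(f"{name}: {validate(nlri) or 'accepted'}")
```

The two checks that matter are `_ip_octets`, which maps the field to a size only for the three values the RFC allows, and `_take`, which compares every read against the declared body length so a field can never be used to index beyond the bytes received. A receiver that applies both rejects an inconsistent route before it reaches the routing table.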

Cisco said that since its BGP implementation accepts packets only from defined peers, attackers must send malicious TCP packets and make them appear to originate from a trusted BGP peer. An attacker could also inject malicious messages into the victim’s BGP network, Cisco said.

“This would require obtaining information about the BGP peers in the affected system’s trusted network,” Cisco said. “The vulnerability may be triggered when the router receives a crafted BGP message from a peer on an existing BGP session. At least one BGP neighbor session must be established for a router to be vulnerable.”
