A vulnerability in the Border Gateway Protocol over an Ethernet Virtual Private Network in Cisco IOS XE software...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
enabled a denial-of-service attack. What is the BGP vulnerability and how did Cisco fix it?
Cisco has been proactive in addressing new vulnerabilities in its products. The latest is a denial-of-service vulnerability in its IOS XE software prior to release 16.3.
The vulnerability was caused by the changes in Cisco's implementation of the Border Gateway Protocol (BGP) over an Ethernet VPN (EVPN). Cisco blamed the vulnerability on a change in the implementation of the draft specification for BGP over Multiprotocol Label Switching-based EVPNs.
The vulnerable implementation of the protocol didn't properly accept incoming BGP traffic. The length of the inbound packet's IP address field was miscalculated, which could have enabled an attacker to send malicious packets over a TCP connection. When attacked, the device could be forced to reload the BGP routing table, or the table could be corrupted, causing the affected device to malfunction. This led the IOS XE software to stop working.
With the BGP vulnerability, the attacker could then create a malicious BGP message and inject it into the affected BGP network. A BGP session had to exist for the router to receive the message from a peer. The router also had to have at least one BGP neighbor session before the denial-of-service vulnerability could be triggered.
As a timesaver, Cisco IOS Software Checker should be used to check the update status of affected releases of IOS XE software. To obtain the release number, administrators should log in and use the show version command in the command-line interface.
There are no workarounds to fix the BGP vulnerability. The good news is that software updates are available for the affected releases at no charge. Releases 16.3 and later are free of the BGP vulnerability. New releases require more memory for the devices -- current and upgraded. Hardware and software configurations are detailed in Cisco's Carrier Ethernet Configuration Guide. Cisco IOS XR Software and Cisco NX-OS Software are not affected.
Customers are advised to regularly check Cisco Security Advisories and Alerts for new vulnerabilities.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on DDoS attack detection and prevention
Related Q&A from Judith Myerson
A patch was issued for the Dirty COW vulnerability, but researchers later discovered problems with the patch. Expert Judith Myerson explains what ...continue reading
Getting firewall settings right is one of the most basic ways to protect enterprise data from accidental exposures. Expert Judith Myerson discusses ...continue reading
Expert Judith Myerson explains how IP theft can happen despite the cryptographic protections in IEEE standard P1735, as well as what can be done to ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.