A vulnerability in the Border Gateway Protocol over an Ethernet Virtual Private Network in Cisco IOS XE software...
enabled a denial-of-service attack. What is the BGP vulnerability and how did Cisco fix it?
Cisco has been proactive in addressing new vulnerabilities in its products. The latest is a denial-of-service vulnerability in its IOS XE software prior to release 16.3.
The vulnerability was caused by the changes in Cisco's implementation of the Border Gateway Protocol (BGP) over an Ethernet VPN (EVPN). Cisco blamed the vulnerability on a change in the implementation of the draft specification for BGP over Multiprotocol Label Switching-based EVPNs.
The vulnerable implementation of the protocol didn't properly accept incoming BGP traffic. The length of the inbound packet's IP address field was miscalculated, which could have enabled an attacker to send malicious packets over a TCP connection. When attacked, the device could be forced to reload the BGP routing table, or the table could be corrupted, causing the affected device to malfunction. This led the IOS XE software to stop working.
With the BGP vulnerability, the attacker could then create a malicious BGP message and inject it into the affected BGP network. A BGP session had to exist for the router to receive the message from a peer. The router also had to have at least one BGP neighbor session before the denial-of-service vulnerability could be triggered.
As a timesaver, Cisco IOS Software Checker should be used to check the update status of affected releases of IOS XE software. To obtain the release number, administrators should log in and use the show version command in the command-line interface.
There are no workarounds to fix the BGP vulnerability. The good news is that software updates are available for the affected releases at no charge. Releases 16.3 and later are free of the BGP vulnerability. New releases require more memory for the devices -- current and upgraded. Hardware and software configurations are detailed in Cisco's Carrier Ethernet Configuration Guide. Cisco IOS XR Software and Cisco NX-OS Software are not affected.
Customers are advised to regularly check Cisco Security Advisories and Alerts for new vulnerabilities.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on DDoS attack detection and prevention
Related Q&A from Judith Myerson
The Signal Desktop application was found to be making decryption keys available in plaintext. Learn how the SQLite database and plaintext passwords ... Continue Reading
An exploit code for Dirty COW was accidentally shipped by Cisco with product software. Learn how this code ended up in a software release and what ... Continue Reading
Cisco's Webex Meetings platform had to be re-patched after researchers found the first one was failing. Discover what went wrong with the first patch... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.