How can a BGP vulnerability in Cisco products be fixed?

A BGP vulnerability in some Cisco products enabled denial-of-service attacks. Expert Judith Myerson explains the vulnerability and how Cisco fixed the problem.

A vulnerability in the Border Gateway Protocol over an Ethernet Virtual Private Network in Cisco IOS XE software enabled a denial-of-service attack. What is the BGP vulnerability and how did Cisco fix it?

Cisco has been proactive in addressing new vulnerabilities in its products. The latest is a denial-of-service vulnerability in its IOS XE software prior to release 16.3.

The vulnerability was caused by changes in Cisco's implementation of the Border Gateway Protocol (BGP) over an Ethernet VPN (EVPN). Cisco attributed it to a change in the implementation of the draft specification for BGP over Multiprotocol Label Switching-based EVPNs.

The vulnerable implementation of the protocol didn't properly accept incoming BGP traffic. The length of the inbound packet's IP address field was miscalculated, which could have enabled an attacker to send malicious packets over a TCP connection. When attacked, the device could be forced to reload the BGP routing table, or the table could be corrupted, causing the affected device to malfunction. This led the IOS XE software to stop working.

With the BGP vulnerability, the attacker could then create a malicious BGP message and inject it into the affected BGP network. A BGP session had to exist for the router to receive the message from a peer. The router also had to have at least one BGP neighbor session before the denial-of-service vulnerability could be triggered.

As a timesaver, Cisco IOS Software Checker should be used to check the update status of affected releases of IOS XE software. To obtain the release number, administrators should log in and use the show version command in the command-line interface.

There are no workarounds to fix the BGP vulnerability. The good news is that software updates are available for the affected releases at no charge. Releases 16.3 and later are free of the BGP vulnerability. New releases require more memory for the devices -- current and upgraded. Hardware and software configurations are detailed in Cisco's Carrier Ethernet Configuration Guide. Cisco IOS XR Software and Cisco NX-OS Software are not affected.
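
The check described above can be scripted. The following is an added example, not code from the article or from Cisco: it reads show version output for the IOS XE release, compares it numerically with 16.3, and lists configured BGP neighbors. The sample outputs are constructed, and treating a "neighbor ... remote-as" line as the sign of a BGP neighbor is an assumption.

```python
import re

FIXED = (16, 3)  # per the article: releases 16.3 and later are not affected

# Matches "Version 16.03.01" and the older "Version 03.16.04b.S" numbering.
VERSION_RE = re.compile(r"Cisco IOS XE Software, Version (\d+)\.(\d+)")
# Assumption: a "neighbor <peer> remote-as <asn>" line marks a configured peer.
NEIGHBOR_RE = re.compile(r"^[ \t]*neighbor[ \t]+(\S+)[ \t]+remote-as[ \t]+\d+", re.M)

# Constructed samples, not captured from a real device.
SAMPLE_OLD = "Cisco IOS XE Software, Version 03.16.04b.S - Extended Support Release\n"
SAMPLE_NEW = "Cisco IOS XE Software, Version 16.03.01\n"
SAMPLE_BGP = """\
router bgp 64496
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 update-source Loopback0
 neighbor 192.0.2.2 remote-as 64497
 address-family l2vpn evpn
  neighbor 192.0.2.1 activate
"""


def ios_xe_release(show_version):
    """Return (major, minor) as integers, so 3.16 sorts below 16.3; None if absent."""
    m = VERSION_RE.search(show_version)
    return (int(m.group(1)), int(m.group(2))) if m else None


def bgp_neighbors(config):
    """Return configured BGP peers in order of appearance, without repeats."""
    return list(dict.fromkeys(NEIGHBOR_RE.findall(config)))


def triage(show_version, config):
    """Classify a device using the article's two conditions."""
    release = ios_xe_release(show_version)
    if release is None:
        return "unknown: no IOS XE version line found"
    if release >= FIXED:
        return "not affected: release %d.%d" % release
    if bgp_neighbors(config):
        return "affected and exposed: release %d.%d has BGP neighbors" % release
    return "affected: release %d.%d, no BGP neighbor configured" % release


if __name__ == "__main__":
    print(triage(SAMPLE_OLD, SAMPLE_BGP))
    print(triage(SAMPLE_NEW, SAMPLE_BGP))
```

A configured neighbor is not proof of an established session, so the result is a prioritization aid for upgrades rather than a confirmation of exposure.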

Customers are advised to regularly check Cisco Security Advisories and Alerts for new vulnerabilities.

This was last published in January 2018