Cisco patches a DoS vulnerability in IOE XE software that was introduced due to changes to its implementation of the Border Gateway Protocol (BGP) over an Ethernet VPN.
The Cisco IOS XE operating system automates network operations and manages wired and wireless networks.
The vulnerability in the IOS XE, tracked as CVE-2017-12319, could be exploited remotely by an unauthenticated attacker to cause a DoS condition by crashing or corrupting the BGP routing table.
The flaw is linked is to a change in the implementation of the BGP MPLS-based Ethernet VPN(RFC 7432).
“A vulnerability in the Border Gateway Protocol (BGP) over an Ethernet Virtual Private Network (EVPN) for Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload, resulting in a denial of service (DoS) condition, or potentially corrupt the BGP routing table, which could result in network instability.” reads the Cisco security advisory.
The implementation change happened between IOS XE releases, releases prior to 16.3 that support BGP over Ethernet VPN configurations are vulnerable.
Cisco warned that only devices configured for an Ethernet VPN are vulnerable.
“When the BGP Inclusive Multicast Ethernet Tag Route or BGP EVPN MAC/IP Advertisement Route update packet is received, it could be possible that the IP address length field is miscalculated,” continues the Cisco advisory. “An attacker could exploit this vulnerability by sending a crafted BGP packet to an affected device after the BGP session was established. An exploit could allow the attacker to cause the affected device to reload or corrupt the BGP routing table; either outcome would result in a DoS.”
CISCO BGP implementation accepts packets only from defined peers, attackers must send malicious TCP packets spoofing the identity of a trusted BGP peer. An attacker could also inject malicious messages into the target BGP network.
“This would require obtaining information about the BGP peers in the affected system’s trusted network,” Cisco added. “The vulnerability may be triggered when the router receives a crafted BGP message from a peer on an existing BGP session. At least one BGP neighbor session must be established for a router to be vulnerable.”