__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Cisco IOS Misformed BGP Packet Causes Reload [Cisco Document ID: 63845] January 26, 2005 17:00 GMT Number P-109 [REVISED 31 Jan 2005] [REVISED 11 Feb 2005] [REVISED 23 Mar 2005] ______________________________________________________________________________ PROBLEM: A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. Only devices with the command bgp log-neighbor-changes configured are vulnerable. PLATFORM: This vulnerablity is present in any unfixed version of Cisco IOS, from beginning of support for the BGP protocol, including versions 9.x, 10.x, 11.x, and 12.x. This issue affects all Cisco devices configured for BGP routing and running the bgp log-neighbor-changes command, which is on by default starting with releases 12.0(22)S, 12.0(11)ST, 12.1(10)E, 12.1(10) and later software. Cisco IOS XR is also affected. DAMAGE: Successful exploitation of this vulnerability results in a reload of the device. Repeated exploitation could result in a sustained DoS attack. SOLUTION: Upgrade to the appropriate version. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. Malformed BGP packets may cause a system to ASSESSMENT: reload. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the malicious traffic appears to be sourced form a configured, trusted peer, it would be difficult to inject a malformed packet. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/p-109.shtml ORIGINAL BULLETIN: Cisco Document ID: 63845 http://www.cisco.com/en/US/products/products_security_ advisory09186a00803be7d9.shtml ______________________________________________________________________________ REVISION HISTORY: 01/31/2005 - updated Cisco Document ID 63845 to reflect changes that include the addition of Cisco IOS XR as an affected product and other minor changes. 02/11/2005 - revised to reflect Cisco's recent modifications and additions to the Details section of their bulletn. 03/23/2005 - revised to reflect Cisco's recent modifications and additions to the Software Versions and Fixes section of their bulletin. [***** Start Cisco Document ID: 63845 *****] Cisco IOS Misformed BGP Packet Causes Reload Document ID: 63845 Revision 1.5 Last Updated 2005 March 21 1730 UTC (GMT) For Public Release 2005 January 26 1600 UTC (GMT) -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- Contents Summary Affected Products Details Impact Software Versions and Fixes Obtaining Fixed Software Workarounds Exploitation and Public Announcements Status of This Notice: FINAL Distribution Revision History Cisco Security Procedures -------------------------------------------------------------------------------- Summary A Cisco device running IOS® and enabled for the Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS) attack from a malformed BGP packet. Only devices with either the command bgp log-neighbor-changes configured or the command snmp-server enable traps bgp are vulnerable. The BGP protocol is not enabled by default, and must be configured in order to accept traffic from an explicitly defined peer. The malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a malformed packet. Cisco has made free software available to address this problem. This issue is tracked by CERT/CC VU#689326. This advisory will be posted at http://www.cisco.com/warp/public/707/ cisco-sa- 20050126-bgp.shtml. Affected Products Vulnerable Products This vulnerability is present in any unfixed version of Cisco IOS, from the beginning of support for the BGP protocol, including versions 9.x, 10.x, 11.x and 12.x. This issue affects all Cisco devices configured for BGP routing and running the bgp log-neighbor-changes command, which is on by default starting with releases 12.0(22)S, 12.0(11)ST, 12.1(10)E, 12.1(10) and later software. Cisco IOS XR is also affected. A router which is running the BGP process will have both a line in the configuration defining the AS number and the command bgp log-neighbor-changes, which can be seen by issuing the command show running-config: router bgp bgp log-neighbor-changes To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS ®." On the next line of output, the image name will be displayed between parentheses, followed by "Version" and the IOS release name. Other Cisco devices will not have the show version command or will give different output. The following example identifies a Cisco product running IOS release 12.0(3) with an installed image name of C2500-IS-L: Cisco Internetwork Operating System Software IOS (TM) 2500 Software (C2500-IS-L), Version 12.0(3), RELEASE SOFTWARE The release train label is "12.0." The next example shows a product running IOS release 12.0(2a)T1 with an image name of C2600-JS-MZ: Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-JS-MZ), Version 12.0(2a)T1, RELEASE SOFTWARE (fc1) Additional information about Cisco IOS release naming can be found at: http:// www.cisco.com/warp/public/620/1.html. Products Confirmed Not Vulnerable Products confirmed not to be vulnerable include devices that do not run Cisco IOS, such as the Cisco Guard, products that cannot participate in BGP or products that cannot be configured for BGP. No other Cisco products are currently known to be affected by this vulnerability. Details The Border Gateway Protocol (BGP) is a routing protocol defined by RFC 1771, and designed to manage IP routing in large networks. A affected Cisco device running a vulnerable version of Cisco IOS software with the BGP protocol enabled will reload if a malformed BGP packet is already queued on the interface when a BGP neighbor change is logged. The device is not vulnerable unless either bgp log-neighbor- changes is configured or snmp-server traps enable bgp is configured. Malformed packets may not only come from malicious sources. A valid peering device such as another BGP speaking router that produces the specific malformed packet in error can trigger this behavior. In all cases, however, the packets must be sourced from an IP address that is explicitly configured. BGP runs over the Transport Control Protocol (TCP), a reliable transport protocol which requires a valid three way handshake before any further messages will be accepted. The Cisco IOS implementation of BGP requires the explicit definition of a neighbor before a connection can be established, and traffic must appear to come from that neighbor. These implementation details make it very difficult to maliciously send a BGP packet to a Cisco IOS device from an unauthorized source. This bug may also be triggered by other means which are not considered remotely exploitable. The use of the commands show ip bgp neighbors or debug ip bgp password It is necessary to configure the same shared MD5 secret on both peers and at the same time. Failure to do so will break the existing BGP session and the new session will not get established until the exact same secret is configured on both devices. For a detailed discussion on how to configure BGP, refer to the following document: http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_ chapter09186a00800ca571.html Once the secret is configured, it is prudent to change it periodically. The exact period must fit within your company security policy but it should not be longer than a few months. When changing the secret, again it must be done at the same time on both devices. Failure to do so will break your existing BGP session. The exception is if your Cisco IOS software release contains the integrated CSCdx23494 ( registered customers only) fix on both sides of the connection. With this fix, the BGP session will not be terminated when the MD5 secret is changed only on one side. The BGP updates, however, will not be processed until either the same secret is configured on both devices or the secret is removed from both devices. Infrastructure Access Control Lists (iACLs) Although it is often difficult to block traffic transiting your network, it is possible to identify traffic that should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as providing some added protection for this specific vulnerability. The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection ACLs: http://www.cisco.com/warp/public/707/iacl.html Exploitation and Public Announcements The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was discovered by Cisco during internal testing. Status of This Notice: FINAL THIS ADVISORY IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE ADVISORY OR MATERIALS LINKED FROM THE ADVISORY IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS NOTICE AT ANY TIME. A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution This advisory will be posted on Cisco's worldwide website at http:// www.cisco.com/warp/public/707/cisco-sa-20050126-bgp.shtml . In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. cust-security-announce@cisco.com first-teams@first.org (includes CERT/CC) bugtraq@securityfocus.com vulnwatch@vulnwatch.org cisco@spot.colorado.edu cisco-nsp@puck.nether.net full-disclosure@lists.netsys.com comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History Revision 1.5 2005-March-21 Updated the IOS Software 12.2T available repaired release information in the IOS release table in the Software Versions and Fixes section. Revision 1.4 2005-February-09 Modifications and additions to the Details section. Revision 1.3 2005-February-04 Modifications to Software Versions and Fixes Table, Summary, Affected Products, and Details sections. Revision 1.2 2005-February-01 Additional rebuilds added to 12.2S Revision 1.1 2005-January-29 Added IOS XR as affected. Minor syntax changes. Modified 12.2ZA migration path. Revision 1.0 2005-January-26 Initial public release. Cisco Security Procedures Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- Updated: Jan 29, 2005 Document ID: 63845 -------------------------------------------------------------------------------- [***** End Cisco Document ID: 63845 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Cisco Systems for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) P-099: Apple iTunes Buffer Overflow P-100: Oracle Critical Patch Update P-101: Updated Linux Kernel Packages P-102: Veritas NetBackup Administrative Java GUI (bpjava-susvc) Vulnerability P-103: Buffer Overflow in cupsys P-104: Buffer Overflow in xpdf P-105: Sun Java Plug-In Vulnerability P-106: Ethereal 0.10.9 Released P-107: Security Vulnerability in Solaris 8 DHCP Administration Utilities P-108: libdbi-perl