Cisco Patches DoS Flaw In BGP Over Ethernet VPN Implementation

Cisco has stated that changes to its implementation of the Border Gateway Protocol (BGP) in an Ethernet VPN have created a vulnerability in its IOE XE software.

The network giant has released software updates for IOS XE that solve the problem, which could be exploited remotely without authentication, and cause a blockage or corruption of the BGP routing table, which would lead to network instability.

The flaw, CVE-2017-12319, is related to a change in the implementation of RFC 7432, which is the MPLS Ethernet VPN BGP. The change in implementation, Cisco said, occurred between the IOS XE versions. IOS XE is a proprietary operating system from Cisco that automates network operations and manages wired and wireless networks. Cisco has stated that all versions of IOS XE prior to 16.3 that support Ethernet VPN configurations in BGP are vulnerable. All devices not configured for Ethernet VPN are not vulnerable, Cisco said.

"When the BGP Inclusive Multicast Ethernet Tag Route or BGP EVPN MAC / IP Advertisement package is received, it is possible that the length field of the IP address is not calculated correctly," Cisco said in a statement released on Friday. An attacker could exploit this vulnerability by sending a specially crafted BGP packet to an affected device after the BGP session has been established. An exploit could allow the attacker to cause the BGP routing table to be reloaded or corrupted by the affected device; one or the other would result in a DoS. "

Cisco stated that, since its BGP implementation only accepted packets of defined peers, attackers had to send malicious TCP packets and make them look like a trusted BGP pair. An attacker could also inject malicious messages into the victim's BGP network, Cisco said.

"This would require obtaining information about BGP peers in the trusted network of the affected system," Cisco said. "The vulnerability can be triggered when the router receives a BGP message from a peer in an existing BGP session, and at least one BGP Neighborhood session must be established for a router to be vulnerable."