navbar
Strip_FieldNotice

Cisco Security Advisory: Cisco IOS BGP Attribute Corruption Vulnerability

Revision 1.0

For Public Release 2001 May 10 08:00 AM US/Pacific (UTC -0700)

Summary

A Border Gateway Protocol (BGP) UPDATE contains Network Layer  Reachability  Information (NLRI) and attributes that describe the path to the destination. An unrecognized transitive attribute can cause failures in Cisco IOS routers, ranging from a crash upon receipt of the unrecognized transitive attribute, to a later failure upon attempt to clear the unrecognized transitive attribute. Specific but common configurations are affected, and described below.  The failure was discovered  because of a malfunction in the BGP implementation of another vendor. There is no workaround.  Affected customers are urged to upgrade to fixed code.

This vulnerability has been assigned Cisco bug ID CSCdt79947.

The complete text of this advisory will be located at http://www.cisco.com/warp/public/707/ios-bgp-attr-corruption-pub.shtml

Affected Products

Configurations including  BGP4 Prefix Filtering with Inbound Route Maps are vulnerable.  BGP with prefix or inbound routemap filtering was introduced in Cisco IOS® Software version 11.2  The following versions of Cisco IOS Software are affected and listed in the table below: 11.CC and its derivatives, 11.2 and its  derivaties, 11.3, 11.3T, 12.0, 12.0S and special branches taken out of 12.0 are all affected. The versions of Cisco IOS Software based on 12.1, 12.0(5)T, 12.2, 12.0ST, and 12.1(E) are not affected. The following products are affected if they run a Cisco IOS software release that has the defect. To determine if a Cisco product is running an affected IOS, log in to the device and issue the show version command. Cisco IOS software will identify itself as "Internetwork Operating System Software" or "IOS (tm)" software and will display a version number. Other Cisco devices either will not have the show version command, or will give different output. Compare the version number obtained from the router with the versions presented in the Software Versions and Fixes section below.

Cisco devices that may be running with affected Cisco IOS software releases include:

Cisco devices that may be running Cisco IOS Software, but do NOT support BGP and are therefore not vulnerable include: If you are not running Cisco IOS software, you are not affected by this vulnerability.  If you are not running BGP, you are not affected by this vulnerability.

Cisco products that do not run Cisco IOS software and are not affected by this defect include, but are not limited to:

Details

A Border Gateway Protocol (BGP) UPDATE contains Network Layer Reachability Information (NLRI) and attributes that describe the path to the destination. Each path attribute is a type, length, value (TLV) object. This failure occurs as a result of memory corruption and only in configurations using specific inbound route filtering. The failure was discovered because of a malfunction in the BGP implementation of another vendor. There is no workaround.

Impact

The vulnerability can be exercised repeatedly, affecting core routers, creating widespread network outages. This vulnerability can only be exercised in configurations that include both BGP and inbound route filtering on affected software.

Software Versions and Fixes

The following table summarizes the Cisco IOS software releases that are known to be affected, and the earliest estimated dates of availability for the recommended fixed versions. Dates are always tentative and subject to change.

Each row of the table describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix and the anticipated date of availability for each are listed in the "Rebuild", "Interim", and "Maintenance" columns. A device running any release in the given train that is earlier than the release in a specific column (less than the earliest fixed release) is known to be vulnerable, and it should be upgraded at least to the indicated release or a later version (greater than the earliest fixed release label).

When selecting a release, keep in mind the following definitions:

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco TAC for assistance as shown later in this notice.

More information on Cisco IOS Software release names and abbreviations is available at http://www.cisco.com/warp/public/cc/pd/iosw/iore/prodlit/537_pp.htm.
 
 
Train Description of Image or Platform Availability of Fixed Releases*
11.0-based Releases Rebuild Interim Maintenance
11.0 Major GD release for all platforms  Not vulnerable
11.1-based Releases Rebuild Interim Maintenance
11.1 Major release for all platforms Not vulnerable
11.1AA ED release for access servers: 1600, 3200, and 5200 series. Not vulnerable
11.1CA Platform-specific support for 7500, 7200, 7000, and RSP End of Engineering
Not scheduled
11.1CC ISP train: added support for FIB, CEF, and NetFlow on 7500, 7200, 7000, and RSP 11.1(36)CC2
Not scheduled
11.1CT Added support for Tag Switching on 7500, 7200, 7000, and RSP End of Engineering
Upgrade recommended to 12.0(14)ST
11.1IA Distributed Director only Not Vulnerable
11.2-based Releases Rebuild Interim Maintenance
11.2 Major release, general deployment  End of Engineering
Not scheduled
11.2BC Platform-specific support for IBM networking, CIP, and TN3270 on 7500, 7000, and RSP End of Engineering
Upgrade recommended to 12.1(8)
11.2F Feature train for all platforms End of Engineering
Upgrade recommended
11.2GS Early deployment release to support 12000 GSR End of Engineering
Upgrade recommended to 12.0(17)S
11.2P New platform support End of Engineering
Upgrade recommended to 12.0(17)
11.2SA Catalyst 2900XL switch only Not vulnerable
11.2WA3 LightStream 1010 ATM switch Not vulnerable
11.2(4)XAf Initial release for the 1600 and 3600 End of Engineering
Upgrade recommended
11.2(9)XA Initial release for the 5300 and digital modem support for the 3600 End of Engineering
Upgrade recommended
11.3-based Releases Rebuild Interim Maintenance
11.3 Major release for all platforms End of Engineering
Upgrade recommended to 12.0(17)
11.3AA ED for dial platforms and access servers: 5800, 5200, 5300, 7200 End of Engineering
Upgrade recommended to 12.0(17)
11.3DA Early deployment train for ISP DSLAM 6200 platform End of Engineering
Upgrade recommended to 12.1(5)DA1
11.3DB Early deployment train for ISP/Telco/PTT xDSL broadband concentrator platform, (NRP) for 6400 End of Engineering
Upgrade recommended to 12.1(4)DB1
11.3HA Short-lived ED release for ISR 3300 (SONET/SDH router) End of Engineering
Upgrade recommended to 12.0 
11.3MA MC3810 functionality only Not available
Not scheduled
11.3NA Voice over IP, media convergence, various platforms End of Engineering
Upgrade recommended to 12.0(5)T
11.3T Early deployment major release, feature-rich for early adopters End of Engineering
Upgrade recommended to 12.0(17)
11.3WA4 Multilayer Switching and Multiprotocol over ATM functionality for Catalyst 5000 RSM, 4500, 4700, 7200, 7500, LightStream 1010 End of Engineering
Upgrade recommended
11.3(2)XA Introduction of ubr7246 and 2600 End of Engineering
Upgrade recommended
12.0-based Releases Rebuild Interim Maintenance
12.0 General deployment release for all platforms     12.0(17) 
2001-Apr-23
12.0DA xDSL support: 6100, 6200 Unavailable
Upgrade recommended to 12.1(5)DA1
12.0DB Early Deployment (ED) release, which delivers support for the Cisco 6400 Universal Access Concentrator (UAC) for Node Switch Processor (NSP) Unavailable
Upgrade recommended to 12.1(4)DB1
12.0DC Early Deployment (ED) release, which delivers support for the Cisco 6400 Universal Access Concentrator (UAC) for Node Route Processor (NRP) Unavailable
Upgrade recommended to 12.1(5)DC
12.0S Core/ISP support: GSR, RSP, c7200 12.0(15)S3, 12.0(16)S1 12.0(16.06)S 12.0(17)S 
2001-May-07
2001-April-23 
2001-April-30		    
12.0SC Cable/broadband ISP: ubr7200 Not vulnerable
12.0SL 10000 ESR: c10k Not vulnerable
12.0ST Cisco IOS software Release12.0ST is an early deployment (ED) release for the Cisco 7200, 7500/7000RSP and 12000 (GSR) series routers for Service Providers (ISPs). Not vulnerable
12.0T Early Deployment(ED): VPN, Distributed Director, various platforms     12.0(5)T
12.0W5 Catalyst switches: cat2948g-l3, cat4232  12.0(10)W5(18g)  2001-Apr-20    
cat8510c, cat8540c, c6msm, ls1010, cat8510m, cat8540m, c5atm      12.0(16)W5(21) 
2001-May-21
12.0WT Catalyst switches: cat4840g Not vulnerable
12.0XA Early Deployment (ED): limited platforms Unavailable
Upgrade recommended to 12.1(8), available 2001-Apr-23
12.0XB Short-lived early deployment release Unavailable
Upgrade recommended to 12.1(8), available 2001-Apr-23
12.0XC Early Deployment (ED): limited platforms Unavailable
Upgrade recommended to 12.1(8), available 2001-Apr-23
12.0XD Early Deployment (ED): limited platforms Unavailable
Upgrade recommended to 12.1(8), available 2001-Apr-23
12.0XE Early Deployment (ED): limited platforms Not Vulnerable
12.0XF Early Deployment (ED): limited platforms Unavailable
Upgrade recommended to 12.1(8), available 2001-Apr-23
12.0XG Early Deployment (ED): limited platforms Unavailable
Upgrade recommended to 12.1(8), available 2001-Apr-23
12.0XH Early Deployment (ED): limited platforms Unavailable
Upgrade recommended to 12.1(8), available 2001-Apr-23
12.0XI Early Deployment (ED): limited platforms Unavailable
Upgrade recommended to 12.1(8), available 2001-Apr-23
12.0XJ Early Deployment (ED): limited platforms Unavailable
Upgrade recommended to 12.1(8), available 2001-Apr-23
12.0XK Early Deployment (ED): limited platforms Not vulnerable
12.0XL Early Deployment (ED): limited platforms Not vulnerable
12.0XM Short-lived early deployment release Not vulnerable
12.0XN Early Deployment (ED): limited platforms  Not vulnerable
12.0XP Early Deployment (ED): limited platforms Not vulnerable
12.0XQ Short-lived early deployment release Not vulnerable
12.0XR Short-lived early deployment release Not vulnerable
12.0XS Short-lived early deployment release Not vulnerable
12.0XU Early Deployment (ED): limited platforms Not vulnerable
12.0XV Short-lived early deployment release Not vulnerable
12.1-based and Later Releases Rebuild Interim Maintenance
12.1 General deployment release for all platforms  Not vulnerable
Notes
* All dates are estimated and subject to change. 

** Interim releases are subjected to less rigorous testing than regular maintenance releases, and may have serious bugs. 
 

Getting Fixed Software

Cisco is offering free software upgrades to remedy this vulnerability for all affected customers.

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained via the Software Center on Cisco's Worldwide Web site at http://www.cisco.com.

Customers without contracts should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including instructions and e-mail addresses for use in various languages.

Give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Workarounds

There are no known workarounds for this vulnerablity.  Please upgrade to fixed versions.

Exploitation and Public Announcements

Cisco has had no reports of malicious exploitation of this vulnerability.   The failure was discovered  because of a malfunction in the BGP implementation of another vendor, which caused a series of crashes that led to the identification of this issue.

Cisco knows of no public announcements of this vulnerability before the date of this notice.

Status of This Notice: FINAL

This is a FINAL notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the facts have been checked to the best of our ability.   Cisco does not anticipate issuing updated versions of this notice unless there is some material change in the facts. Should there be a significant change in the facts, Cisco may update this notice.
 

Distribution

This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/ios-bgp-attr-corruption-pub.shtml. In addition to Worldwide Web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients: Future updates of this notice, if any, will be placed on Cisco's Worldwide Web server, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates.

Revision History

 
Revision Number 1.0  Initial Public Release

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices.

This notice is Copyright 2001 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, and include all date and version information.

Toolbar

All contents are Copyright © 1992--2001 Cisco Systems Inc. All rights reserved. Important Notices and Privacy Statement.