Preemptive Protection against Cisco IOS Malformed BGP Packet Denial of Service
| Attack ID: | CPAI-2005-08 |
| Publish Date: | |
| Category: | Routing Protocols |
| Vulnerable Systems: | Any unfixed version of Cisco IOS including versions 9.x, 10.x, 11.x and 12.x. |
| Source: | Cisco Security Vulnerability Information |
| Description: | A denial of service vulnerability is present in any Cisco device running Cisco's Internetwork Operating System (IOS) and enabled for the Border Gateway Protocol (BGP). Only devices with the command bgp log-neighbor-changes configured are vulnerable. By sending a malformed BGP packet to an affected device, a remote attacker may cause the device to reload, resulting in a denial of service condition. The BGP protocol is not enabled by default. |
| Severity: | |
| Details: | The Border Gateway Protocol (BGP) is a routing protocol designed to manage IP routing in large networks. An affected Cisco device running a vulnerable version of Cisco IOS software with the BGP protocol enabled will reload if a malformed BGP packet is already queued on the interface when a BGP neighbor change is logged. Malformed packets may not necessarily come from malicious sources; a valid peering device such as another BGP router which produces the specific malformed packet in error may trigger this behavior. |
| Attack Detection: | Using SmartView Tracker, users of R55, R55W and InterSpect who have applied the solution outlined below will identify attack attempts by the following log entry: Name: MD5 Authenticated BGP enforcement violation |
| Solution: | Check Point has provided a solution for this problem since July 2004. To prevent the spoofing or modification of a valid BGP message, BGP traffic is checked for MD5 message authentication and unauthenticated messages are enforced against. The same protection applies to the routing protocols RIP and OSPF. |
| Industry Reference: | |
| Additional Information: | US-CERT VU#689326 |
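The two defensive checks the advisory touches on, as an added example that is not code from Check Point, Cisco or the advisory itself: a well-formedness check on the BGP message header (marker, length and type constraints from RFC 4271 section 4, which is what "malformed BGP packet" means at the header level), and verification of the TCP MD5 signature option (RFC 2385) that the Check Point protection relies on. The IP addresses, ports, shared key and the signed KEEPALIVE segment are constructed for illustration; the `build_segment` helper exists only to produce that sample.

```python
"""Added example: BGP header sanity check (RFC 4271) and TCP MD5 signature
verification (RFC 2385). All sample data below is constructed."""
import hashlib
import hmac
import socket
import struct

BGP_MARKER = b"\xff" * 16
# Minimum message length per type (RFC 4271 section 4): OPEN, UPDATE, NOTIFICATION, KEEPALIVE
BGP_MIN_LEN = {1: 29, 2: 23, 3: 21, 4: 19}
TCP_OPT_MD5 = 19  # RFC 2385 option kind; option length is always 18 (16-byte digest)


def check_bgp_header(msg: bytes):
    """Return None if the BGP message header is well formed, else a reason string."""
    if len(msg) < 19:
        return "short: fewer than 19 bytes"
    marker, length, mtype = struct.unpack("!16sHB", msg[:19])
    if marker != BGP_MARKER:
        return "bad marker"
    if mtype not in BGP_MIN_LEN:
        return f"unknown type {mtype}"
    if length < BGP_MIN_LEN[mtype] or length > 4096:
        return f"bad length {length} for type {mtype}"
    if mtype == 4 and length != 19:
        return "KEEPALIVE must be exactly 19 bytes"
    if length != len(msg):
        return f"length field {length} != {len(msg)} bytes received"
    return None


def _tcp_option(options: bytes, kind: int):
    """Walk the TCP options list; return the value of option `kind` or None."""
    i = 0
    while i < len(options):
        k = options[i]
        if k == 0:                      # End of option list
            return None
        if k == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        ln = options[i + 1]
        if ln < 2 or i + ln > len(options):
            return None                 # malformed option list: treat as absent
        if k == kind:
            return options[i + 2:i + ln]
        i += ln
    return None


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 section 2: MD5 over the pseudo-header, the fixed TCP header with
    checksum zeroed (options excluded), the segment data, then the shared key."""
    doff = (segment[12] >> 4) * 4
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, 6, len(segment))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + fixed + segment[doff:] + key).digest()


def verify_tcp_md5(src_ip, dst_ip, segment, key):
    """True only if the segment carries an MD5 option that matches the shared key."""
    doff = (segment[12] >> 4) * 4
    if doff < 20 or doff > len(segment):
        return False
    sig = _tcp_option(segment[20:doff], TCP_OPT_MD5)
    if sig is None or len(sig) != 16:
        return False
    return hmac.compare_digest(sig, tcp_md5_digest(src_ip, dst_ip, segment, key))


def build_segment(src_port, dst_port, payload, key, src_ip, dst_ip):
    """Constructed helper: a signed PSH|ACK segment (MD5 option + 2 NOPs for alignment)."""
    doff = (20 + 20) // 4
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, doff << 4, 0x18, 65535, 0, 0)
    # The digest excludes options, so it can be computed before the option is filled in.
    digest = tcp_md5_digest(src_ip, dst_ip, hdr + b"\x00" * 20 + payload, key)
    return hdr + bytes([TCP_OPT_MD5, 18]) + digest + b"\x01\x01" + payload


KEY = b"example-shared-secret"        # constructed
SRC, DST = "192.0.2.1", "192.0.2.2"   # constructed, documentation range
KEEPALIVE = BGP_MARKER + struct.pack("!HB", 19, 4)


def demo():
    """Signed segment verifies; a flipped payload bit or a wrong key does not."""
    seg = build_segment(179, 40001, KEEPALIVE, KEY, SRC, DST)
    ok = verify_tcp_md5(SRC, DST, seg, KEY)
    tampered = seg[:-1] + bytes([seg[-1] ^ 0x01])
    return ok, verify_tcp_md5(SRC, DST, tampered, KEY), verify_tcp_md5(SRC, DST, seg, b"other")


if __name__ == "__main__":
    print(demo(), check_bgp_header(KEEPALIVE), check_bgp_header(b"\x00" * 16 + b"\x00\x13\x04"))
```

The two checks answer different questions, which is why both are shown: the MD5 signature proves the segment came from a peer holding the shared key, while the header check catches a message that is structurally invalid regardless of who sent it, including the case the advisory notes of a legitimate peer emitting a malformed message in error.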