A vulnerability in Cisco's BGP implementation can trick a router into thinking it's flooded

Aug 22, 2009 08:09 GMT

Cisco, the leader in networking tools around the globe, has recently released a patch for its routers and switches fixing a critical vulnerability in the BGP implementation of its IOS software. This vulnerability allowed attackers to fool a device into believing it was under attack and to remotely shut it down.

BGP (Border Gateway Protocol) is a dynamic routing protocol that relies heavily on routing updates exchanged between peers to learn where each device sits in the network and what it can reach. The fixed vulnerability was triggered when invalid BGP updates were received by Cisco IOS XR software. When a BGP update packet carried an invalid attribute for a prefix, Cisco routers would drop the connection for that route until new, clean updates were received. This would have enabled attackers to send bad updates across a series of routes and disable an entire network.

IOS was also vulnerable when unusually long BGP updates were received by Cisco software. In such cases, routers would have crashed or reset. A third vulnerability in the BGP implementation concerned updates containing a large number of AS prepends, which caused the BGP process to crash.
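The three BGP conditions described above (a malformed attribute, an oversized update, and an AS path padded with prepends) are all things a receiver can reject at the parsing boundary before the routing process ever sees them. The following Python is an added illustration written for this page, not code from the article or from Cisco: it constructs sample UPDATE messages using classic 2-byte AS numbers, parses the AS_PATH attribute with strict bounds checks, and classifies each message. The 4096-byte message ceiling comes from RFC 4271; the `maxas` threshold of 50, the sample prefix and next hop, and the decision to count AS_SET members individually are assumptions made for the example.

```python
import struct

# BGP constants from RFC 4271 (the example assumes classic 2-byte AS numbers)
BGP_MARKER = b"\xff" * 16
BGP_MAX_MESSAGE = 4096                # largest message a BGP speaker must accept
UPDATE = 2                            # message type
ORIGIN, AS_PATH, NEXT_HOP = 1, 2, 3   # path attribute type codes
AS_SET, AS_SEQUENCE = 1, 2            # AS_PATH segment types
ATTR_EXT_LEN = 0x10                   # attribute flag: 2-byte length field


def build_update(as_numbers, prefix=bytes([10, 0, 0, 0]), prefix_len=8):
    """Construct a minimal UPDATE (ORIGIN, AS_PATH, NEXT_HOP, one NLRI).
    Constructed test input only; long AS paths are split into 255-entry
    AS_SEQUENCE segments because the segment count field is one byte."""
    origin = bytes([0x40, ORIGIN, 1, 0])                   # transitive, origin IGP
    path = b""
    for i in range(0, len(as_numbers), 255):
        chunk = as_numbers[i:i + 255]
        path += bytes([AS_SEQUENCE, len(chunk)]) + struct.pack("!%dH" % len(chunk), *chunk)
    if len(path) > 255:                                    # needs the extended-length flag
        as_path = bytes([0x40 | ATTR_EXT_LEN, AS_PATH]) + struct.pack("!H", len(path)) + path
    else:
        as_path = bytes([0x40, AS_PATH, len(path)]) + path
    next_hop = bytes([0x40, NEXT_HOP, 4, 192, 0, 2, 1])   # 192.0.2.1 (documentation range)
    attrs = origin + as_path + next_hop
    nlri = bytes([prefix_len]) + prefix[:(prefix_len + 7) // 8]
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri   # no withdrawn routes
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), UPDATE) + body


def parse_as_path(msg):
    """Return the AS_PATH segments of an UPDATE as [(segment_type, [asn, ...]), ...].
    Raises ValueError on any framing or length inconsistency instead of guessing."""
    if len(msg) < 23 or msg[:16] != BGP_MARKER:
        raise ValueError("bad marker or truncated header")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if length != len(msg) or mtype != UPDATE:
        raise ValueError("length mismatch or not an UPDATE")
    pos = 19
    withdrawn_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2 + withdrawn_len
    if pos + 2 > len(msg):
        raise ValueError("withdrawn routes overrun message")
    attrs_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2
    end = pos + attrs_len
    if end > len(msg):
        raise ValueError("path attributes overrun message")
    segments = []
    while pos < end:
        if pos + 3 > end:
            raise ValueError("truncated attribute header")
        flags, code = msg[pos], msg[pos + 1]
        if flags & ATTR_EXT_LEN:
            if pos + 4 > end:
                raise ValueError("truncated extended-length header")
            value_len = struct.unpack("!H", msg[pos + 2:pos + 4])[0]
            pos += 4
        else:
            value_len = msg[pos + 2]
            pos += 3
        if pos + value_len > end:
            raise ValueError("attribute value overruns attribute list")
        value = msg[pos:pos + value_len]
        pos += value_len
        if code != AS_PATH:
            continue
        i = 0
        while i < len(value):
            if i + 2 > len(value):
                raise ValueError("truncated AS_PATH segment header")
            seg_type, count = value[i], value[i + 1]
            if seg_type not in (AS_SET, AS_SEQUENCE):
                raise ValueError("unknown AS_PATH segment type")
            i += 2
            if i + 2 * count > len(value):
                raise ValueError("AS_PATH segment overruns attribute")
            segments.append((seg_type, list(struct.unpack("!%dH" % count, value[i:i + 2 * count]))))
            i += 2 * count
    return segments


def as_entry_count(segments):
    """Count every AS entry, prepends included. Counting AS_SET members one by one
    is an assumption for this example, not a vendor-documented rule."""
    return sum(len(asns) for _, asns in segments)


def check_update(msg, maxas=50):
    """Classify an UPDATE before it reaches the routing process.
    maxas is an assumed operator threshold, not a vendor default."""
    if len(msg) > BGP_MAX_MESSAGE:
        return "oversized"
    try:
        segments = parse_as_path(msg)
    except ValueError:
        return "malformed"
    if as_entry_count(segments) > maxas:
        return "as-path-too-long"
    return "ok"


if __name__ == "__main__":
    samples = [("normal", build_update([65001, 65002, 65003])),
               ("prepend flood", build_update([65001] * 300)),
               ("oversized", build_update([65001] * 2100)),
               ("truncated", build_update([65001])[:-3])]
    for label, msg in samples:
        print(f"{label:14s} {len(msg):5d} bytes -> {check_update(msg)}")
```

Running the block prints one classification per constructed message. The point of the structure is that every length field is checked against its enclosing container before it is used, so a bad attribute is reported as `malformed` rather than dereferenced, and an excessive prepend count is caught as a simple counter comparison. Cisco IOS exposes a `bgp maxas-limit` command for the same purpose; whether it relates to the specific fix this article reports is not something the article states.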

All these vulnerabilities were fixed with the release of a recent patch that can be found here.

Separately, a completely different bug was reported in another Cisco product, this time the Firewall Services Module (FWSM). The vulnerability would have allowed attackers to send modified pings to disable a Cisco switch or router. While processing these specially crafted ICMP packets, the device would have consumed all available processing threads and stopped relaying packets between its ports, bringing the network to a complete halt.

Catalyst 6500 series switches and Cisco 7600 series routers are vulnerable to this problem when running FWSM software versions 2.X, 3.X and 4.X. Security experts at Cisco did not report any case of this vulnerability being exploited in the wild, but after further testing they noticed that some ordinary network traffic streams could unintentionally trigger the bug.

Updated and patched software for this vulnerability can be found here.