Cisco borked its own BGP code in IOS XE, has since patched
Wanna break the Internet? Start by not patching this problem
Cisco's pushed a fix for a Border Gateway Protocol (BGP) denial-of-service bug in its IOS XE operating system.
Between two releases of IOS XE, the company says, it introduced a bug into its implementation of RFC 7432, the standard that gives the system support for BGP MPLS-based Ethernet VPNs (EVPN).
As a result, as Cisco's advisory explains, a crafted BGP packet could crash the target system.
While Switchzilla only grades the vulnerability as medium-severity, it's worth noting that BGP is critical to the Internet's backbone, and Cisco's by far the dominant supplier of backbone routers.
An attack would be relatively easy to trace, since a router only accepts BGP updates from its explicitly defined peers, so a malicious update would have to arrive from (or appear to arrive from) one of them; telling a deliberate attack apart from a peer that emits a malformed update by accident would be harder. From the advisory:
“When the BGP Inclusive Multicast Ethernet Tag Route or BGP EVPN MAC/IP Advertisement Route update packet is received, it could be possible that the IP address length field is miscalculated … An exploit could allow the attacker to cause the affected device to reload or corrupt the BGP routing table; either outcome would result in a DoS.”
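The field the advisory names is the one-octet IP Address Length in the EVPN NLRI, which a receiver turns into a byte count before reading the address that follows. The parser below is an added illustration, not Cisco's code and not the code that was patched: it lays out the MAC/IP Advertisement (type 2) and Inclusive Multicast Ethernet Tag (type 3) routes per RFC 7432 sections 7.2 and 7.3, validates the length field against the values the RFC allows (0, 32 or 128 bits for type 2; 32 or 128 for type 3) before using it, and bounds-checks every read against the NLRI length so a bad length raises an error instead of reading outside the update. The sample NLRI bytes (route distinguisher 65000:100, MAC 00:11:22:33:44:55, label 16) are constructed for the example.

```python
"""Defensive parser for the two EVPN NLRI route types named in the advisory.
Added example, not Cisco code. Field layout follows RFC 7432 sections 7.1-7.3."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

EVPN_MAC_IP_ADV = 2   # MAC/IP Advertisement Route, RFC 7432 s7.2
EVPN_INCL_MCAST = 3   # Inclusive Multicast Ethernet Tag Route, RFC 7432 s7.3


class MalformedNLRI(ValueError):
    """Raised instead of reading outside the NLRI when a length field is bad."""


@dataclass
class MacIpRoute:
    rd: bytes
    esi: bytes
    eth_tag: int
    mac: str
    ip: Optional[str]
    label1: int
    label2: Optional[int]


@dataclass
class InclMcastRoute:
    rd: bytes
    eth_tag: int
    orig_ip: str


def _take(body: bytes, off: int, n: int) -> tuple:
    """Bounds-checked slice: the check a miscalculated length would bypass."""
    if off + n > len(body):
        raise MalformedNLRI(f"need {n} octets at offset {off}, only {len(body) - off} left")
    return body[off:off + n], off + n


def _ip_octets(ip_len_bits: int, allowed: tuple) -> int:
    """Validate the IP Address Length field before using it as a byte count."""
    if ip_len_bits not in allowed:
        raise MalformedNLRI(f"IP Address Length {ip_len_bits} not in {allowed}")
    return ip_len_bits // 8


def _ip_str(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw) if len(raw) == 4 else ipaddress.IPv6Address(raw))


def _label(raw: bytes) -> int:
    """3-octet MPLS label field: the 20-bit label sits in the high bits."""
    return int.from_bytes(raw, "big") >> 4


def _parse_mac_ip(body: bytes) -> MacIpRoute:
    rd, off = _take(body, 0, 8)
    esi, off = _take(body, off, 10)
    tag, off = _take(body, off, 4)
    mac_len, off = _take(body, off, 1)
    if mac_len[0] != 48:
        raise MalformedNLRI(f"MAC Address Length {mac_len[0]} != 48")
    mac, off = _take(body, off, 6)
    ip_len, off = _take(body, off, 1)
    n = _ip_octets(ip_len[0], (0, 32, 128))
    ip, off = _take(body, off, n)
    l1, off = _take(body, off, 3)
    label2 = None
    if len(body) - off == 3:          # optional Label2 (RFC 7432 s7.2)
        l2, off = _take(body, off, 3)
        label2 = _label(l2)
    if off != len(body):
        raise MalformedNLRI("trailing octets after MAC/IP route")
    return MacIpRoute(rd, esi, int.from_bytes(tag, "big"), mac.hex(":"),
                      _ip_str(ip) if n else None, _label(l1), label2)


def _parse_incl_mcast(body: bytes) -> InclMcastRoute:
    rd, off = _take(body, 0, 8)
    tag, off = _take(body, off, 4)
    ip_len, off = _take(body, off, 1)
    n = _ip_octets(ip_len[0], (32, 128))
    ip, off = _take(body, off, n)
    if off != len(body):
        raise MalformedNLRI("trailing octets after Inclusive Multicast route")
    return InclMcastRoute(rd, int.from_bytes(tag, "big"), _ip_str(ip))


def parse_evpn_nlri(buf: bytes) -> list:
    """Parse a run of EVPN NLRI entries: Route Type (1), Length (1), body (Length octets)."""
    routes, off = [], 0
    while off < len(buf):
        hdr, off = _take(buf, off, 2)
        rtype, length = hdr[0], hdr[1]
        body, off = _take(buf, off, length)
        if rtype == EVPN_MAC_IP_ADV:
            routes.append(_parse_mac_ip(body))
        elif rtype == EVPN_INCL_MCAST:
            routes.append(_parse_incl_mcast(body))
        # other route types are skipped: the Length octet says how far to advance
    return routes


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_evpn_nlri(buf)
        return True
    except MalformedNLRI:
        return False


# Constructed sample NLRI (not captured traffic).
_RD = bytes.fromhex("0000fde800000064")                  # type-0 RD, 65000:100
_MAC_IP_BODY = (_RD + bytes(10) + bytes(4)                 # RD, all-zero ESI, Ethernet Tag 0
                + bytes([48]) + bytes.fromhex("001122334455")
                + bytes([32]) + bytes([10, 0, 0, 1])        # IP Address Length 32, 10.0.0.1
                + bytes.fromhex("000100"))                 # Label1 = 16
_INCL_MCAST_BODY = _RD + bytes(4) + bytes([32]) + bytes([192, 0, 2, 1])
SAMPLE_VALID = (bytes([EVPN_MAC_IP_ADV, len(_MAC_IP_BODY)]) + _MAC_IP_BODY
                + bytes([EVPN_INCL_MCAST, len(_INCL_MCAST_BODY)]) + _INCL_MCAST_BODY)
# Same MAC/IP route with the IP Address Length octet (body offset 29) set to 255, so the
# field no longer describes the body: the condition the advisory describes.
_BAD_BODY = _MAC_IP_BODY[:29] + bytes([255]) + _MAC_IP_BODY[30:]
SAMPLE_BAD_IP_LEN = bytes([EVPN_MAC_IP_ADV, len(_BAD_BODY)]) + _BAD_BODY
```

The two checks that matter are the whitelist in `_ip_octets` and the bounds check in `_take`: a length of 128 in a 37-octet body fails the second check even though it passes the first, which is why a validator needs both rather than trusting the NLRI Length octet alone.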
The other possibility, if the attacker has knowledge of the target network, would be to spoof the source address so that the TCP connection appears to come from a trusted BGP peer. Because BGP sessions run over TCP, that means injecting into an established session, which requires knowing or guessing its sequence numbers; TCP MD5 (RFC 2385) or TCP-AO session authentication and the GTSM TTL check raise the bar for that kind of injection.
The bug exists in all Cisco IOS XE releases prior to version 16.3. ®