Cause of vulnerability
Design error
Severity
Medium
Affected systems
Cisco IOS XR Software devices configured with BGP routing
Unaffected systems
Cisco IOS Software
Cisco IOS XR Software without BGP routing configured
Impact
A remote attacker can exploit this vulnerability to reset BGP peering sessions, resulting in a denial of service.
Attack prerequisites
The attacker must have access to a Cisco IOS XR device running BGP.
Vulnerability details
Cisco IOS is a widely deployed Internet operating system.
The vulnerability is triggered when a BGP peer announces a specific prefix carrying a valid but unrecognized transitive attribute. On receiving such a prefix, Cisco IOS XR corrupts the attribute before sending the update on to its neighbors. A neighbor that receives the corrupted update resets the BGP peering session.
A device running affected Cisco IOS XR Software corrupts the unrecognized attribute before sending it to its neighbors, but neighboring devices that do not run Cisco IOS XR Software as their operating system will still reset the BGP session when they receive the update.
After a device running affected Cisco IOS XR Software sends the corrupted update, it receives a notification from the neighboring router and generates a log message similar to the following:
bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 172.16.1.251 Down - BGP Notification received: update malformed
To determine which Cisco IOS XR Software release is running on a Cisco product, administrators can log in to the device and issue the "show version" command to display system information. Output containing text similar to "Cisco IOS XR Software" indicates that the device is running Cisco IOS XR Software; the software version is shown after "Cisco IOS XR Software".
The following example shows a Cisco CRS-1 running Cisco IOS XR Software Release 3.6.2:
RP/0/RP0/CPU0:CRS#show version
Tue Aug 18 14:25:17.407 AEST
Cisco IOS XR Software, Version 3.6.2[00]
Copyright (c) 2008 by Cisco Systems, Inc.
ROM: System Bootstrap, Version 1.49(20080319:195807) [CRS-1 ROMMON],
CRS uptime is 4 weeks, 4 days, 1 minute
System image file is "disk0:hfr-os-mbi-3.6.2/mbihfr-rp.vm"
cisco CRS-8/S (7457) processor with 4194304K bytes of memory.
7457 processor at 1197Mhz, Revision 1.2
17 Packet over SONET/SDH network interface(s)
1 DWDM controller(s)
17 SONET/SDH Port controller(s)
8 TenGigabitEthernet/IEEE 802.3 interface(s)
2 Ethernet/IEEE 802.3 interface(s)
1019k bytes of non-volatile configuration memory.
38079M bytes of hard disk.
981440k bytes of ATA PCMCIA card at disk 0 (Sector size 512 bytes).
Configuration register on node 0/0/CPU0 is 0x102
Boot device on node 0/0/CPU0 is mem:
!-- output truncated
The following example shows a Cisco 12404 router running Cisco IOS XR Software Release 3.7.1:
RP/0/0/CPU0:GSR#show version
Cisco IOS XR Software, Version 3.7.1[00]
Copyright (c) 2008 by Cisco Systems, Inc.
ROM: System Bootstrap, Version 12.0(20051020:160303) SOFTWARE
Copyright (c) 1994-2005 by cisco Systems, Inc.
GSR uptime is 3 weeks, 6 days, 3 hours, 20 minutes
System image file is "disk0:c12k-os-mbi-3.7.1/mbiprp-rp.vm"
cisco 12404/PRP (7457) processor with 2097152K bytes of memory.
7457 processor at 1266Mhz, Revision 1.2
1 Cisco 12000 Series Performance Route Processor
1 Cisco 12000 Series - Multi-Service Blade Controller
1 1 Port ISE Packet Over SONET OC-48c/STM-16 Controller (1 POS)
1 Cisco 12000 Series SPA Interface Processor-601/501/401
3 Ethernet/IEEE 802.3 interface(s)
1 SONET/SDH Port controller(s)
1 Packet over SONET/SDH network interface(s)
4 PLIM QoS controller(s)
8 FastEthernet/IEEE 802.3 interface(s)
1016k bytes of non-volatile configuration memory.
1000496k bytes of disk0: (Sector size 512 bytes).
65536k bytes of Flash internal SIMM (Sector size 256k).
Configuration register on node 0/0/CPU0 is 0x2102
Boot device on node 0/0/CPU0 is disk0:
!-- output truncated
BGP is configured in Cisco IOS XR Software with the "router bgp [AS Number]" or "router bgp [X.Y]" configuration command. A device running an affected Cisco IOS XR Software release with BGP configured is affected by this vulnerability.
The following example shows a Cisco IOS XR Software device with BGP configured:
RP/0/0/CPU0:GSR#show running-config | begin router bgp
Building configuration...
router bgp 65535
bgp router-id 192.168.0.1
address-family ipv4 unicast
network 192.168.1.1/32
!
address-family vpnv4 unicast
!
neighbor 192.168.2.1
remote-as 65534
update-source Loopback0
address-family ipv4 unicast
!
!-- output truncated
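The three indicators above (the "Cisco IOS XR Software" version line, the "router bgp" configuration command, and the "update malformed" ADJCHANGE log message) can be checked mechanically across a fleet. The script below is an added example, not part of the Cisco advisory or of this page; the sample "show version", running-config and syslog inputs are constructed from the excerpts above, and whether a given version is actually fixed must still be checked against the vendor advisory.

```python
import re

# Constructed sample inputs, modelled on the advisory's own excerpts (not real device captures).
SHOW_VERSION = """RP/0/0/CPU0:GSR#show version
Cisco IOS XR Software, Version 3.7.1[00]
Copyright (c) 2008 by Cisco Systems, Inc.
"""
RUNNING_CONFIG = """router bgp 65535
 bgp router-id 192.168.0.1
 neighbor 192.168.2.1
  remote-as 65534
"""
SYSLOG = [
    "bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 172.16.1.251 Down - BGP Notification received: update malformed",
    "bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 172.16.1.252 Up",
]

VERSION_RE = re.compile(r"Cisco IOS XR Software, Version ([\d.]+)")
BGP_RE = re.compile(r"^router bgp (\S+)", re.MULTILINE)
MALFORMED_RE = re.compile(r"%ROUTING-BGP-5-ADJCHANGE\s*:\s*neighbor (\S+) Down.*update malformed")

def ios_xr_version(show_version_output):
    """Version string after 'Cisco IOS XR Software', or None if the device does not run IOS XR."""
    m = VERSION_RE.search(show_version_output)
    return m.group(1) if m else None

def bgp_autonomous_system(running_config):
    """AS number (or X.Y form) from 'router bgp', or None when BGP is not configured."""
    m = BGP_RE.search(running_config)
    return m.group(1) if m else None

def is_exposed(show_version_output, running_config):
    """A device is in scope only when it runs IOS XR and has BGP configured (per the advisory)."""
    return ios_xr_version(show_version_output) is not None and bgp_autonomous_system(running_config) is not None

def malformed_update_neighbors(syslog_lines):
    """Neighbors whose session went Down with the 'update malformed' notification the advisory describes."""
    hits = []
    for line in syslog_lines:
        m = MALFORMED_RE.search(line)
        if m:
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    print("IOS XR version:", ios_xr_version(SHOW_VERSION))
    print("BGP AS:", bgp_autonomous_system(RUNNING_CONFIG))
    print("exposed:", is_exposed(SHOW_VERSION, RUNNING_CONFIG))
    print("neighbors reporting malformed update:", malformed_update_neighbors(SYSLOG))
```

A hit from malformed_update_neighbors on an IOS XR device is the symptom the advisory describes on the sending side; the same notification on the receiving neighbor is where the session reset actually occurs.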
Test method
Vendor solution
Users can refer to the following vendor security advisory for patch information:
http://www.cisco.com/warp/public/707/cisco-sa-20100827-bgp.shtml
Reported by
IBM