[ITNOG] [Fwd: [c-nsp] Cisco Security Advisory: Cisco IOS XR Software Border Gateway Protocol Vulnerability]
Marco Marzetti
marco@lamehost.it
Wed 1 Sep 2010 09:20:50 CEST
Hi,
Forwarding this in case anyone missed it...
Have a good day =)
------- Forwarded message -------
> From: Cisco Systems Product Security Incident Response Team
> <psirt@cisco.com>
> Reply-to: psirt@cisco.com
> To: cisco-nsp@puck.nether.net
> CC: psirt@cisco.com
> Subject: [c-nsp] Cisco Security Advisory: Cisco IOS XR Software Border
> Gateway Protocol Vulnerability
> Date: Fri, 27 Aug 2010 20:00:00 -0400
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Cisco Security Advisory: Cisco IOS XR Software Border Gateway
> Protocol Vulnerability
>
> Advisory ID: cisco-sa-20100827-bgp
>
> Revision 1.0
>
> For Public Release 2010 August 27 2200 UTC (GMT)
>
> +---------------------------------------------------------------------
>
> Summary
> =======
>
> Cisco IOS XR Software contains a vulnerability in the Border Gateway
> Protocol (BGP) feature. The vulnerability manifests itself when a BGP
> peer announces a prefix with a specific, valid but unrecognized
> transitive attribute. On receipt of this prefix, the Cisco IOS XR
> device will corrupt the attribute before sending it to the
> neighboring devices. Neighboring devices that receive this corrupted
> update may reset the BGP peering session.
>
> Affected devices running Cisco IOS XR Software corrupt the
> unrecognized attribute before sending to neighboring devices, but
> neighboring devices may be running operating systems other than Cisco
> IOS XR Software and may still reset the BGP peering session after
> receiving the corrupted update. This is per standards defining the
> operation of BGP.
>
> Cisco developed a fix that addresses this vulnerability and will be
> releasing free software maintenance upgrades (SMU) progressively
> starting 28 August 2010. This advisory will be updated accordingly as
> fixes become available.
>
> This advisory is posted at:
>
> http://www.cisco.com/warp/public/707/cisco-sa-20100827-bgp.shtml
>
> Affected Products
> =================
>
> This vulnerability affects all Cisco IOS XR Software devices
> configured with BGP routing.
>
> Vulnerable Products
> +------------------
>
> To determine the Cisco IOS XR Software release that is running on a
> Cisco product, administrators can log in to the device and issue the
> "show version" command to display the system banner. The system banner
> confirms that the device is running Cisco IOS XR Software by
> displaying text similar to "Cisco IOS XR Software". The software
> version is displayed after the text "Cisco IOS XR Software".
>
> The following example identifies a Cisco CRS-1 that is running Cisco
> IOS XR Software Release 3.6.2:
>
> RP/0/RP0/CPU0:CRS#show version
> Tue Aug 18 14:25:17.407 AEST
>
> Cisco IOS XR Software, Version 3.6.2[00]
> Copyright (c) 2008 by Cisco Systems, Inc.
>
> ROM: System Bootstrap, Version 1.49(20080319:195807) [CRS-1 ROMMON],
>
> CRS uptime is 4 weeks, 4 days, 1 minute
> System image file is "disk0:hfr-os-mbi-3.6.2/mbihfr-rp.vm"
>
> cisco CRS-8/S (7457) processor with 4194304K bytes of memory.
> 7457 processor at 1197Mhz, Revision 1.2
>
> 17 Packet over SONET/SDH network interface(s)
> 1 DWDM controller(s)
> 17 SONET/SDH Port controller(s)
> 8 TenGigabitEthernet/IEEE 802.3 interface(s)
> 2 Ethernet/IEEE 802.3 interface(s)
> 1019k bytes of non-volatile configuration memory.
> 38079M bytes of hard disk.
> 981440k bytes of ATA PCMCIA card at disk 0 (Sector size 512 bytes).
>
> Configuration register on node 0/0/CPU0 is 0x102
> Boot device on node 0/0/CPU0 is mem:
>
>
> !--- output truncated
>
> The following example identifies a Cisco 12404 router that is running
> Cisco IOS XR Software Release 3.7.1:
>
> RP/0/0/CPU0:GSR#show version
>
> Cisco IOS XR Software, Version 3.7.1[00]
> Copyright (c) 2008 by Cisco Systems, Inc.
>
> ROM: System Bootstrap, Version 12.0(20051020:160303) SOFTWARE
> Copyright (c) 1994-2005 by cisco Systems, Inc.
>
> GSR uptime is 3 weeks, 6 days, 3 hours, 20 minutes
> System image file is "disk0:c12k-os-mbi-3.7.1/mbiprp-rp.vm"
>
> cisco 12404/PRP (7457) processor with 2097152K bytes of memory.
> 7457 processor at 1266Mhz, Revision 1.2
>
> 1 Cisco 12000 Series Performance Route Processor
> 1 Cisco 12000 Series - Multi-Service Blade Controller
> 1 1 Port ISE Packet Over SONET OC-48c/STM-16 Controller (1 POS)
> 1 Cisco 12000 Series SPA Interface Processor-601/501/401
> 3 Ethernet/IEEE 802.3 interface(s)
> 1 SONET/SDH Port controller(s)
> 1 Packet over SONET/SDH network interface(s)
> 4 PLIM QoS controller(s)
> 8 FastEthernet/IEEE 802.3 interface(s)
> 1016k bytes of non-volatile configuration memory.
> 1000496k bytes of disk0: (Sector size 512 bytes).
> 65536k bytes of Flash internal SIMM (Sector size 256k).
>
> Configuration register on node 0/0/CPU0 is 0x2102
> Boot device on node 0/0/CPU0 is disk0:
>
>
> !--- output truncated
>
> Additional information about Cisco IOS XR Software release naming
> conventions is available in the "White Paper: Cisco IOS Reference
> Guide" at the following link:
>
> http://www.cisco.com/web/about/security/intelligence/ios-ref.html#9
>
> Additional information about Cisco IOS XR Software time-based release
> model is available in the "White Paper: Guidelines for Cisco IOS XR
> Software" at the following link:
>
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8803/ps5845/product_bulletin_c25-478699.html
>
> BGP is configured in Cisco IOS XR Software with the configuration
> command "router bgp [AS Number]" or "router bgp [X.Y]". The device is
> vulnerable if it is running an affected Cisco IOS XR Software version
> and has BGP configured.
>
> The following example shows a Cisco IOS XR Software device configured
> with BGP:
>
> RP/0/0/CPU0:GSR#show running-config | begin router bgp
> Building configuration...
> router bgp 65535
>  bgp router-id 192.168.0.1
>  address-family ipv4 unicast
>   network 192.168.1.1/32
>  !
>  address-family vpnv4 unicast
>  !
>  neighbor 192.168.2.1
>   remote-as 65534
>   update-source Loopback0
>   address-family ipv4 unicast
>   !
>
>
> !--- output truncated
>
> Products Confirmed Not Vulnerable
> +--------------------------------
>
> The following Cisco products are confirmed not vulnerable:
>
> * Cisco IOS Software
> * Cisco IOS XR Software not configured for BGP routing
>
> No other Cisco products are currently known to be affected by these
> vulnerabilities.
>
> Details
> =======
>
> This vulnerability affects Cisco IOS XR devices running affected
> software versions and configured with the BGP routing feature.
>
> The vulnerability manifests itself when a BGP peer announces a prefix
> with a specific, valid but unrecognized transitive attribute. On
> receipt of this prefix, the Cisco IOS XR device will corrupt the
> attribute before sending it to the neighboring devices. Neighboring
> devices that receive this corrupted update may reset the BGP peering
> session.
>
> Affected devices running Cisco IOS XR Software corrupt the
> unrecognized attribute before sending to neighboring devices, but
> neighboring devices may be running operating systems other than Cisco
> IOS XR Software and may still reset the BGP peering session after
> receiving the corrupted update. This is per RFC 4271 that defines the
> operation of BGP.
>
> After an affected device running Cisco IOS XR Software sends a
> corrupted update, it will receive a notification from the neighboring
> router and will create a log message like the following example:
>
> bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 172.16.1.251 Down - BGP Notification received: update malformed
>
> This vulnerability is documented in Cisco Bug ID CSCti62211 and has
> been assigned Common Vulnerabilities and Exposures (CVE) ID
> CVE-2010-3035.
>
> Vulnerability Scoring Details
> =============================
>
> Cisco has provided scores for the vulnerabilities in this advisory
> based on the Common Vulnerability Scoring System (CVSS). The CVSS
> scoring in this Security Advisory is done in accordance with CVSS
> version 2.0.
>
> CVSS is a standards-based scoring method that conveys vulnerability
> severity and helps determine urgency and priority of response.
>
> Cisco has provided a base and temporal score. Customers can then
> compute environmental scores to assist in determining the impact of
> the vulnerability in individual networks.
>
> Cisco has provided an FAQ to answer additional questions regarding
> CVSS at:
>
> http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
>
> Cisco has also provided a CVSS calculator to help compute the
> environmental impact for individual networks at:
>
> http://intellishield.cisco.com/security/alertmanager/cvss
>
> CSCti62211 - BGP flaps due to unknown attribute
>
> CVSS Base Score - 5
>
> Access Vector - Network
> Access Complexity - Low
> Authentication - None
> Confidentiality Impact - None
> Integrity Impact - None
> Availability Impact - Partial
>
> CVSS Temporal Score - 4.8
>
> Exploitability - Functional
> Remediation Level - Unavailable
> Report Confidence - Confirmed
>
> Impact
> ======
>
> Successful exploitation of these vulnerabilities may result in the
> continuous resetting of BGP peering sessions. This may lead to
> routing inconsistencies and a denial of service for those affected
> networks.
>
> Software Versions and Fixes
> ===========================
>
> When considering software upgrades, also consult:
>
> http://www.cisco.com/go/psirt
>
> and any subsequent advisories to determine exposure and a complete
> upgrade solution.
>
> In all cases, customers should exercise caution to be certain the
> devices to be upgraded contain sufficient memory and that current
> hardware and software configurations will continue to be supported
> properly by the new release. If the information is not clear, contact
> the Cisco Technical Assistance Center (TAC) or your contracted
> maintenance provider for assistance.
>
> +-------------------------------------------------------------------+
> | Cisco IOS XR | SMU ID | SMU | Requires |
> | Version | | Name | Reload |
> |---------------+------------------------------+-------+------------|
> | 3.4.0 | Vulnerable; Migrate to 3.4.3 | | |
> | | and apply a SMU | | |
> |---------------+------------------------------+-------+------------|
> | 3.4.1 | SMU will be available on | | |
> | | 2010-Sep-9 | | |
> |---------------+------------------------------+-------+------------|
> | 3.4.2 | SMU will be available on | | |
> | | 2010-Sep-9 | | |
> |---------------+------------------------------+-------+------------|
> | 3.4.3 | SMU will be available on | | |
> | | 2010-Sep-5 | | |
> |---------------+------------------------------+-------+------------|
> | 3.5.2 | SMU will be available on | | |
> | | 2010-Sep-5 | | |
> |---------------+------------------------------+-------+------------|
> | 3.5.3 | SMU will be available on | | |
> | | 2010-Sep-9 | | |
> |---------------+------------------------------+-------+------------|
> | 3.5.4 | SMU will be available on | | |
> | | 2010-Sep-5 | | |
> |---------------+------------------------------+-------+------------|
> | 3.6.0 | SMU will be available on | | |
> | | 2010-Sep-9 | | |
> |---------------+------------------------------+-------+------------|
> | 3.6.1 | SMU will be available on | | |
> | | 2010-Sep-3 | | |
> |---------------+------------------------------+-------+------------|
> | 3.6.2 | SMU will be available on | | |
> | | 2010-Aug-30 | | |
> |---------------+------------------------------+-------+------------|
> | 3.6.3 | SMU will be available on | | |
> | | 2010-Sep-3 | | |
> |---------------+------------------------------+-------+------------|
> | 3.7.0 | SMU will be available on | | |
> | | 2010-Sep-9 | | |
> |---------------+------------------------------+-------+------------|
> | 3.7.1 | SMU will be available on | | |
> | | 2010-Sep-1 | | |
> |---------------+------------------------------+-------+------------|
> | 3.7.2 | SMU will be available on | | |
> | | 2010-Sep-3 | | |
> |---------------+------------------------------+-------+------------|
> | 3.7.3 | SMU will be available on | | |
> | | 2010-Sep-3 | | |
> |---------------+------------------------------+-------+------------|
> | 3.8.0 | SMU will be available on | | |
> | | 2010-Sep-3 | | |
> |---------------+------------------------------+-------+------------|
> | 3.8.1 | SMU will be available on | | |
> | | 2010-Sep-3 | | |
> |---------------+------------------------------+-------+------------|
> | 3.8.2 | SMU will be available on | | |
> | | 2010-Aug-30 | | |
> |---------------+------------------------------+-------+------------|
> | 3.8.3 | SMU will be available on | | |
> | | 2010-Sep-1 | | |
> |---------------+------------------------------+-------+------------|
> | 3.8.4 | SMU will be available on | | |
> | | 2010-Aug-28 | | |
> |---------------+------------------------------+-------+------------|
> | 3.9.0 | SMU will be available on | | |
> | | 2010-Sep-1 | | |
> |---------------+------------------------------+-------+------------|
> | 3.9.1 | SMU will be available on | | |
> | | 2010-Aug-28 | | |
> +-------------------------------------------------------------------+
>
> Workarounds
> ===========
>
> There are no workarounds to proactively mitigate this vulnerability.
> If a route flap is observed, the prefix with the unrecognized
> attribute can be filtered. For further information on filtering on
> Cisco IOS XR Software, please consult the document "Implementing
> Routing Policy on Cisco IOS XR Software" at the following link:
>
> http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.0/routing/configuration/guide/rc3rpl.html#wp1118699
>
> Obtaining Fixed Software
> ========================
>
> Cisco is releasing free software updates that address these
> vulnerabilities. Prior to deploying software, customers should
> consult their maintenance provider or check the software for feature
> set compatibility and known issues specific to their environment.
>
> Customers may only install and expect support for the feature sets
> they have purchased. By installing, downloading, accessing or
> otherwise using such software upgrades, customers agree to be bound
> by the terms of Cisco's software license terms found at:
>
> http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
>
> or as otherwise set forth at Cisco.com Downloads at:
>
> http://www.cisco.com/public/sw-center/sw-usingswc.shtml
>
> Do not contact psirt@cisco.com or security-alert@cisco.com for
> software upgrades.
>
> Customers with Service Contracts
> +-------------------------------
>
> Customers with contracts should obtain upgraded software through
> their regular update channels. For most customers, this means that
> upgrades should be obtained through the Software Center on Cisco's
> worldwide website at:
>
> http://www.cisco.com
>
> Customers using Third Party Support Organizations
> +------------------------------------------------
>
> Customers whose Cisco products are provided or maintained through
> prior or existing agreements with third-party support organizations,
> such as Cisco Partners, authorized resellers, or service providers
> should contact that support organization for guidance and assistance
> with the appropriate course of action in regards to this advisory.
>
> The effectiveness of any workaround or fix is dependent on specific
> customer situations, such as product mix, network topology, traffic
> behavior, and organizational mission. Due to the variety of affected
> products and releases, customers should consult with their service
> provider or support organization to ensure any applied workaround or
> fix is the most appropriate for use in the intended network before it
> is deployed.
>
> Customers without Service Contracts
> +----------------------------------
>
> Customers who purchase direct from Cisco but do not hold a Cisco
> service contract, and customers who purchase through third-party
> vendors but are unsuccessful in obtaining fixed software through
> their point of sale should acquire upgrades by contacting the Cisco
> Technical Assistance Center (TAC). TAC contacts are as follows.
>
> * +1 800 553 2447 (toll free from within North America)
> * +1 408 526 7209 (toll call from anywhere in the world)
> * e-mail: tac@cisco.com
>
> Customers should have their product serial number available and be
> prepared to give the URL of this notice as evidence of entitlement to
> a free upgrade. Free upgrades for non-contract customers must be
> requested through the TAC.
>
> Refer to:
>
> http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
>
> for additional TAC contact information, including localized telephone
> numbers, and instructions and e-mail addresses for use in various
> languages.
>
> Exploitation and Public Announcements
> =====================================
>
> An advertisement of an unrecognized but valid BGP attribute resulted
> in resetting of several BGP neighbors on 27 August 2010. This
> advertisement was not malicious but inadvertently triggered this
> vulnerability.
>
> The Cisco PSIRT is not aware of malicious use of the vulnerability
> described in this advisory.
>
> Status of this Notice: INTERIM
> ==============================
>
> THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
> KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
> MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
> INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
> AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
> DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW
> INFORMATION BECOMES AVAILABLE.
>
> A stand-alone copy or paraphrase of the text of this document that
> omits the distribution URL in the following section is an
> uncontrolled copy, and may lack important information or contain
> factual errors.
>
> Distribution
> ============
>
> This advisory is posted on Cisco's worldwide website at:
>
> http://www.cisco.com/warp/public/707/cisco-sa-20100827-bgp.shtml
>
> In addition to worldwide web posting, a text version of this notice
> is clear-signed with the Cisco PSIRT PGP key and is posted to the
> following e-mail and Usenet news recipients.
>
> * cust-security-announce@cisco.com
> * first-bulletins@lists.first.org
> * bugtraq@securityfocus.com
> * vulnwatch@vulnwatch.org
> * cisco@spot.colorado.edu
> * cisco-nsp@puck.nether.net
> * full-disclosure@lists.grok.org.uk
> * comp.dcom.sys.cisco@newsgate.cisco.com
>
> Future updates of this advisory, if any, will be placed on Cisco's
> worldwide website, but may or may not be actively announced on
> mailing lists or newsgroups. Users concerned about this problem are
> encouraged to check the above URL for any updates.
>
> Revision History
> ================
>
> +---------------------------------------------------------------+
> | Revision 1.0 | 2010-August-27 | Initial public release |
> +---------------------------------------------------------------+
>
> Cisco Security Procedures
> =========================
>
> Complete information on reporting security vulnerabilities in Cisco
> products, obtaining assistance with security incidents, and
> registering to receive security information from Cisco, is available
> on Cisco's worldwide website at:
>
> http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
>
> This includes instructions for press inquiries regarding Cisco
> security notices. All Cisco security advisories are available at:
>
> http://www.cisco.com/go/psirt
> -----BEGIN PGP SIGNATURE-----
>
> iD8DBQFMeEy786n/Gc8U/uARAqyeAJ9HEbSnJ9yCTiKU6HxbWnuEL1wicQCfRKdZ
> kv4pt8GHYDABNcIjbvGHYso=
> =mbwY
> -----END PGP SIGNATURE-----
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
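The Details section of the forwarded advisory describes two halves of one failure: a speaker that corrupts an unrecognized transitive attribute when it re-advertises the prefix, and a neighbor that, following RFC 4271, answers the malformed UPDATE with a NOTIFICATION and drops the session. The Python below is an added example, not code from the advisory or from Cisco. It parses a BGP Path Attributes field, applies the RFC 4271 section 9 propagation rules (pass an unknown optional transitive attribute on intact with the Partial bit set, drop an unknown optional non-transitive one, reject an unknown well-known one), and shows the receiving side's UPDATE Message Error (code 3) when the re-advertised bytes are malformed. The attribute type code 200, the sample ORIGIN/AS_PATH/NEXT_HOP values and the particular corruption modelled (a length byte that overruns the field) are constructed for the example; the advisory does not say what IOS XR actually changed in the attribute.

```python
"""Added example, not code from the Cisco advisory or from Cisco: RFC 4271 handling of an
unrecognized transitive path attribute, and the neighbor-side error that resets the session."""
import struct
from dataclasses import dataclass

FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_PARTIAL, FLAG_EXT_LEN = 0x80, 0x40, 0x20, 0x10  # RFC 4271 4.3
KNOWN_TYPES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP"}  # all this toy speaker recognizes
UPDATE_MESSAGE_ERROR = 3  # NOTIFICATION error code (RFC 4271 6.3); the subcodes used below:
SUB_UNRECOGNIZED_WELL_KNOWN, SUB_ATTR_FLAGS_ERROR, SUB_ATTR_LENGTH_ERROR = 2, 4, 5


class UpdateError(Exception):
    # Raised where a real speaker would send NOTIFICATION (code 3, subcode) and close the session
    def __init__(self, subcode: int, msg: str):
        super().__init__(msg)
        self.subcode = subcode


@dataclass
class PathAttr:
    flags: int
    type_code: int
    value: bytes


def parse_path_attrs(buf: bytes) -> list[PathAttr]:
    """Parse an UPDATE's Path Attributes field, rejecting the malformations a receiver must."""
    attrs, i = [], 0
    while i < len(buf):
        hdr = 4 if buf[i] & FLAG_EXT_LEN else 3  # Extended Length flag => 2-byte length field
        if len(buf) - i < hdr:
            raise UpdateError(SUB_ATTR_LENGTH_ERROR, "truncated attribute header")
        flags, type_code = buf[i], buf[i + 1]
        length = struct.unpack_from("!H", buf, i + 2)[0] if hdr == 4 else buf[i + 2]
        if i + hdr + length > len(buf):
            raise UpdateError(SUB_ATTR_LENGTH_ERROR, f"type {type_code}: length {length} overruns field")
        # Well-known attributes must be Transitive and never Optional or Partial
        if type_code in KNOWN_TYPES and (flags & (FLAG_OPTIONAL | FLAG_PARTIAL) or not flags & FLAG_TRANSITIVE):
            raise UpdateError(SUB_ATTR_FLAGS_ERROR, f"type {type_code}: bad flags {flags:#x}")
        attrs.append(PathAttr(flags, type_code, buf[i + hdr:i + hdr + length]))
        i += hdr + length
    return attrs


def attrs_to_propagate(attrs: list[PathAttr]) -> list[PathAttr]:
    """RFC 4271 section 9: forward an unrecognized optional transitive attribute intact with the
    Partial bit set, quietly drop an unrecognized optional non-transitive one, reject an unknown
    well-known one."""
    out = []
    for a in attrs:
        if a.type_code in KNOWN_TYPES:
            out.append(a)
        elif not a.flags & FLAG_OPTIONAL:
            raise UpdateError(SUB_UNRECOGNIZED_WELL_KNOWN, f"unknown well-known type {a.type_code}")
        elif a.flags & FLAG_TRANSITIVE:
            out.append(PathAttr(a.flags | FLAG_PARTIAL, a.type_code, a.value))
    return out


def encode_attrs(attrs: list[PathAttr]) -> bytes:
    """Re-encode attributes, using the Extended Length form only when the value needs it."""
    out = bytearray()
    for a in attrs:
        if len(a.value) > 255:
            out += bytes([a.flags | FLAG_EXT_LEN, a.type_code]) + struct.pack("!H", len(a.value))
        else:
            out += bytes([a.flags & ~FLAG_EXT_LEN & 0xFF, a.type_code, len(a.value)])
        out += a.value
    return bytes(out)


def neighbor_receives(buf: bytes):
    """Neighbor's view: ("accept", type codes it would propagate) or ("NOTIFICATION", (code, subcode))."""
    try:
        return ("accept", [a.type_code for a in attrs_to_propagate(parse_path_attrs(buf))])
    except UpdateError as e:
        return ("NOTIFICATION", (UPDATE_MESSAGE_ERROR, e.subcode))


def sample_update_attrs() -> bytes:
    """Constructed sample: ORIGIN, AS_PATH, NEXT_HOP and an unrecognized optional transitive type 200."""
    origin = bytes([0x40, 1, 1, 0])                                         # ORIGIN = IGP
    as_path = bytes([0x40, 2, 6, 2, 2]) + struct.pack("!HH", 65534, 65001)  # AS_SEQUENCE of 2 ASNs
    next_hop = bytes([0x40, 3, 4, 192, 0, 2, 1])
    unknown = bytes([0xC0, 200, 4]) + b"\xde\xad\xbe\xef"                  # Optional|Transitive
    return origin + as_path + next_hop + unknown


def readvertise(buf: bytes) -> bytes:
    """Correct behaviour: the unknown transitive attribute goes out intact with Partial set."""
    return encode_attrs(attrs_to_propagate(parse_path_attrs(buf)))


def corrupt_readvertise(buf: bytes) -> bytes:
    """Hypothetical faulty speaker (constructed; the advisory does not say what IOS XR changed):
    the unknown attribute is sent with a length byte two too large, so it overruns the field."""
    out = bytearray()
    for a in attrs_to_propagate(parse_path_attrs(buf)):
        if a.type_code in KNOWN_TYPES:
            out += encode_attrs([a])
        else:
            out += bytes([a.flags, a.type_code, len(a.value) + 2]) + a.value
    return bytes(out)


if __name__ == "__main__":
    src = sample_update_attrs()
    print("healthy:", neighbor_receives(readvertise(src)), "| affected:", neighbor_receives(corrupt_readvertise(src)))
```

The point the advisory makes about "per RFC 4271" is visible in `neighbor_receives`: the neighbor has no way to know the attribute was damaged in transit by a well-meaning peer, so the only compliant reaction to the overrun is the NOTIFICATION and a session reset, which is why a non-IOS XR neighbor is the one that flaps.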
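The log message quoted in the advisory's Details section is what an affected IOS XR device records each time a neighbor tears the session down, and the Impact section warns that this can become continuous resetting. As an added example (not from the advisory or from Cisco), the Python below runs a flap detector over a few constructed syslog lines in that format: it parses ADJCHANGE Down events, keeps a sliding window per (router, neighbor), and reports any neighbor reset with "update malformed" at least three times within ten minutes. The timestamp/hostname prefix, the router names, the peer addresses, the "Up" and "hold time expired" lines, and the window and threshold values are all assumptions made for the example.

```python
"""Added example, not from the Cisco advisory: flag a BGP neighbor that keeps being reset with
'update malformed', from IOS XR ADJCHANGE syslog lines in the format the advisory quotes."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Message body as in the advisory's example; the "Mon DD HH:MM:SS host" prefix is an assumed
# syslog-relay format, not something the advisory shows.
ADJCHANGE_DOWN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) bgp\[\d+\]: "
    r"%ROUTING-BGP-5-ADJCHANGE : neighbor (?P<peer>\S+) Down - "
    r"BGP Notification received: (?P<reason>.+?)\s*$")


def parse_down_event(line: str, year: int = 2010):
    """Return (timestamp, host, peer, reason) for an ADJCHANGE Down line, else None."""
    m = ADJCHANGE_DOWN.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["peer"], m["reason"]


def find_flapping_peers(lines, window_minutes=10, threshold=3, reason="update malformed"):
    """Per (host, peer) sliding window: report peers reset with `reason` at least `threshold`
    times inside any `window_minutes` span, with the peak count seen. Both values are assumptions."""
    window = timedelta(minutes=window_minutes)
    recent, flapping = defaultdict(deque), {}
    for line in lines:
        ev = parse_down_event(line)
        if ev is None or ev[3] != reason:
            continue
        ts, host, peer, _ = ev
        q = recent[(host, peer)]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window (q is never empty here)
            q.popleft()
        if len(q) >= threshold:
            flapping[(host, peer)] = max(flapping.get((host, peer), 0), len(q))
    return flapping


# Constructed sample log: hostnames, addresses, times and the Up / hold-timer lines are made up;
# only the "Down - BGP Notification received: update malformed" text comes from the advisory.
SAMPLE_LOG = """\
Aug 27 20:05:01 rtr1 bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 172.16.1.251 Down - BGP Notification received: update malformed
Aug 27 20:05:40 rtr1 bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 172.16.1.251 Up
Aug 27 20:06:12 rtr1 bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 172.16.1.251 Down - BGP Notification received: update malformed
Aug 27 20:06:40 rtr1 bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 172.16.1.252 Down - BGP Notification received: hold time expired
Aug 27 20:07:55 rtr1 bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 172.16.1.251 Down - BGP Notification received: update malformed
Aug 27 21:30:00 rtr2 bgp[122]: %ROUTING-BGP-5-ADJCHANGE : neighbor 10.1.1.1 Down - BGP Notification received: update malformed
"""

if __name__ == "__main__":
    for (host, peer), n in find_flapping_peers(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: neighbor {peer} reset {n} times with 'update malformed' within 10 minutes")
```

Filtering on the notification reason matters: a single "update malformed" can be noise, but the same neighbor hitting it repeatedly is the signature of this advisory, and the peer named in the log is the one that should be inspected for the prefix carrying the unrecognized attribute so it can be filtered as the Workarounds section suggests.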