Cisco Systems this week warned of several vulnerabilities in its IOS software that could be used by attackers to bring down routers in enterprise and service provider networks.
The three separate software flaws are related to Border Gateway Protocol (BGP), Multi Protocol Label Switching (MPLS) and IPv6. Two of the three bugs present the opportunity for an outside attacker to send a specially crafted packet, which would disrupt the router and cause it to reload. Attackers could use this technique repeatedly to mount a denial-of-service attack on the router.
Cisco has updated software available to fix the IOS problems. The company says it has no reports of any of the three bugs being used in an attack.
The MPLS-related flaw affects IOS software on access routers that can support MPLS but do not have the protocol turned on. The flaw could allow an attacker from outside the network to reset a router by sending a specially crafted MPLS packet to an interface on the router that is not enabled for MPLS. This attack could be repeated to take the router offline.
The affected IOS release trains are 12.1T, 12.2, 12.2T, 12.3 and 12.3T. These release trains must be installed on these products:
- 2600 and 2800 routers
- 3600, 3700 and 3800 routers
- 4500 and 4700 routers
- 5300, 5350 and 5400 series Access Servers
The second vulnerability affects routers configured to run IPv6. Cisco says a remote attacker could send modified IPv6 packets to an affected router to cause the device to reset. The vulnerability makes interfaces that support IPv6, as well as IPv6-to-IPv4 tunnel interfaces, open to an attack, the company says. The vulnerability only affects routers configured to support IPv6. All Cisco routers are capable of IPv6 support, but are not configured to support the protocol by default.
The BGP-related bug affects all IOS versions where BGP is supported (versions 9.x, 10.x, 11.x and 12.x). However, it is not possible for an outside attacker to exploit the flaw to attack a router. Cisco says only "malformed packets may not come from malicious sources," but only from other routers acting as trusted BGP routing peers on a network.
"The Cisco IOS implementation of BGP requires the explicit definition of a neighbor before a connection can be established," Cisco's advisory says. "These implementation details make it very difficult to maliciously send a BGP packet to a Cisco IOS device from an unauthorized source."
Router problems relating to the BGP flaw are more likely to come inadvertently from internal management traffic. Cisco says a BGP router with bad packets in its router queue could be reset if the device is sent either of two specific IOS commands: "show ip bgp neighbors" or "debug ip bgp <neighbor> updates." This would cause the router to reload and be offline for several minutes.
The BGP, IPv6 and MPLS vulnerabilities in IOS come a week after an IOS flaw was reported that affects Cisco access routers configured to support IP telephony and VoIP services.