Cisco IOS XR Software for ASR 9000 Series Routers Bidirectional Forwarding Detection Denial of Service Vulnerability

Advisory ID: cisco-sa-bfd-XmRescbT · Severity: High

A vulnerability in the bidirectional forwarding detection (BFD) hardware offload feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers, ASR 9902 Compact High-Performance Routers, and ASR 9903 Compact High-Performance Routers could allow an unauthenticated, remote attacker to cause a line card to reset, resulting in a denial of service (DoS) condition.

This vulnerability is due to the incorrect handling of malformed BFD packets that are received on line cards where the BFD hardware offload feature is enabled. An attacker could exploit this vulnerability by sending a crafted IPv4 BFD packet to an affected device. A successful exploit could allow the attacker to cause line card exceptions or a hard reset, resulting in loss of traffic over that line card while the line card reloads.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bfd-XmRescbT

This advisory is part of the March 2023 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: March 2023 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication.

Workarounds

There is a workaround and a mitigation that address this vulnerability.

The only workaround that fully mitigates this vulnerability is disabling BFD hardware offload. Creating Infrastructure Access Control Lists (iACLs) is a mitigation that only limits the attack surface.

Disable BFD Hardware Offload

To disable BFD hardware offload, remove any hw-module bfd-hw-offload enable commands and reload the affected line card, as shown in the following example:

RP/0/RSP0/CPU0:ASR9006#config terminal
Wed Mar 8 16:00:00.000 UTC
RP/0/RSP0/CPU0:ASR9006(config)#no hw-module bfd-hw-offload enable location 0/2/CPU0
RP/0/RSP0/CPU0:ASR9006(config)#commit
RP/0/RSP0/CPU0:ASR9006(config)#end
RP/0/RSP0/CPU0:ASR9006#hw-module subslot 0/2/CPU0 reload

Create Infrastructure Access Control Lists

While iACLs limit the attack surface, they do not prevent exploitation from allowed peers and are subject to spoofing.

The following example shows an iACL that allows only infrastructure BFD peers (where 192.0.2.x/24 is the infrastructure address space):

RP/0/RSP0/CPU0:ASR9006# show running-config ipv4 access-list
ipv4 access-list BFD_DROP
5 remark * Make sure to Allow Legitimate BFD peers *
10 permit udp 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255 eq bfd
11 remark * Depending on BFD deployment may need *
12 permit udp 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 4784
13 permit udp 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 6784
15 remark * Drop all other attempts to the infrastructure address space *
20 deny udp any 192.0.2.0 0.0.0.255 eq bfd
30 permit ipv4 any any
!
RP/0/RSP0/CPU0:ASR9006#

Apply this iACL to all exposed interfaces.

The following example shows an iACL that allows only BFD packets with a Time to Live (TTL) of 255 (the value expected for single-hop sessions):

RP/0/RSP0/CPU0:ASR9006# show running-config ipv4 access-list
ipv4 access-list BFD_DROP_TTL
5 remark * Drop based purely on TTL. Allow our Single Hop BFD sessions *
10 permit udp any 192.0.2.0 0.0.0.255 eq bfd ttl eq 255
11 remark * Depending on BFD deployment may need *
12 permit udp any 192.0.2.0 0.0.0.255 eq 4784 ttl eq 255
13 permit udp any 192.0.2.0 0.0.0.255 eq 6784 ttl eq 255
14 remark * You would need to tune the above two lines for multi-hop sessions *
15 remark * Deny anything else for BFD *
20 deny udp any any eq bfd ttl lt 255
21 remark * You would need to tune the above line for multi-hop sessions *
30 permit ipv4 any any
!
RP/0/RSP0/CPU0:ASR9006#

Apply this iACL to all exposed interfaces.
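To see what the two iACLs above actually admit and where their limits lie (they filter on source range or TTL only, so a packet forged with an infrastructure source address or a TTL of 255 is still permitted, as the text notes), here is an added example, not Cisco's code, that models IOS XR first-match ACL evaluation for the ACE forms used on this page and runs sample packets through abbreviated copies of BFD_DROP and BFD_DROP_TTL. It assumes all sample packets are IPv4/UDP and that the keyword bfd resolves to UDP port 3784.

```python
from ipaddress import IPv4Address
PORT_NAMES = {"bfd": 3784}  # IOS XR keyword for the single-hop BFD control port

# Abbreviated copies of the page's two iACLs (the 4784/6784 entries are omitted).
BFD_DROP = """
10 permit udp 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255 eq bfd
20 deny udp any 192.0.2.0 0.0.0.255 eq bfd
30 permit ipv4 any any
"""
BFD_DROP_TTL = """
10 permit udp any 192.0.2.0 0.0.0.255 eq bfd ttl eq 255
20 deny udp any any eq bfd ttl lt 255
30 permit ipv4 any any
"""

def _addr(tokens):
    """Consume 'any' or '<ip> <wildcard>' and return (network, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    return int(IPv4Address(tok)), int(IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Yield (action, proto, src, dst, port, ttl_cond) per ACE; headers and remarks are skipped."""
    for line in text.splitlines():
        t = line.split()
        if len(t) < 3 or t[1] not in ("permit", "deny"):
            continue
        action, proto, rest = t[1], t[2], t[3:]
        src, dst = _addr(rest), _addr(rest)  # evaluated left to right
        ttl_i = rest.index("ttl") if "ttl" in rest else len(rest)
        head, port, ttl = rest[:ttl_i], None, None
        if "eq" in head:  # the port match only, not 'ttl eq'
            p = head[head.index("eq") + 1]
            port = PORT_NAMES.get(p) or int(p)
        if ttl_i < len(rest):
            ttl = (rest[ttl_i + 1], int(rest[ttl_i + 2]))
        yield action, proto, src, dst, port, ttl

def _in(addr, spec):  # wildcard-mask match: set bits in the mask are don't-care
    return (int(IPv4Address(addr)) | spec[1]) == (spec[0] | spec[1])

def evaluate(acl_text, src, dst, dport, ttl=255):
    """First match wins; no match is the ACL's implicit deny. Packets are assumed IPv4/UDP."""
    for action, _proto, s, d, port, cond in parse_acl(acl_text):
        if (_in(src, s) and _in(dst, d)
                and (port is None or dport == port)
                and (cond is None or (ttl == cond[1] if cond[0] == "eq" else ttl < cond[1]))):
            return action
    return "deny"
```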

While this workaround and mitigation have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

CVEs: CVE-2023-20049
Cisco Bug IDs: CSCwc39336
CVSS Score: Base 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X)
Product Names From Source
Cisco IOS XR Software

CSAF Product Statuses

Product | Status | Source | CVE
Cisco IOS XR Software | known_affected | cisco_csaf | CVE-2023-20049

Related Products

Product | CVE | Evidence
Cisco ASR 9000 Series Aggregation Services Routers | CVE-2023-20049 | Cisco OpenVuln (family-level)
Cisco IOS XR Software | CVE-2023-20049 | Cisco OpenVuln
Cisco IOS | CVE-2023-20049 | Cisco OpenVuln
Cisco IOS Software | CVE-2023-20049 | Cisco OpenVuln