Cisco Nexus 3000 and 9000 Series Switches Border Gateway Protocol Denial of Service Vulnerability

cisco-sa-bgp-iefab-3hb2pwtx · Medium


A vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial of service (DoS) condition. This vulnerability is due to incorrect parsing of a transitive BGP attribute. An attacker could exploit this vulnerability by sending a crafted BGP update through an established BGP peer session. If the update propagates to an affected device, it could cause the device to drop the BGP session and flap with the BGP peer that is forwarding this update, resulting in a DoS condition. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgp-iefab-3hb2pwtx

Workarounds

There are two workarounds that address this vulnerability. If an affected device does not need to use the ATTR_SET attribute to carry customer edge (CE) attributes across the ISP network, RFC 6368 states that it is an optional attribute that can be discarded.

To discard the attribute while still adding or updating the prefixes contained in the update in the routing table, add the path-attribute discard 128 in configuration command under the configuration of the neighbor that is sending it, as shown in the following example:

router bgp 64550
  neighbor 10.0.0.2
    path-attribute discard 128 in

Alternatively, to discard the attribute and remove the prefixes contained in the update from the routing table, add the path-attribute treat-as-withdraw 128 in configuration command under the configuration of the neighbor that is sending it, as shown in the following example:

router bgp 64550
  neighbor 10.0.0.2
    path-attribute treat-as-withdraw 128 in
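As an added illustration that is not part of the Cisco advisory, the following Python models what the two workarounds do to an inbound UPDATE that carries ATTR_SET (type code 128): discard strips the attribute and keeps the announced prefixes, treat-as-withdraw turns those prefixes into withdrawals (the RFC 7606 semantics NX-OS applies). The sample UPDATE is constructed inline, is well formed, and assumes 2-byte AS encoding in AS_PATH.

```python
import struct
ATTR_SET = 128  # RFC 6368 ATTR_SET type code, the attribute both workarounds act on

def decode_prefixes(buf: bytes) -> list:
    """Decode the (length, prefix) encoding used for NLRI and withdrawn routes."""
    out, off = [], 0
    while off < len(buf):
        plen, nbytes = buf[off], (buf[off] + 7) // 8
        octets = buf[off + 1:off + 1 + nbytes].ljust(4, b"\x00")
        out.append(".".join(str(b) for b in octets) + f"/{plen}")
        off += 1 + nbytes
    return out

def parse_attrs(buf: bytes) -> list:
    """Split the path-attribute field into (flags, type code, value) tuples."""
    attrs, off = [], 0
    while off < len(buf):
        flags, code = buf[off], buf[off + 1]
        if flags & 0x10:  # extended-length flag: 2-byte length field
            length, hdr = struct.unpack("!H", buf[off + 2:off + 4])[0], 4
        else:
            length, hdr = buf[off + 2], 3
        attrs.append((flags, code, buf[off + hdr:off + hdr + length]))
        off += hdr + length
    return attrs

def apply_policy(body: bytes, policy: str) -> dict:
    """Model 'path-attribute discard 128 in' / 'treat-as-withdraw 128 in' on an UPDATE body."""
    wd_len = struct.unpack("!H", body[:2])[0]
    withdrawn = body[2:2 + wd_len]
    pa_len = struct.unpack("!H", body[2 + wd_len:4 + wd_len])[0]
    attrs = parse_attrs(body[4 + wd_len:4 + wd_len + pa_len])
    nlri = body[4 + wd_len + pa_len:]
    if any(code == ATTR_SET for _, code, _ in attrs):
        if policy == "discard":  # strip the attribute, still install the prefixes
            attrs = [a for a in attrs if a[1] != ATTR_SET]
        elif policy == "treat-as-withdraw":  # RFC 7606: the prefixes become withdrawals
            withdrawn, attrs, nlri = withdrawn + nlri, [], b""
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return {"withdrawn": decode_prefixes(withdrawn),
            "attr_codes": [code for _, code, _ in attrs], "nlri": decode_prefixes(nlri)}

def attr(flags: int, code: int, value: bytes) -> bytes:
    return bytes([flags, code, len(value)]) + value

# Constructed sample: ORIGIN, AS_PATH (AS 64550), NEXT_HOP 10.0.0.2, a well-formed ATTR_SET
# (origin AS 64550 + inner ORIGIN) and one announced prefix, 192.0.2.0/24.
SAMPLE_ATTRS = (attr(0x40, 1, b"\x00") + attr(0x40, 2, b"\x02\x01\xfc\x26") + attr(0x40, 3, bytes([10, 0, 0, 2]))
                + attr(0xC0, ATTR_SET, b"\x00\x00\xfc\x26" + attr(0x40, 1, b"\x00")))
SAMPLE_UPDATE = b"\x00\x00" + struct.pack("!H", len(SAMPLE_ATTRS)) + SAMPLE_ATTRS + bytes([24, 192, 0, 2])
```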

There is also a mitigation. To disable the enforce-first-as global BGP feature on the provider edge (PE) that is receiving the ATTR_SET attribute, configure the no enforce-first-as command, as shown in the following example. This will disable first Autonomous System Number (ASN) checking.

router bgp 64550
  no enforce-first-as

Note: Changing default BGP behavior on Cisco NX-OS Software by disabling this feature will prevent BGP from bringing down a peer adjacency if it receives an unexpected first Autonomous System (AS) in AS_PATH, weakening a security mechanism. To apply this policy change, BGP peers will need to be reset.

While these workarounds and this mitigation have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

CVEs: CVE-2026-20171
Cisco Bug IDs: CSCwr23951
CVSS Score: Base 6.8
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
