Cisco IOS XR Software Border Gateway Protocol Confederation Denial of Service Vulnerability
cisco-sa-iosxr-bgp-dos-O7stePhX · Medium · Published · Updated
A vulnerability in confederation implementation for the Border Gateway Protocol (BGP) in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to a memory corruption that occurs when a BGP update is created with an AS_CONFED_SEQUENCE attribute that has 255 autonomous system numbers (AS numbers). An attacker could exploit this vulnerability by sending a crafted BGP update message, or the network could be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more. A successful exploit could allow the attacker to cause memory corruption, which may cause the BGP process to restart, resulting in a DoS condition. To exploit this vulnerability, an attacker must control a BGP confederation speaker within the same autonomous system as the victim, or the network must be designed in such a manner that the AS_CONFED_SEQUENCE attribute grows to 255 AS numbers or more. Cisco has released software updates that address this vulnerability. There is a workaround that addresses this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-bgp-dos-O7stePhX This advisory is part of the March 2025 release of the Cisco IOS XR Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: March 2025 Semiannual Cisco IOS XR Software Security Advisory Bundled Publication.
There is a workaround that addresses this vulnerability. This vulnerability exists partly because the BGP AS_CONFED_SEQUENCE attribute is 255 AS numbers or greater. The workaround is to restrict this BGP attribute to 254 or fewer AS numbers. This can be accomplished by using a routing policy that drops BGP updates with long AS path lengths on the confederation peers:
route-policy max-asns
if as-path length ge 254 then
drop
else
pass
endif
end-policy
router bgp 64500
bgp confederation peers
64501
64502
!
bgp confederation identifier 64511 neighbor 192.168.0.1
remote-as 64501
address-family ipv4 unicast
policy max-asns in
policy max-asns out
While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.