Cisco IOS XR BGP Confederation Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in the Border Gateway Protocol (BGP) implementation of Cisco IOS XR Software. This issue arises from memory corruption when a BGP update includes an AS_CONFED_SEQUENCE attribute with 255 or more autonomous system numbers. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted BGP update or by manipulating the network to increase the AS_CONFED_SEQUENCE to 255 or more. Exploitation of this vulnerability could corrupt memory, causing the BGP process to crash and restart, leading to a denial-of-service condition.

Impact

Exploitation of this vulnerability causes the BGP process to crash and restart, disrupting BGP routing and potentially causing routing loops.

Reproduction

The vulnerability can be reproduced by configuring BGP confederation on a Cisco IOS XR router and using the AS-override feature to create an AS path that exceeds 254 AS numbers. This can be done by establishing BGP sessions with routers that are part of the same confederation and using AS-override to replace AS numbers in the BGP updates, effectively crafting an AS path that loops back to the originating router, causing the AS path length to increase indefinitely.

Remediation

Cisco has released patches for this vulnerability in IOS XR versions 24.3.1 and 24.2.21. For routers running IOS XR 7.11 or 24.1, customers should upgrade to a fixed release. SMUs are also available for this vulnerability.