Cisco Nexus 3000
cpe:2.3:h:cisco:nexus_3000:*:*:*:*:*:*:*, +1 more
A denial-of-service vulnerability has been identified in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode. This vulnerability allows an unauthenticated, remote attacker to trigger BGP peer flaps, causing the device to drop and re-establish BGP sessions, which can disrupt network stability. The issue arises from incorrect parsing of a transitive BGP attribute, enabling exploitation by sending a crafted BGP update through an established BGP peer session.
Exploitation of this vulnerability leads to BGP peer flapping, causing the device to drop and re-establish BGP sessions with peers, which can disrupt network routing and stability.
Cisco has released software updates to address this vulnerability. For devices that do not need to use the ATTR_SET attribute to carry customer edge attributes across the ISP network, RFC 6368 allows this optional attribute to be discarded. To disable the enforce-first-as global BGP feature on the provider edge that is receiving the ATTR_SET attribute, the no enforce-first-as command can be used. Customers should consult the Cisco Software Checker tool to determine the best release for their devices.
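Because the observable symptom on an affected device is repeated BGP session drops and re-establishments, a practical detection control is to watch syslog for adjacency changes and alert when one peer goes down several times in a short window. The script below is an added example for this page, not Cisco's code or part of the advisory: the log lines are constructed in a format modelled on NX-OS "%BGP-5-ADJCHANGE" messages (the exact field layout, VRF token and the 10-minute / 3-event thresholds are assumptions chosen for illustration), and the logic is a sliding-window count of "Down" events per (host, VRF, peer).

```python
"""Flag BGP peers that flap repeatedly, from NX-OS-style syslog lines.

Added example (not from the advisory). The message layout is an assumption
modelled on NX-OS %BGP-5-ADJCHANGE logs; sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout: "<ISO timestamp> <host> %BGP-5-ADJCHANGE: bgp-<asn> [<pid>]
#                  (<vrf>) neighbor <peer> Up|Down[ - reason]"
ADJCHANGE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+%BGP-5-ADJCHANGE:\s+bgp-(?P<asn>\d+)\s+\[\d+\]\s+"
    r"\((?P<vrf>[^)]+)\)\s+neighbor\s+(?P<peer>\S+)\s+(?P<state>Up|Down)"
)

# Constructed sample log: peer 192.0.2.1 drops three times in under five
# minutes; peer 192.0.2.2 drops once; one unrelated line is mixed in.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 switch1 %BGP-5-ADJCHANGE: bgp-65000 [1234] (default) neighbor 192.0.2.1 Up",
    "2024-05-01T10:01:10 switch1 %BGP-5-ADJCHANGE: bgp-65000 [1234] (default) neighbor 192.0.2.1 Down - holddown expired",
    "2024-05-01T10:01:40 switch1 %BGP-5-ADJCHANGE: bgp-65000 [1234] (default) neighbor 192.0.2.1 Up",
    "2024-05-01T10:02:00 switch1 %ETHPORT-5-IF_UP: Interface Ethernet1/1 is up",
    "2024-05-01T10:03:05 switch1 %BGP-5-ADJCHANGE: bgp-65000 [1234] (default) neighbor 192.0.2.1 Down - holddown expired",
    "2024-05-01T10:03:35 switch1 %BGP-5-ADJCHANGE: bgp-65000 [1234] (default) neighbor 192.0.2.1 Up",
    "2024-05-01T10:04:50 switch1 %BGP-5-ADJCHANGE: bgp-65000 [1234] (default) neighbor 192.0.2.1 Down - holddown expired",
    "2024-05-01T10:05:00 switch1 %BGP-5-ADJCHANGE: bgp-65000 [1234] (default) neighbor 192.0.2.2 Down - admin shutdown",
    "2024-05-01T10:05:20 switch1 %BGP-5-ADJCHANGE: bgp-65000 [1234] (default) neighbor 192.0.2.1 Up",
]


def parse_adjchange(line):
    """Parse one adjacency-change line; return a dict or None if it is not one."""
    m = ADJCHANGE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
    return event


def find_flapping_peers(lines, window=timedelta(minutes=10), threshold=3):
    """Return {(host, vrf, peer): peak Down count in window} for peers that
    reached `threshold` Down events inside any `window`-long span.

    Lines are expected in chronological order, as syslog delivers them.
    """
    recent_downs = defaultdict(deque)  # key -> timestamps of recent Down events
    flapping = {}
    for line in lines:
        event = parse_adjchange(line)
        if event is None or event["state"] != "Down":
            continue
        key = (event["host"], event["vrf"], event["peer"])
        q = recent_downs[key]
        q.append(event["ts"])
        # Drop Down events that fell out of the sliding window.
        while q and event["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flapping[key] = max(flapping.get(key, 0), len(q))
    return flapping


if __name__ == "__main__":
    for (host, vrf, peer), downs in find_flapping_peers(SAMPLE_LOG).items():
        print(f"{host} vrf={vrf} peer={peer}: {downs} drops within window - investigate")
```

In production the same function would be fed from a syslog collector, and a hit is a cue to check the peer's received updates and the device's software version against the fixed release rather than an alert on its own.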