A vulnerability in the parsing of crafted MPLS packets in Cisco IOS XR Software for ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, adjacent attacker to cause a lockup and eventual reload of a Network Processor (NP) chip and a line card processing traffic. The vulnerability is due to insufficient logic in parsing MPLS packets. An attacker could exploit this vulnerability by sending a stream of crafted MPLS packets to be routed by a BVI interface on the affected device. An exploit could allow the attacker to cause a lockup and eventual reload of an NP chip and a line card, leading to a denial of service (DoS) condition.
Only Typhoon-based line cards on Cisco ASR 9000 Series Aggregation Services Routers are affected by this vulnerability. The exposed forwarding path is one where the Layer 3 output interface is a bridged virtual interface (BVI) and the Layer 2 output interface (the access circuit of the bridge domain) is on a Typhoon line card. In the MPLS VPN scenario, routers are not exposed if MPLS labels are allocated per VRF; per-VRF allocation is the only label allocation mode supported with BVI, so MPLS VPN customers are exposed only if they run an unsupported configuration (this restriction is documented on CCO). In the MPLS scenario without VPN, routers are exposed if labels are allocated for prefixes learned via the BVI. MPLS LDP does not need to be enabled on the BVI for the router to be exposed.
Workaround: In MPLS VPN, configure per-VRF label allocation. In MPLS without VPN, disable label allocation for prefixes learned via the BVI; this should not cause an issue because MPLS without VPN is not a common deployment scenario.

PSIRT Evaluation: The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5.7/4.7: http://tools.cisco.com/security/center/cvssCalculator.x?vector=AV:A/AC:M/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C&version=2.0

CVE ID CVE-2014-3321 has been assigned to document this issue. Additional details about the vulnerability described here can be found at: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3321

Additional information on Cisco's security vulnerability policy can be found at the following URL: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
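As an added example that is not part of the Cisco bug entry, the audit script below reads an IOS XR configuration and reports BVI interfaces still in the exposed state described in the workaround: a BVI in a VRF that has not been switched to per-VRF label allocation, or a BVI in the global table whose learned prefixes may be receiving labels. It assumes the IOS XR syntax `label mode per-vrf` under `router bgp` / `vrf X` / `address-family ipv4 unicast`, and runs over a constructed sample configuration.

```python
# Added audit script, not part of the Cisco bug entry. Assumes the IOS XR syntax
# "label mode per-vrf" under router bgp / vrf X / address-family ipv4 unicast.
# Constructed sample: RED uses per-VRF labels, BLUE keeps per-prefix, BVI300 is global.
SAMPLE_CONFIG = """\
interface BVI100
 vrf RED
!
interface BVI200
 vrf BLUE
!
interface BVI300
!
router bgp 65000
 vrf RED
  address-family ipv4 unicast
   label mode per-vrf
 vrf BLUE
  address-family ipv4 unicast
"""

def parse(config):
    """Flatten indented IOS XR config into (parent_path, line) tuples."""
    entries, stack = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue                      # skip blanks and '!' separators
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()                   # climb out of finished sections
        entries.append((tuple(l for _, l in stack), line))
        stack.append((indent, line))
    return entries

def audit(config):
    """Return {bvi: finding} for BVIs left in the exposed label-allocation state."""
    entries = parse(config)
    per_vrf = {p[1][4:] for p, l in entries        # VRFs with per-VRF labels
               if len(p) == 3 and p[0].startswith("router bgp")
               and p[1].startswith("vrf ") and p[2] == "address-family ipv4 unicast"
               and l == "label mode per-vrf"}
    bvi_vrf = {}                                   # BVI name -> VRF, None = global
    for p, l in entries:
        if not p and l.startswith("interface BVI"):
            bvi_vrf.setdefault(l[len("interface "):], None)
        elif p and p[0].startswith("interface BVI") and l.startswith("vrf "):
            bvi_vrf[p[0][len("interface "):]] = l[4:]
    return {b: ("global table: disable label allocation for prefixes learned via this BVI"
                if v is None else f"vrf {v} lacks 'label mode per-vrf' (unsupported with BVI; exposed)")
            for b, v in bvi_vrf.items() if v is None or v not in per_vrf}
```

Run `audit()` over the output of `show running-config` from the device; an empty result means every BVI is either in a per-VRF-labelled VRF or has been reviewed for the non-VPN case.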