[nsp-sec] mpls MFI dos
Ilker Temir
itemir at cisco.com
Wed Sep 24 15:58:02 EDT 2008
Don, All,
As you can appreciate we cannot share the exact details of the offending
packet. But I can confirm that the trigger is a malformed MPLS packet.
Such packets need to be crafted specifically. This issue will not be
triggered by normal/legitimate MPLS packets.
Hope this answers your question.
Thanks,
Ilker
> Ok I will try it then. NSP security team-mates this is NOT limited to
> nsp-sec members only.
>
> Replies to this will also go to the cisco psirt team. Since my qwestion
> is for them but the answer is likely to affect you, I will reply to Wendy
> (whom I trust and who has been vetted) and the rest of the cisco psirt
> team:)
>
>
> "In newer versions of Cisco IOS software, a new packet forwarding
> infrastructure was introduced to improve scalability and performance.
> This forwarding infrastructure, called MFI, is transparent to the user.
> MFI manages MPLS data structures used for forwarding and replaces the
> older implementation, Label Forwarding Information Base (LFIB). Cisco
> IOS MFI implementation is vulnerable to a DoS attack from specially
> crafted packets that are handled in the software path, including transit
> packets that are handled in the software path. Such packets can be sent
> from the local segment to the interfaces that are configured for MPLS or
> via tunnel interfaces that are configured for MPLS. To target a remote
> system in an MPLS network, an attacker needs to have access to the MPLS
> network through an MPLS-enabled interface. MPLS packets are dropped on
> interfaces that are not configured for MPLS"
>
> What is the nature of "the specially crafted packets that are handled in
> the software path"?
> It sounds like they have to be mpls packets. Clearly they can be transit
> packets. Software path implies they are not normally handled on the line
> card. I assume it isn't EVERY mpls packet that travels via the software
> path.
>
> Security through obscurity WORKS against some worms and ssh attacks:)
> Donald.Smith at qwest.com giac
>
>> -----Original Message-----
>> From: Wendy Garvin [mailto:wgarvin at cisco.com]
>> Sent: Wednesday, September 24, 2008 11:39 AM
>> To: Smith, Donald
>> Cc: psirt at cisco.com; nsp-security at puck.nether.net
>> Subject: Re: [nsp-sec] Cisco Security Advisory: Cisco 10000,
>> uBR10012, uBR7200 Series Devices IPC Vulnerability
>>
>>
>> Don,
>>
>> Appreciate the feedback.
>>
>> We've worked to rotate our team members through nsp-sec, so although not
>> all of us are on the list, most of us have been vetted. We can continue
>> that process with a new batch of members, but we really, really don't
>> want a single point of failure for responses to our advisories.
>>
>> I think in this case we're going to trust the nsp-sec membership to be
>> careful about their conversations with us, because to us that's less of
>> a risk than missing an important question and leaving one of our
>> customers without support.
>>
>> Thanks,
>>
>> -Wendy
>>
>>> Smith, Donald <Donald.Smith at qwest.com> [2008-09-24 10:21] wrote:
>>> While I appreciate seeing these hit our list, I am not sure it is
>>> appropriate for the response address to be the psirt team since the
>>> cisco psirt team isn't signed up to the nsp list.
>>>
>>> Anyone responding to this message MIGHT accidentally violate our sharing
>>> framework.
>>>
>>> In the future I recommend you send this with a reply-to address of psirt
>>> members that have been vetted onto the nsp sec list.
>>>
>>>
>>> Security through obscurity WORKS against some worms and ssh attacks:)
>>> Donald.Smith at qwest.com giac
>>>
>>>
>> --
>> Wendy Garvin - Cisco PSIRT - 408 525-1888
>> ----------------------------------------------------
>> http://www.cisco.com/go/psirt
>>