[nsp-sec] mpls MFI dos
Chris Morrow
morrowc at ops-netman.net
Wed Sep 24 16:55:32 EDT 2008
On Wed, 24 Sep 2008, Ilker Temir wrote:
> ----------- nsp-security Confidential --------
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Don, All,
>
> As you can appreciate we cannot share the exact details of the offending
> packet. But I can confirm that the trigger is a malformed MPLS packet.
> Such packets need to be crafted specifically. This issue will not be
> triggered by normal/legitimate MPLS packets.
>
> Hope this answers your question.
Sure.. what about corrupted packets leaving an interface, though? So, is
this a control-plane packet (rsvp/ldp or even mpbgp?) or is this a
labelled data packet?
>
> Thanks,
>
> Ilker
>
>> Ok I will try it then. NSP security team-mates this is NOT limited to
>> nsp-sec members only.
>>
>> Replies to this will also go to the cisco psirt team. Since my question
>> is for them but the answer is likely to affect you I will reply to Wendy
>> (whom I trust and who has been vetted) and the rest of the cisco psirt
>> team:)
>>
>>
>> "In newer versions of Cisco IOS software, a new packet forwarding
>> infrastructure was introduced to improve scalability and performance.
>> This forwarding infrastructure, called MFI, is transparent to the user.
>> MFI manages MPLS data structures used for forwarding and replaces the
>> older implementation, Label Forwarding Information Base (LFIB). Cisco
>> IOS MFI implementation is vulnerable to a DoS attack from specially
>> crafted packets that are handled in the software path, including transit
>> packets that are handled in the software path. Such packets can be sent
>> from the local segment to the interfaces that are configured for MPLS or
>> via tunnel interfaces that are configured for MPLS. To target a remote
>> system in an MPLS network, an attacker needs to have access to the MPLS
>> network through an MPLS-enabled interface. MPLS packets are dropped on
>> interfaces that are not configured for MPLS"
>>
>> What is the nature of "the specially crafted packets that are handled in
>> the software path".
>> It sounds like they have to be mpls packets. Clearly they can be transit
>> packets. Software path implies they are not normally handled on the line
>> card. I assume it isn't EVERY mpls packet that travels via the software
>> path.
>>
>> Security through obscurity WORKS against some worms and ssh attacks:)
>> Donald.Smith at qwest.com giac
>>
>>> -----Original Message-----
>>> From: Wendy Garvin [mailto:wgarvin at cisco.com]
>>> Sent: Wednesday, September 24, 2008 11:39 AM
>>> To: Smith, Donald
>>> Cc: psirt at cisco.com; nsp-security at puck.nether.net
>>> Subject: Re: [nsp-sec] Cisco Security Advisory: Cisco 10000,
>>> uBR10012,uBR7200 Series Devices IPC Vulnerability
>>>
>>>
>>> Don,
>>>
>>> Appreciate the feedback.
>>>
>>> We've worked to rotate our team members through nsp-sec, so although not
>>> all of us are on the list, most of us have been vetted. We can continue
>>> that process with a new batch of members, but we really, really don't
>>> want a single point of failure for responses to our advisories.
>>>
>>> I think in this case we're going to trust the nsp-sec membership to be
>>> careful about their conversations with us, because to us that's less of
>>> a risk than missing an important question and leaving one of our
>>> customers without support.
>>>
>>> Thanks,
>>>
>>> -Wendy
>>>
>>>> Smith, Donald <Donald.Smith at qwest.com> [2008-09-24 10:21] wrote:
>>>> While I appreciate seeing these hit our list I am not sure it is
>>>> appropriate for the response address to be the psirt team since the
>>>> cisco psirt team isn't signed up to the nsp list.
>>>>
>>>> Anyone responding to this message MIGHT accidentally violate our sharing
>>>> framework.
>>>>
>>>> In the future I recommend you send this with a reply to address of psirt
>>>> members that have been vetted onto the nsp sec list.
>>>>
>>>>
>>>> Security through obscurity WORKS against some worms and ssh attacks:)
>>>> Donald.Smith at qwest.com giac
>>>>
>>>>
>>>> This communication is the property of Qwest and may contain confidential or
>>>> privileged information. Unauthorized use of this communication is strictly
>>>> prohibited and may be unlawful. If you have received this communication
>>>> in error, please immediately notify the sender by reply e-mail and destroy
>>>> all copies of the communication and any attachments.
>>>> [ ----- End of Included Message ----- ]
>>> --
>>> Wendy Garvin - Cisco PSIRT - 408 525-1888 . : | : .
>>> ----------------------------------------------------
>>> http://www.cisco.com/go/psirt
>>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkjam8oACgkQ8/wE0ppYtwX5ngCgzz0dBg7uM7gt71Gjxd+QoKrh
> M0oAoIGk/G54B5kvA8mluoZhu4JsPTPu
> =Rsp4
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
>
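The control-plane-versus-labelled-data question in the reply above comes down to what is on the wire, so here is an added illustration (not part of this thread, and not code from Cisco or the advisory) that classifies captured Ethernet frames the way a defender looking at a span port would: labelled MPLS data is EtherType 0x8847/0x8848 carrying an RFC 3032 label stack, while the control-plane protocols named in the reply ride in IP (RSVP is IP protocol 46, LDP uses port 646, BGP uses TCP port 179). The sample frames, the MAC and IP addresses, and the helper names are constructed for the example; the truncated-stack check is ordinary parser hygiene and says nothing about the packet the advisory refers to.

```python
import struct

# EtherTypes and protocol numbers (public IANA/RFC values).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_MPLS_UNICAST = 0x8847
ETHERTYPE_MPLS_MULTICAST = 0x8848
IPPROTO_TCP = 6
IPPROTO_RSVP = 46
LDP_PORT = 646
BGP_PORT = 179


def parse_label_stack(payload):
    """Walk RFC 3032 label stack entries (label:20, TC:3, S:1, TTL:8) until the
    bottom-of-stack bit is set. Returns (entries, bytes after the stack).
    Raises ValueError when the stack runs off the end of the packet."""
    entries = []
    offset = 0
    while True:
        if offset + 4 > len(payload):
            raise ValueError("label stack runs past end of packet")
        (word,) = struct.unpack_from("!I", payload, offset)
        entry = {
            "label": word >> 12,
            "tc": (word >> 9) & 0x7,
            "bos": bool((word >> 8) & 0x1),
            "ttl": word & 0xFF,
        }
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, payload[offset:]


def classify_frame(frame):
    """Classify one Ethernet frame: labelled MPLS data, an MPLS control-plane
    protocol carried in IPv4 (RSVP, LDP, BGP), plain IP, or something else."""
    if len(frame) < 14:
        return {"kind": "other", "reason": "short frame"}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    body = frame[14:]

    if ethertype in (ETHERTYPE_MPLS_UNICAST, ETHERTYPE_MPLS_MULTICAST):
        try:
            stack, _inner = parse_label_stack(body)
        except ValueError as err:
            return {"kind": "mpls-truncated", "reason": str(err)}
        return {"kind": "mpls-data", "labels": [e["label"] for e in stack]}

    if ethertype == ETHERTYPE_IPV4 and len(body) >= 20:
        ihl = (body[0] & 0x0F) * 4        # IPv4 header length in bytes
        proto = body[9]                    # protocol field
        if proto == IPPROTO_RSVP:
            return {"kind": "control-plane", "proto": "rsvp"}
        if proto == IPPROTO_TCP and len(body) >= ihl + 4:
            sport, dport = struct.unpack_from("!HH", body, ihl)
            if LDP_PORT in (sport, dport):
                return {"kind": "control-plane", "proto": "ldp"}
            if BGP_PORT in (sport, dport):
                return {"kind": "control-plane", "proto": "bgp"}
        return {"kind": "ip", "proto": proto}

    return {"kind": "other", "ethertype": ethertype}


# --- constructed sample frames (made-up MAC/IP addresses, not captured traffic) ---
_ETH = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")


def build_mpls_frame(labels, inner=b"\x45" + b"\x00" * 19):
    """Ethernet + MPLS unicast frame with the given label stack, TTL 64."""
    stack = b"".join(
        struct.pack("!I", (label << 12) | ((1 if i == len(labels) - 1 else 0) << 8) | 64)
        for i, label in enumerate(labels)
    )
    return _ETH + struct.pack("!H", ETHERTYPE_MPLS_UNICAST) + stack + inner


def build_ipv4_frame(proto, l4=b""):
    """Ethernet + minimal 20-byte IPv4 header carrying `proto` and payload `l4`."""
    total = 20 + len(l4)
    ip = (bytes([0x45, 0]) + struct.pack("!H", total) + b"\x00\x00\x40\x00"
          + bytes([64, proto]) + b"\x00\x00"
          + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]))
    return _ETH + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def tcp_segment(sport, dport):
    """Minimal 20-byte TCP header (ports only; other fields zero)."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


if __name__ == "__main__":
    samples = {
        "two-label data packet": build_mpls_frame([16, 17]),
        "truncated label stack": build_mpls_frame([16, 17])[:18],
        "LDP session": build_ipv4_frame(IPPROTO_TCP, tcp_segment(40000, LDP_PORT)),
        "BGP session": build_ipv4_frame(IPPROTO_TCP, tcp_segment(BGP_PORT, 40001)),
        "RSVP": build_ipv4_frame(IPPROTO_RSVP),
    }
    for name, frame in samples.items():
        print(f"{name:24s} -> {classify_frame(frame)}")
```

Run against a capture from an interface that the advisory text says should never carry MPLS (one not configured for it), any frame classified as `mpls-data` or `mpls-truncated` is worth a look, since the advisory's exposure is tied to MPLS-enabled interfaces; the control-plane classes show which of the reply's candidates (rsvp/ldp/bgp) are present at all.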