[nsp-sec] mpls MFI dos

John Fraizer john at op-sec.us
Wed Sep 24 16:54:15 EDT 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Note: This is going outside of NSP-SEC vetted membership as well.

Can this vulnerability be ticketed by someone injecting [crafted packet] at the CPE or PE that then becomes a label-switched packet?  IE; remote or datacenter customer with
 an ethernet hand-off?

John


Ilker Temir wrote:
> ----------- nsp-security Confidential --------
> 
> Don, All,
> 
> As you can appreciate we cannot share the exact details of the offending
> packet. But I can confirm that the trigger is a malformed MPLS packet.
> Such packets need to be crafted specifically. This issue will not be
> triggered by normal/legitimate MPLS packets.
> 
> Hope this answers your question.
> 
> Thanks,
> 
> Ilker
> 
>> Ok I will try it then. NSP security team-mates this is NOT limited to
>> nsp-sec members only.
> 
>> Replies to this will also go to the cisco psirt team. Since my qwestion
>> is for them but the answer is likely to affect you I will reply to Wendy
>> (whom I trust and who has been vetted) and the rest of the cisco psirt
>> team:)
> 
> 
>> "In newer versions of Cisco IOS software, a new packet forwarding
>> infrastructure was introduced to improve scalability and performance.
>> This forwarding infrastructure, called MFI, is transparent to the user.
>> MFI manages MPLS data structures used for forwarding and replaces the
>> older implementation, Label Forwarding Information Base (LFIB). Cisco
>> IOS MFI implementation is vulnerable to a DoS attack from specially
>> crafted packets that are handled in the software path, including transit
>> packets that are handled in the software path. Such packets can be sent
>> from the local segment to the interfaces that are configured for MPLS or
>> via tunnel interfaces that are configured for MPLS. To target a remote
>> system in an MPLS network, an attacker needs to have access to the MPLS
>> network through an MPLS-enabled interface. MPLS packets are dropped on
>> interfaces that are not configured for MPLS"
> 
>> What is the nature of "the specially crafted packets that are handled in
>> the software path".
>> It sounds like they have to be mpls packets. Clearly they can be transit
>> packets. Software path implies they are not normally handled on the line
>> card. I assume it isn't EVERY mpls packet that travels via the software
>> path.  
> 
>> Security through obscurity WORKS against some worms and ssh attacks:)
>> Donald.Smith at qwest.com giac 
> 
>>> -----Original Message-----
>>> From: Wendy Garvin [mailto:wgarvin at cisco.com] 
>>> Sent: Wednesday, September 24, 2008 11:39 AM
>>> To: Smith, Donald
>>> Cc: psirt at cisco.com; nsp-security at puck.nether.net
>>> Subject: Re: [nsp-sec] Cisco Security Advisory: Cisco 10000, 
>>> uBR10012,uBR7200 Series Devices IPC Vulnerability
>>>
>>>
>>> Don,
>>>
>>> Appreciate the feedback. 
>>>
>>> We've worked to rotate our team members through nsp-sec, so 
>>> although not
>>> all of us are on the list, most of us have been vetted. We 
>>> can continue
>>> that process with a new batch of members, but we really, really don't
>>> want a single point of failure for responses to our advisories.
>>>
>>> I think in this case we're going to trust the nsp-sec membership to be
>>> careful about their conversations with us, because to us 
>>> that's less of
>>> a risk than missing an important question and leaving one of our
>>> customers without support.
>>>
>>> Thanks,
>>>
>>> -Wendy
>>>
>>>> Smith, Donald <Donald.Smith at qwest.com> [2008-09-24 10:21] wrote:
>>>> While I appreciate seeing these hit our list I am not sure it is
>>>> appropriate for the response address to be the psirt team since the
>>>> cisco psirt team isn't signed up to the nsp list.
>>>>
>>>> Anyone responding to this message MIGHT accidentally 
>>> violate our sharing
>>>> framework.
>>>>
>>>> In the future I recommend you send this with a reply to 
>>> address of psirt
>>>> members that have been vetted onto the nsp sec list.
>>>>
>>>>
>>>> Security through obscurity WORKS against some worms and ssh 
>>> attacks:)
>>>> Donald.Smith at qwest.com giac 
>>>>
>>>>
>>>> This communication is the property of Qwest and may contain 
>>> confidential or
>>>> privileged information. Unauthorized use of this 
>>> communication is strictly 
>>>> prohibited and may be unlawful.  If you have received this 
>>> communication 
>>>> in error, please immediately notify the sender by reply 
>>> e-mail and destroy 
>>>> all copies of the communication and any attachments.
>>>> [    ----- End of Included Message -----    ]
>>> -- 
>>> Wendy Garvin - Cisco PSIRT - 408 525-1888 . : | : .
>>> ----------------------------------------------------
>>>            http://www.cisco.com/go/psirt
>>>

_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with PCLinuxOS - http://enigmail.mozdev.org

iD4DBQFI2qj3+16lRpJszIgRAomhAJjqNurReiOea8nrfNumR0A3cDUIAJ9pIhMW
XU+YUR2McHvDg+HVYVs1Gg==
=5+Fw
-----END PGP SIGNATURE-----

More information about the nsp-security mailing list