[nsp-sec] mpls MFI dos

Ilker Temir itemir at cisco.com
Thu Sep 25 10:12:20 EDT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> On Wed, 24 Sep 2008, Ilker Temir wrote:
> 
>> ----------- nsp-security Confidential --------
>>
> Don, All,
> 
> As you can appreciate we cannot share the exact details of the offending
> packet. But I can confirm that the trigger is a malformed MPLS packet.
> Such packets need to be crafted specifically. This issue will not be
> triggered by normal/legitimate MPLS packets.
> 
> Hope this answers your question.
> 
>> Sure.. what about corrupted packets leaving an interface though? So, is
>> this a control-plane packet? (RSVP/LDP or even MP-BGP?) Or is this a
>> labelled data packet?

It can't be triggered by control plane packets. Trigger is a malformed
labeled packet.

Thanks,

Ilker

> Thanks,
> 
> Ilker
> 
>>>> Ok I will try it then. NSP security team-mates this is NOT limited to
>>>> nsp-sec members only.
>>>>
>>>> Replies to this will also go to the cisco psirt team. Since my qwestion
>>>> is for them but the answer is likely to affect you I will reply to Wendy
>>>> (whom I trust and who has been vetted) and the rest of the cisco psirt
>>>> team:)
>>>>
>>>>
>>>> "In newer versions of Cisco IOS software, a new packet forwarding
>>>> infrastructure was introduced to improve scalability and performance.
>>>> This forwarding infrastructure, called MFI, is transparent to the user.
>>>> MFI manages MPLS data structures used for forwarding and replaces the
>>>> older implementation, Label Forwarding Information Base (LFIB). Cisco
>>>> IOS MFI implementation is vulnerable to a DoS attack from specially
>>>> crafted packets that are handled in the software path, including transit
>>>> packets that are handled in the software path. Such packets can be sent
>>>> from the local segment to the interfaces that are configured for MPLS or
>>>> via tunnel interfaces that are configured for MPLS. To target a remote
>>>> system in an MPLS network, an attacker needs to have access to the MPLS
>>>> network through an MPLS-enabled interface. MPLS packets are dropped on
>>>> interfaces that are not configured for MPLS"
>>>>
>>>> What is the nature of "the specially crafted packets that are handled in
>>>> the software path".
>>>> It sounds like they have to be mpls packets. Clearly they can be transit
>>>> packets. Software path implies they are not normally handled on the line
>>>> card. I assume it isn't EVERY mpls packet that travels via the software
>>>> path.
>>>>
>>>> Security through obscurity WORKS against some worms and ssh attacks:)
>>>> Donald.Smith at qwest.com giac
>>>>
>>>>> -----Original Message-----
>>>>> From: Wendy Garvin [mailto:wgarvin at cisco.com]
>>>>> Sent: Wednesday, September 24, 2008 11:39 AM
>>>>> To: Smith, Donald
>>>>> Cc: psirt at cisco.com; nsp-security at puck.nether.net
>>>>> Subject: Re: [nsp-sec] Cisco Security Advisory: Cisco 10000,
>>>>> uBR10012,uBR7200 Series Devices IPC Vulnerability
>>>>>
>>>>>
>>>>> Don,
>>>>>
>>>>> Appreciate the feedback.
>>>>>
>>>>> We've worked to rotate our team members through nsp-sec, so although not
>>>>> all of us are on the list, most of us have been vetted. We can continue
>>>>> that process with a new batch of members, but we really, really don't
>>>>> want a single point of failure for responses to our advisories.
>>>>>
>>>>> I think in this case we're going to trust the nsp-sec membership to be
>>>>> careful about their conversations with us, because to us that's less of
>>>>> a risk than missing an important question and leaving one of our
>>>>> customers without support.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Wendy
>>>>>
>>>>>> Smith, Donald <Donald.Smith at qwest.com> [2008-09-24 10:21] wrote:
>>>>>> While I appreciate seeing these hit our list I am not sure it is
>>>>>> appropriate for the response address to be the psirt team since the
>>>>>> cisco psirt team isn't signed up to the nsp list.
>>>>>>
>>>>>> Anyone responding to this message MIGHT accidentally violate our
>>>>>> sharing framework.
>>>>>>
>>>>>> In the future I recommend you send this with a reply-to address of
>>>>>> psirt members that have been vetted onto the nsp sec list.
>>>>>>
>>>>>>
>>>>>> Security through obscurity WORKS against some worms and ssh attacks:)
>>>>>> Donald.Smith at qwest.com giac
>>>>>>
>>>>>>
>>>>>> This communication is the property of Qwest and may contain
>>>>>> confidential or privileged information. Unauthorized use of this
>>>>>> communication is strictly prohibited and may be unlawful.  If you have
>>>>>> received this communication in error, please immediately notify the
>>>>>> sender by reply e-mail and destroy all copies of the communication and
>>>>>> any attachments.
>>>>>> [    ----- End of Included Message -----    ]
>>>>> -- 
>>>>> Wendy Garvin - Cisco PSIRT - 408 525-1888 . : | : .
>>>>> ----------------------------------------------------
>>>>>            http://www.cisco.com/go/psirt
>>>>>
>>
>>
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
>>
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet
security counter-measures.
_______________________________________________
>>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjbnEQACgkQ8/wE0ppYtwUzrQCfUexFjIEbK0+EnQNe+dGOz+lK
mXAAnipzr3Yo2Crzy//0rPdfxoZBUtMk
=yZMX
-----END PGP SIGNATURE-----
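An added example, not code from this thread, from Cisco or from the advisory, and not a description of the MFI trigger (which the thread deliberately does not disclose): a small parser for the RFC 3032 label stack that separates an ordinary transit label stack from the kinds of labeled packets a forwarding engine cannot simply label-switch in its fast path (reserved labels 0-15, an implicit-null label that should never appear on the wire, a TTL that expires at this hop, and a stack that runs out of bytes before a bottom-of-stack entry). The sample frames are constructed; the depth limit and the assumption that each flagged case ends up in a platform's software path are illustrative, since which packets are punted is platform-specific.

```python
"""RFC 3032 label-stack parser with checks for entries that make a labeled
packet something other than a clean transit packet.

Added example for this thread; not Cisco code and not the MFI trigger
(the thread does not disclose the offending packet). Which of the flagged
cases a given platform punts to its software path is platform-specific and
is an assumption here.
"""
import struct

RESERVED_LABEL_MAX = 15   # labels 0-15 are reserved (RFC 3032 section 2.1)
MAX_STACK_DEPTH = 8       # assumed sanity limit; real limits are per platform


def mpls_entry(label: int, tc: int = 0, s: int = 0, ttl: int = 64) -> bytes:
    """Encode one 32-bit label stack entry: Label(20) | TC(3) | S(1) | TTL(8)."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and s in (0, 1) and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)


def parse_label_stack(frame: bytes):
    """Parse a label stack from the start of `frame`.

    Returns (entries, issues, payload): entries is a list of dicts, issues is a
    list of strings explaining why this is not an ordinary transit stack, and
    payload is whatever follows the bottom-of-stack entry (empty if truncated).
    """
    entries, issues, offset = [], [], 0
    while True:
        if len(frame) - offset < 4:
            issues.append("truncated: stack ends before a bottom-of-stack entry")
            return entries, issues, b""
        (word,) = struct.unpack("!I", frame[offset:offset + 4])
        entry = {
            "label": word >> 12,
            "tc": (word >> 9) & 0x7,
            "s": (word >> 8) & 0x1,
            "ttl": word & 0xFF,
        }
        entries.append(entry)
        offset += 4
        depth = len(entries)
        if entry["label"] <= RESERVED_LABEL_MAX:
            issues.append(f"reserved label {entry['label']} at depth {depth}")
        if entry["label"] == 3:
            # Implicit NULL is signalled by LDP/RSVP but is never encoded on the wire.
            issues.append(f"implicit-null label on the wire at depth {depth}")
        if entry["ttl"] <= 1:
            issues.append(f"ttl {entry['ttl']} at depth {depth} expires at this hop")
        if depth > MAX_STACK_DEPTH:
            issues.append(f"stack deeper than {MAX_STACK_DEPTH}")
            return entries, issues, b""
        if entry["s"]:
            return entries, issues, frame[offset:]


def is_clean_transit(frame: bytes) -> bool:
    """True when the stack parses completely with nothing for a slow path to examine."""
    _, issues, _ = parse_label_stack(frame)
    return not issues


# Constructed sample frames (payload bytes are arbitrary filler, not real IP headers).
CLEAN_TRANSIT = mpls_entry(16, ttl=64) + mpls_entry(17, s=1, ttl=64) + b"\x45" * 20
TRUNCATED = mpls_entry(16, ttl=64) + b"\x00\x01"            # stack never reaches S=1
ROUTER_ALERT = mpls_entry(1, ttl=64) + mpls_entry(18, s=1, ttl=64) + b"\x45" * 20
TTL_EXPIRING = mpls_entry(16, s=1, ttl=1) + b"\x45" * 20

if __name__ == "__main__":
    for name, frame in [("clean", CLEAN_TRANSIT), ("truncated", TRUNCATED),
                        ("router-alert", ROUTER_ALERT), ("ttl-1", TTL_EXPIRING)]:
        entries, issues, _ = parse_label_stack(frame)
        print(f"{name:13} labels={[e['label'] for e in entries]} issues={issues}")
```

The point of the checks is the distinction Don asks about: a well-formed stack of ordinary labels with a healthy TTL is what a line card label-switches without help, while anything the parser flags is the sort of packet that needs a decision the fast path cannot make on its own. The advisory's mitigation follows from the same structure: a frame like these is only parsed as MPLS at all on an interface configured for it.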