[nsp-sec] mpls MFI dos

Ilker Temir itemir at cisco.com
Thu Sep 25 10:16:50 EDT 2008


> Note: This is going outside of NSP-SEC vetted membership as well.
> 
> Can this vulnerability be ticketed by someone injecting [crafted packet] at the CPE or PE that then becomes a label-switched packet?  IE; remote or datacenter customer with

No, this won't be possible. An attacker needs to inject MPLS packets to
trigger this.

Thanks,

Ilker

>  an ethernet hand-off?
> 
> John
> 
> 
> Ilker Temir wrote:
>> ----------- nsp-security Confidential --------
> 
>> Don, All,
> 
>> As you can appreciate we cannot share the exact details of the offending
>> packet. But I can confirm that the trigger is a malformed MPLS packet.
>> Such packets need to be crafted specifically. This issue will not be
>> triggered by normal/legitimate MPLS packets.
> 
>> Hope this answers your question.
> 
>> Thanks,
> 
>> Ilker
> 
>>> Ok I will try it then. NSP security team-mates this is NOT limited to
>>> nsp-sec members only.
>>> Replies to this will also go to the cisco psirt team. Since my question
>>> is for them but the answer is likely to affect you I will reply to Wendy
>>> (whom I trust and who has been vetted) and the rest of the cisco psirt
>>> team:)
> 
>>> "In newer versions of Cisco IOS software, a new packet forwarding
>>> infrastructure was introduced to improve scalability and performance.
>>> This forwarding infrastructure, called MFI, is transparent to the user.
>>> MFI manages MPLS data structures used for forwarding and replaces the
>>> older implementation, Label Forwarding Information Base (LFIB). Cisco
>>> IOS MFI implementation is vulnerable to a DoS attack from specially
>>> crafted packets that are handled in the software path, including transit
>>> packets that are handled in the software path. Such packets can be sent
>>> from the local segment to the interfaces that are configured for MPLS or
>>> via tunnel interfaces that are configured for MPLS. To target a remote
>>> system in an MPLS network, an attacker needs to have access to the MPLS
>>> network through an MPLS-enabled interface. MPLS packets are dropped on
>>> interfaces that are not configured for MPLS"
>>> What is the nature of "the specially crafted packets that are handled in
>>> the software path"?
>>> It sounds like they have to be mpls packets. Clearly they can be transit
>>> packets. Software path implies they are not normally handled on the line
>>> card. I assume it isn't EVERY mpls packet that travels via the software
>>> path.  
>>> Security through obscurity WORKS against some worms and ssh attacks:)
>>> Donald.Smith at qwest.com giac 
>>>> -----Original Message-----
>>>> From: Wendy Garvin [mailto:wgarvin at cisco.com] 
>>>> Sent: Wednesday, September 24, 2008 11:39 AM
>>>> To: Smith, Donald
>>>> Cc: psirt at cisco.com; nsp-security at puck.nether.net
>>>> Subject: Re: [nsp-sec] Cisco Security Advisory: Cisco 10000, uBR10012,uBR7200 Series Devices IPC Vulnerability
>>>>
>>>>
>>>> Don,
>>>>
>>>> Appreciate the feedback. 
>>>>
>>>> We've worked to rotate our team members through nsp-sec, so although not
>>>> all of us are on the list, most of us have been vetted. We can continue
>>>> that process with a new batch of members, but we really, really don't
>>>> want a single point of failure for responses to our advisories.
>>>>
>>>> I think in this case we're going to trust the nsp-sec membership to be
>>>> careful about their conversations with us, because to us that's less of
>>>> a risk than missing an important question and leaving one of our
>>>> customers without support.
>>>>
>>>> Thanks,
>>>>
>>>> -Wendy
>>>>
>>>>> Smith, Donald <Donald.Smith at qwest.com> [2008-09-24 10:21] wrote:
>>>>> While I appreciate seeing these hit our list I am not sure it is
>>>>> appropriate for the response address to be the psirt team since the
>>>>> cisco psirt team isn't signed up to the nsp list.
>>>>>
>>>>> Anyone responding to this message MIGHT accidentally violate our sharing
>>>>> framework.
>>>>>
>>>>> In the future I recommend you send this with a reply to address of psirt
>>>>> members that have been vetted onto the nsp sec list.
>>>>>
>>>>>
>>>>> Security through obscurity WORKS against some worms and ssh attacks:)
>>>>> Donald.Smith at qwest.com giac
>>>>>
>>>>>
>>>>> This communication is the property of Qwest and may contain confidential or
>>>>> privileged information. Unauthorized use of this communication is strictly
>>>>> prohibited and may be unlawful.  If you have received this communication
>>>>> in error, please immediately notify the sender by reply e-mail and destroy
>>>>> all copies of the communication and any attachments.
>>>>> [    ----- End of Included Message -----    ]
>>>> -- 
>>>> Wendy Garvin - Cisco PSIRT - 408 525-1888 . : | : .
>>>> ----------------------------------------------------
>>>>            http://www.cisco.com/go/psirt
>>>>
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________
> 