
CERT-In Vulnerability Note CIVN-2008-154
Cisco IOS Multiprotocol Label Switching Virtual Private Network Information Disclosure Issue

Original Issue Date: October 10, 2008

Severity Rating: High

Systems Affected

  • Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for MPLS (Multiprotocol Label Switching) VPNs (Virtual Private Networks) or VRF (VPN Routing and Forwarding) Lite.

Overview

A vulnerability has been reported in Cisco IOS Software that could allow an attacker to view sensitive information. Depending on the information leaked, the attacker may be able to carry out further malicious activity against the target device or network.

Description

A vulnerability has been reported in Cisco IOS configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite). The affected devices must also use Border Gateway Protocol (BGP) to communicate between Customer Edge (CE) and Provider Edge (PE) devices. The vulnerability exists due to a “logic error” when handling extended communities in MPLS VPN sessions. The affected device may use a corrupted route target (RT), which allows a remote attacker to read traffic from other VPNs.

Workaround

  • Cisco IOS versions that support filtering of extended communities can prevent the corruption of the route target (RT) by applying a BGP route-map that removes RT entries on inbound BGP sessions.
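
One way to check a PE configuration for the workaround above, as an added example that is not part of this note or of the Cisco advisory. The sample configuration is constructed (documentation addresses, private AS numbers, hypothetical VRF and route-map names), and it assumes the workaround route-map is written with `set extcomm-list ... delete`.

```python
import re

# Constructed PE config: CE 192.0.2.1 has the inbound filter, CE 192.0.2.5 does not.
# Assumption: the workaround is an inbound route-map using 'set extcomm-list <n> delete'.
SAMPLE_CONFIG = """\
router bgp 64500
 address-family ipv4 vrf CUST-A
  neighbor 192.0.2.1 remote-as 64511
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 route-map STRIP-RT in
 exit-address-family
 address-family ipv4 vrf CUST-B
  neighbor 192.0.2.5 remote-as 64512
  neighbor 192.0.2.5 activate
  neighbor 192.0.2.5 route-map SET-LP in
 exit-address-family
!
ip extcommunity-list 100 permit _RT.*_
!
route-map STRIP-RT permit 10
 set extcomm-list 100 delete
!
route-map SET-LP permit 10
 set local-preference 200
"""

def audit_pe_ce_sessions(config):
    """Return sorted (vrf, neighbor) pairs lacking an inbound extcommunity-stripping route-map."""
    vrf = route_map = None
    neighbors = {}   # (vrf, neighbor) -> inbound route-map name, or None if absent
    strips = set()   # route-maps that contain 'set extcomm-list ... delete'
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"address-family ipv4 vrf (\S+)", line):
            vrf, route_map = m.group(1), None
        elif line == "exit-address-family" or (raw and not raw[0].isspace()):
            vrf = None  # left the VRF block; a top-level line may open a route-map
            m = re.match(r"route-map (\S+) (?:permit|deny)", line)
            route_map = m.group(1) if m else None
        elif vrf and (m := re.match(r"neighbor (\S+) (.+)", line)):
            key = (vrf, m.group(1))
            neighbors.setdefault(key, None)
            if rm := re.fullmatch(r"route-map (\S+) in", m.group(2)):
                neighbors[key] = rm.group(1)
        elif route_map and re.fullmatch(r"set extcomm-list \S+ delete", line):
            strips.add(route_map)
    # Not checked here: whether the referenced extcommunity-list actually matches RTs.
    return sorted(k for k, rm in neighbors.items() if rm not in strips)
```

Running `audit_pe_ce_sessions(SAMPLE_CONFIG)` flags only the CUST-B session, whose inbound route-map sets local preference but leaves extended communities in place.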

Solution

Apply the appropriate fixed versions as mentioned in the Cisco Security Advisory.
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a014a9.shtml

Vendor Information

Cisco
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a014a9.shtml

References

Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=16669

Secunia
http://secunia.com/advisories/cve_reference/CVE-2008-3803/

CVE Name
CVE-2008-3803

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003