Cisco has released software updates addressing a high-severity DOS vulnerability tracked as CVE-2023-20049 with a CVSS score of 8.6 out of 10. The vulnerability was discovered in the bidirectional forwarding detection (BFD) hardware offload feature of the IOS XR software used by the following Cisco products:
- ASR 9000 series aggregation services routers (only if they have a Lightspeed or Lightspeed-Plus-based line card installed)
- ASR 9902 compact high-performance routers
- ASR 9903 compact high-performance routers
According to the security advisory published by the company, the vulnerability was caused by the incorrect handling of malformed BFD packets received on line cards where the BFD hardware offload feature was enabled. This meant that a remote attacker could trigger the vulnerability by sending a maliciously crafted IPv4 BFD packet to a vulnerable device.
Once exploited, it would allow the attacker to cause line card exceptions or even a hard reset which can further result in loss of traffic over that specific line card while it reloads. However, the Cisco PSIRT is not aware of any public announcements or in-the-wild exploits of the vulnerability. Additionally, since it was found during the resolution of a Cisco Technical Assistance Center (TAC) support case, there’s a good chance that it just wasn’t discovered until now.
While the company has updated its IOS XR software to fix the flaw, there are workarounds available for those who can’t update right away. The first recommendation is to disable the BFD hardware offload feature altogether by removing the following command from the line card and resetting it afterwards.
hw-module bfw-hw-offload enable
Alternatively, users can also create infrastructure access control lists to limit the attack surface. However, keep in mind that this does not prevent exploitation from allowed peers and such lists are subject to spoofing.
In the News: Pixel 7a: Specs and design leaked