Day: July 8, 2021

Cisco IOS and IOS XE Software Bidirectional Forwarding Detection Denial of Service Vulnerability

This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco IOS Software or Cisco IOS XE Software and the BFD feature is enabled:

Catalyst 4500 Supervisor Engine 6-E (K5)
Catalyst 4500 Supervisor Engine 6L-E (K10)
Catalyst 4500 Supervisor Engine 7-E (K10)
Catalyst 4500 Supervisor Engine 7L-E (K10)
Catalyst 4500E Supervisor Engine 8-E (K10)
Catalyst 4500E Supervisor Engine 8L-E (K10)
Catalyst 4500E Supervisor Engine 9-E (K10)
Catalyst 4500-X Series Switches (K10)
Catalyst 4900M Switch (K5)
Catalyst 4948E Ethernet Switch (K5)

This vulnerability can be exploited only if the BFD feature is enabled on an affected device. The BFD feature is enabled by default in Cisco IOS Software and Cisco IOS XE Software if the software is running an IP Base (ipbase) package license or a higher license. The BFD feature is not supported by a LAN Base (lanbase) package license. For more information, see LAN Base, IP Base, and Enterprise Services Image Support.
For information about which Cisco IOS and IOS XE Software releases are vulnerable, see the Fixed Software section of this advisory.
Determining Whether the BFD Feature Is Enabled
To determine whether the BFD feature is enabled on a device, administrators can use the show running-config | include feature bfd command in privileged EXEC mode. The following example shows the output of the show running-config | include feature bfd command on a Cisco Catalyst Switch that has the BFD feature disabled:

switch# show running-config | include feature bfd platform module all feature bfd disable platform module feature bfd disable platform feature bfd disable feature bfd disable

Empty output from the show running-config | include feature bfd command would indicate that the BFD feature is enabled.
Determining Which Package License Is Enabled
To determine which package license is enabled on a device, administrators can use the show license feature command in privileged EXEC mode. The following example shows the output of the show license feature command on a Cisco Catalyst Switch that has the IP Base (ipbase) package license enabled:

C4500# show license feature

Feature name Enforcement Evaluation Clear Allowed Enabled Right…
——————————————————————————
entservices true true true false true
ipbase true false true true false
lanbase false false true false false
internal_service true false true false false

If a software release does not support the show license feature command, administrators can determine which package license is enabled on a device by identifying the type of software image that is currently running on the device. To identify the type of software image that is running on a device, administrators can use the show version | include image command in privileged EXEC mode. The following example shows the output of the show version | include image command on a Cisco Catalyst Switch that is running a software image that has the LAN Base (lanbase) package license enabled:

C4948E# show version | include image

System image file is “bootflash:cat4500e-lanbasek9-mz.151-2.SG3.bin”

Determining the Cisco IOS Software Release
To determine which Cisco IOS Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS Software, the system banner displays text similar to Cisco Internetwork Operating System Software or Cisco IOS Software. The banner also displays the installed image name in parentheses, followed by the Cisco IOS Software release number and release name. Some Cisco devices do not support the show version command or may provide different output.
The following example shows the output of the command for a device that is running Cisco IOS Software Release 15.5(2)T1 and has an installed image name of C2951-UNIVERSALK9-M:

Router > show version

Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.5(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Mon 22-Jun-15 09:32 by prod_rel_team
.
.
.

For information about the naming and numbering conventions for Cisco IOS Software releases, see the Cisco IOS and NX-OS Software Reference Guide.Determining the Cisco IOS XE Software Release
To determine which Cisco IOS XE Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and then refer to the system banner that appears. If the device is running Cisco IOS XE Software, the system banner displays Cisco IOS Software, Cisco IOS XE Software, or similar text.
The following example shows the output of the command for a device that is running Cisco IOS XE Software Release 16.2.1 and has an installed image name of CAT3K_CAA-UNIVERSALK9-M:

ios-xe-device# show version

Cisco IOS Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version Denali 16.2.1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Sun 27-Mar-16 21:47 by mcpre
.
.
.

For information about the naming and numbering conventions for Cisco IOS XE Software releases, see the Cisco IOS and NX-OS Software Reference Guide.

No other Cisco products are currently known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the Cisco Catalyst 4500 Series Supervisor Engine V-10GE (K2) or the Cisco Catalyst 4948 Switch (K2).
Cisco has also confirmed that this vulnerability does not affect Cisco IOS XR Software or Cisco NX-OS Software.