Software Engineering Institute

Notified:  June 06, 2011 Updated: July 25, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Technical Support Bulletin

July 21, 2011

TSB
2011-118-A                                                                  
SEVERITY:  High – Operational

PRODUCTS AFFECTED:

BigIron RX running all releases.

CORRECTED IN RELEASE:

Will be fixed in RX 2.7.02l, 2.7.03b, and 2.8.00a releases.

Bulletin Overview

BigIron RX switch does not properly restrict packets sent with a source port of 179. Port 179 is commonly used for Border Gateway Protocol (BGP) communication. These packets are allowed through the system. This has been reported by US-CERT http://www.kb.cert.org/vuls/id/853246

Brocade produces and publishes Technical Support Bulletins to OEMs, partners and customers that have a direct, entitled, support relationship in place with Brocade.

Please contact your primary service provider for further information regarding this topic and applicability for your environment.

Problem Statement

BigIron RX switch does not properly restrict packets sent with a source port of 179. Port 179 is commonly used for Border Gateway Protocol (BGP) communication. These packets are allowed through the system. This has been reported by US-CERT http://www.kb.cert.org/vuls/id/853246

The BigIron RX is using internal ACLs to set the priority of BGP traffic that is received on an interface.  This priority is given to traffic sent or received by a peer.  This priority is used internally in the RX when packets
are forwarded both through the switch and to the control CPU.  This is done to prefer BGP control traffic over other non-control traffic.

ACLs are processed using a CAM (Content Addressable Memory) in the RX.  A CAM works by comparing entries sequentially.  The internal ACL is located in the first area of the CAM before user ACLs.  So when a user ACL to deny BGP traffic is added it does not get used because the internal ACL is processed first.

Risk assessment

Some unwanted TCP packets may be forwarded by the BigIron RX.  This could present a security violation for the customer.

Symptoms

ACLs added by the customer to restrict certain types of TCP traffic from being forwarded by the BigIron RX may not work.  For example, if a customer added an ACL to drop all BGP traffic on an interface, it will not work.

Workaround

No workaround.

Corrective Action

Software defect 355173 has been created for this issue.  This fix will be available in the following patch releases; RX 2.8.00a, 2.7.03b, and 2.7.02l.