Notified:  June 06, 2011 Updated: July 25, 2011

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Technical Support Bulletin July 21, 2011 TSB 2011-118-A                                                                   SEVERITY:  High – Operational PRODUCTS AFFECTED: BigIron RX running all releases. CORRECTED IN RELEASE: Will be fixed in RX 2.7.02l, 2.7.03b, and 2.8.00a releases. Bulletin Overview BigIron RX switch does not properly restrict packets sent with a source port of 179. Port 179 is commonly used for Border Gateway Protocol (BGP) communication. These packets are allowed through the system. This has been reported by US-CERT http://www.kb.cert.org/vuls/id/853246 Brocade produces and publishes Technical Support Bulletins to OEMs, partners and customers that have a direct, entitled, support relationship in place with Brocade. Please contact your primary service provider for further information regarding this topic and applicability for your environment. Problem Statement BigIron RX switch does not properly restrict packets sent with a source port of 179. Port 179 is commonly used for Border Gateway Protocol (BGP) communication. These packets are allowed through the system. This has been reported by US-CERT http://www.kb.cert.org/vuls/id/853246 The BigIron RX is using internal ACLs to set the priority of BGP traffic that is received on an interface.  This priority is given to traffic sent or received by a peer.  This priority is used internally in the RX when packets are forwarded both through the switch and to the control CPU.  This is done to prefer BGP control traffic over other non-control traffic. ACLs are processed using a CAM (Content Addressable Memory) in the RX.  A CAM works by comparing entries sequentially.  The internal ACL is located in the first area of the CAM before user ACLs.  So when a user ACL to deny BGP traffic is added it does not get used because the internal ACL is processed first. Risk assessment Some unwanted TCP packets may be forwarded by the BigIron RX.  This could present a security violation for the customer. Symptoms ACLs added by the customer to restrict certain types of TCP traffic from being forwarded by the BigIron RX may not work.  For example, if a customer added an ACL to drop all BGP traffic on an interface, it will not work. Workaround No workaround. Corrective Action Software defect 355173 has been created for this issue.  This fix will be available in the following patch releases; RX 2.8.00a, 2.7.03b, and 2.7.02l.