PT-2009-4508 · Cisco · Cisco IOS XR

Published 2009-08-18 · Updated 2025-10-22 · CVE-2009-2055

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Cisco IOS XR versions 3.4.0 through 3.8.1

Description: The issue allows remote attackers to cause a denial of service (session reset) via a BGP UPDATE message with an invalid attribute. This was demonstrated in the wild on 17 August 2009. The vulnerability manifests when a BGP peer announces a prefix with a specific invalid attribute, causing the Cisco IOS XR device to reset the peering session. In addition, the Cisco IOS XR BGP process may crash when it sends an overly long BGP UPDATE message or constructs a BGP UPDATE with a large number of AS prepends.

Recommendations: For Cisco IOS XR versions 3.4.0 through 3.8.1, apply the free software maintenance upgrade (SMU) released by Cisco to address these vulnerabilities. Until the SMU is applied, use the workarounds that mitigate these vulnerabilities, such as restricting BGP UPDATE messages or limiting the number of AS prepends.
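As an added example that is not part of this advisory or of Cisco's code: a defensive parser for the path-attribute section of a BGP UPDATE that checks every declared length against its enclosing section before using it and counts AS_PATH hops against a local ceiling, the kind of check behind the workarounds above (restricting UPDATE messages, limiting AS prepends). It assumes 2-byte ASNs, an illustrative max_hops of 64, and a constructed sample message built by build_update.

```python
import struct

AS_PATH = 2      # path attribute type code (RFC 4271)
EXT_LEN = 0x10   # attribute flag: the length field is 2 bytes, not 1

def _take(buf, fmt, off, limit):
    """Unpack `fmt` at `off`, refusing to read past `limit`."""
    size = struct.calcsize(fmt)
    if off + size > limit:
        raise ValueError(f"field at offset {off} overruns its section")
    return struct.unpack_from(fmt, buf, off), off + size

def audit_update(body, max_hops=64):
    """Parse the path attributes of a BGP UPDATE body (bytes after the 19-byte
    header). Each declared length is bounded by its section, so a malformed
    attribute raises ValueError instead of corrupting parser state; AS_PATH
    hops are counted against max_hops (an assumed policy value). 2-byte ASNs."""
    (wlen,), off = _take(body, "!H", 0, len(body))
    off += wlen                                   # skip withdrawn routes
    (alen,), off = _take(body, "!H", off, len(body))
    end = off + alen
    if end > len(body):
        raise ValueError("total path attribute length overruns message")
    attrs = {}
    while off < end:                              # flags, type, length, value
        (flags, code), off = _take(body, "!BB", off, end)
        (vlen,), off = _take(body, "!H" if flags & EXT_LEN else "!B", off, end)
        if off + vlen > end:
            raise ValueError(f"attribute {code} length {vlen} overruns section")
        attrs[code] = body[off:off + vlen]
        off += vlen
    path, p, hops = attrs.get(AS_PATH, b""), 0, 0
    while p < len(path):                          # segment: type, count, ASNs
        (_, count), p = _take(path, "!BB", p, len(path))
        if p + 2 * count > len(path):
            raise ValueError("AS_PATH segment overruns attribute")
        hops, p = hops + count, p + 2 * count
    return {"attrs": attrs, "as_hops": hops, "too_many_hops": hops > max_hops}

def build_update(prepends, bad_len=None):
    """Constructed sample: announce 10.0.0.0/8 with ORIGIN=IGP, NEXT_HOP 192.0.2.1
    and an AS_PATH of `prepends` copies of ASN 64512; bad_len forges the length."""
    origin = bytes([0x40, 1, 1, 0])
    seg = struct.pack("!BB", 2, prepends) + struct.pack("!H", 64512) * prepends
    as_path = struct.pack("!BBH", 0x50, AS_PATH, len(seg) if bad_len is None else bad_len) + seg
    next_hop = bytes([0x40, 3, 4, 192, 0, 2, 1])
    attrs = origin + as_path + next_hop
    return struct.pack("!HH", 0, len(attrs)) + attrs + bytes([8, 10])
```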

Tags: Fix · DoS · RCE

Related Identifiers: CVE-2009-2055

Affected Products: Cisco IOS XR