What is Cisco IOS XR and BGP?
Cisco IOS XR is the operating system for Cisco's carrier-grade routers — the ASR 9000, CRS, and similar platforms that form the backbone of internet service providers, mobile carriers, and large enterprise networks. Unlike the original Cisco IOS used in enterprise switches and routers, IOS XR is a microkernel-based system designed for non-stop forwarding (NSF) and high availability in telecommunications infrastructure. BGP (Border Gateway Protocol) is the routing protocol that governs how traffic flows between autonomous systems on the internet — every ISP, cloud provider, and large enterprise uses BGP. Vulnerabilities that can crash BGP processes on carrier-grade IOS XR routers represent threats to internet backbone stability and regional connectivity.
Overview
CVE-2010-3035 is a high-severity denial-of-service vulnerability (CVSS 7.5) in Cisco IOS XR when BGP routing is configured. A remote attacker can send specially crafted BGP UPDATE messages to cause the routing process to crash, disrupting BGP sessions and potentially causing network outages. This is the second BGP DoS vulnerability in Cisco IOS XR added to the CISA KEV catalog — the earlier CVE-2009-2055 addressed a similar BGP UPDATE processing flaw discovered in 2009. CISA added CVE-2010-3035 and CVE-2009-2055 simultaneously in March 2022, reflecting continued concern about legacy carrier infrastructure running unpatched IOS XR.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Cisco IOS XR 3.4.x | Affected | Apply Cisco Security Advisory patch |
| Cisco IOS XR 3.6.x | Affected | Apply Cisco Security Advisory patch |
| Cisco IOS XR 3.8.x | Affected | Apply Cisco Security Advisory patch |
| Cisco IOS XR 3.9.x | Affected | Apply Cisco Security Advisory patch |
Note: Only devices configured with BGP as the routing protocol are affected. Cisco IOS XR devices without BGP are not vulnerable.
Technical Details
The vulnerability exists in Cisco IOS XR's BGP UPDATE message processing code. BGP UPDATE messages are used between BGP peers to advertise new routes or withdraw previously announced routes. Each UPDATE message contains Network Layer Reachability Information (NLRI) — the route prefixes being advertised — along with path attributes describing the route's characteristics.
The IOS XR BGP process does not adequately validate certain attribute combinations or field values in BGP UPDATE messages. A crafted UPDATE message containing specific malformed content triggers an error condition in the routing process that causes it to crash and restart. Because BGP processes in IOS XR manage established peer sessions and the router's routing table, a crash causes:
- All established BGP sessions to drop
- A BGP reconvergence period during which the router cannot forward traffic correctly
- Potential black-holing of traffic until sessions re-establish and the routing table repopulates
Unlike BGP route hijacking, which requires BGP peering, whether an attacker must be an established BGP peer to deliver a crafted UPDATE depends on the specific IOS XR configuration. Configurations that accept BGP sessions from a broad range of peers increase exploitability.
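The UPDATE layout described above (withdrawn routes, path attributes, NLRI) can be checked structurally before any attribute is interpreted. The following is an added example, not Cisco's code and not the specific malformed content behind CVE-2010-3035, which this page does not describe; it applies the generic RFC 4271 length checks to IPv4 UPDATE messages, and the function names and sample bytes are constructed for illustration.

```python
import struct

HEADER_LEN, MAX_LEN, TYPE_UPDATE = 19, 4096, 2   # RFC 4271 section 4.1

def check_prefixes(buf, label, errors):
    """Walk <length-in-bits, prefix> tuples (IPv4 withdrawn routes or NLRI)."""
    i = 0
    while i < len(buf):
        nbytes = (buf[i] + 7) // 8
        if buf[i] > 32 or i + 1 + nbytes > len(buf):
            errors.append(f"{label}: bad or truncated prefix at offset {i}")
            return
        i += 1 + nbytes

def validate_update(msg):
    """Return a list of structural errors; an empty list means well-formed."""
    if len(msg) < HEADER_LEN + 4:
        return ["message shorter than minimum UPDATE"]
    marker, length, mtype = struct.unpack("!16sHB", msg[:HEADER_LEN])
    if (marker != b"\xff" * 16 or mtype != TYPE_UPDATE
            or length != len(msg) or length > MAX_LEN):
        return ["bad marker, message type or length field"]
    body, errors = msg[HEADER_LEN:], []
    wlen = struct.unpack("!H", body[:2])[0]
    if 4 + wlen > len(body):
        return ["withdrawn routes length overruns message"]
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    if 4 + wlen + alen > len(body):
        return ["total path attribute length overruns message"]
    check_prefixes(body[2:2 + wlen], "withdrawn", errors)
    attrs, i = body[4 + wlen:4 + wlen + alen], 0
    while i < len(attrs):
        hdr = 4 if attrs[i] & 0x10 else 3          # extended-length flag
        if i + hdr > len(attrs):
            return errors + ["attribute header truncated"]
        vlen = struct.unpack("!H", attrs[i + 2:i + 4])[0] if hdr == 4 else attrs[i + 2]
        if i + hdr + vlen > len(attrs):
            return errors + [f"attribute type {attrs[i + 1]} length overruns attribute block"]
        i += hdr + vlen
    check_prefixes(body[4 + wlen + alen:], "nlri", errors)
    return errors

def make_update(attrs, nlri):                      # frames a constructed UPDATE, no withdrawn routes
    body = b"\x00\x00" + struct.pack("!H", len(attrs)) + attrs + nlri
    return b"\xff" * 16 + struct.pack("!HB", HEADER_LEN + len(body), TYPE_UPDATE) + body

# Constructed samples: ORIGIN, empty AS_PATH, NEXT_HOP 192.0.2.1, NLRI 203.0.113.0/24
ATTRS = bytes([0x40, 1, 1, 0, 0x40, 2, 0, 0x40, 3, 4, 192, 0, 2, 1])
GOOD = make_update(ATTRS, bytes([24, 203, 0, 113]))
BAD = make_update(ATTRS[:9] + b"\x09" + ATTRS[10:], bytes([24, 203, 0, 113]))  # NEXT_HOP claims 9 bytes
```

A parser that rejects the message at the first failed bounds check, rather than continuing with inconsistent lengths, is what "adequate validation" amounts to at this layer.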
Discovery
The vulnerability was identified during security research and testing of Cisco IOS XR BGP implementations. Cisco published a security advisory in August 2010 and released patches for affected IOS XR versions. CVE-2010-3035 falls in the same vulnerability class as CVE-2009-2055, suggesting that the fix for the earlier vulnerability did not fully address all malformed UPDATE processing paths.
Exploitation Context
BGP denial-of-service attacks against carrier infrastructure carry significant real-world impact:
- Carrier infrastructure targeting: IOS XR runs on routers carrying internet backbone traffic for major ISPs and telecommunications companies. A successful DoS attack against a carrier's BGP routers can cause regional internet outages affecting millions of users.
- Nation-state interest: BGP infrastructure is a high-priority target for nation-state actors seeking to disrupt communications. The KEV addition reflects CISA's assessment that this vulnerability in legacy IOS XR remains exploitable and of interest to sophisticated threat actors.
- Long upgrade cycles: Carrier-grade routers running IOS XR have notoriously long software upgrade cycles due to maintenance window constraints, qualification requirements, and service continuity concerns. IOS XR 3.x remained in production at some carriers well beyond its support lifecycle.
- Chaining with BGP hijacking: Crashing a competitor's or target's BGP processes could be a precursor to traffic interception or redirection, complementing other network-layer attacks.
- Simultaneous KEV addition with CVE-2009-2055: CISA's decision to add both CVE-2009-2055 and CVE-2010-3035 on the same date suggests intelligence or threat data indicating active exploitation of IOS XR BGP vulnerabilities against carrier infrastructure.
Remediation
- Apply Cisco Security Advisory patch: Install the IOS XR software update specified in the Cisco security advisory for CVE-2010-3035.
- Upgrade IOS XR: IOS XR 3.x is end-of-life. Upgrade to a supported IOS XR release on supported hardware.
- BGP peer authentication: Enable BGP MD5 session authentication with all peers. While not a substitute for the patch, MD5 authentication prevents unauthenticated BGP sessions from delivering malformed UPDATE messages.
- BGP prefix filtering: Deploy ingress BGP UPDATE filtering using prefix lists and maximum-prefix limits to reduce the attack surface from untrusted BGP peers.
- Network access control: Restrict BGP TCP connections (port 179) at the router and perimeter to known BGP peer IP addresses only.
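The peer-level controls in this list (session password, inbound filtering, maximum-prefix) can be audited from a saved running configuration. The following is an added example, not a Cisco tool: the configuration text is constructed, it assumes the one-space-per-level indentation of IOS XR `show running-config` output, and it does not resolve settings inherited from neighbor-groups.

```python
import re

# Constructed IOS XR-style BGP stanza (documentation ASNs and addresses).
SAMPLE_CONFIG = """\
router bgp 64500
 neighbor 192.0.2.1
  remote-as 64501
  password encrypted 0123456789ABCDEF
  address-family ipv4 unicast
   route-policy PEER-A-IN in
   maximum-prefix 1000 75
 neighbor 192.0.2.9
  remote-as 64502
  address-family ipv4 unicast
   route-policy PEER-B-OUT out
"""

# Finding text -> pattern whose presence in a neighbor stanza clears the finding.
CHECKS = {
    "no session password (MD5 authentication)": re.compile(r"^password\s"),
    "no inbound route-policy (prefix filtering)": re.compile(r"^route-policy\s+\S+\s+in$"),
    "no maximum-prefix limit": re.compile(r"^maximum-prefix\s+\d+"),
}

def audit_bgp_neighbors(config):
    """Map each BGP neighbor to the hardening controls missing from its stanza."""
    seen, current, in_bgp = {}, None, False
    for raw in config.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if not line or line.startswith("!"):
            continue
        if indent == 0:                       # new top-level block
            in_bgp, current = line.startswith("router bgp "), None
        elif in_bgp and indent == 1:          # direct child of "router bgp"
            m = re.match(r"neighbor\s+(\S+)$", line)
            current = m.group(1) if m else None
            if current:
                seen[current] = set()
        elif in_bgp and current:              # line inside the neighbor stanza
            seen[current].update(n for n, rx in CHECKS.items() if rx.search(line))
    return {nbr: sorted(set(CHECKS) - found) for nbr, found in seen.items()}
```

Neighbors that map to an empty list have all three controls configured directly; any other entry lists what to add before the peer is considered hardened.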
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2010-3035 |
| Vendor / Product | Cisco — IOS XR |
| NVD Published | 2010-08-30 |
| NVD Last Modified | 2026-01-12 |
| CVSS 3.1 Score | 7.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Severity | HIGH |
| CISA KEV Added | 2022-03-25 |
| CISA KEV Deadline | 2022-04-15 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2010-08-26 | Cisco published Security Advisory for CVE-2010-3035 addressing BGP UPDATE DoS in IOS XR |
| 2010-08-30 | CVE-2010-3035 published |
| 2022-03-25 | CISA added CVE-2010-3035 to KEV alongside its sibling BGP vulnerability CVE-2009-2055; both Cisco IOS XR BGP DoS issues were added simultaneously |
| 2022-04-15 | CISA BOD 22-01 remediation deadline |