Vulnerability CVE-2019-1849


Published: 2019-05-15   Modified: 2019-05-16

Description:
A vulnerability in the Border Gateway Patrol (BGP) Multiprotocol Label Switching (MPLS)-based Ethernet VPN (EVPN) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition on an affected device. The vulnerability is due to a logic error that occurs when the affected software processes specific EVPN routing information. An attacker could exploit this vulnerability by injecting malicious traffic patterns into the targeted EVPN network. A successful exploit could result in a crash of the l2vpn_mgr process on Provider Edge (PE) device members of the same EVPN instance (EVI). On each of the affected devices, a crash could lead to system instability and the inability to process or forward traffic through the device, resulting in a DoS condition that would require manual intervention to restore normal operating conditions.

Type:

CWE-754

Vendor: Cisco
Product: Ios xr 
Version:
6.4.1_base
6.2.1
6.1.1
6.1.0

CVSS2 => (AV:A/AC:L/Au:N/C:N/I:N/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.1/10
6.9/10
6.5/10
Exploit range
Attack complexity
Authentication
Adjacent network
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Complete

 References:
http://www.securityfocus.com/bid/108342
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-iosxr-evpn-dos

Related CVE
CVE-2019-1915
A vulnerability in the web-based interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition (SME), Cisco Unified Communications Manager IM and Presence (Unified CM IM&P) Service, and Cisco U...
CVE-2019-15272
A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to bypass security restrictions. The vulnerab...
CVE-2019-15259
A vulnerability in Cisco Unified Contact Center Express (UCCX) Software could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. The vulnerability is due to insufficient input validation of some parameters that ar...
CVE-2019-15256
A vulnerability in the Internet Key Exchange version 1 (IKEv1) feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a reload of an aff...
CVE-2019-12716
A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attac...
CVE-2019-12715
A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attac...
CVE-2019-12713
A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected so...
CVE-2019-12712
A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of the affected so...

Copyright 2019, cxsecurity.com

 

Back to Top