Vulnerabilities > CVE-2019-15989 - Improper Check for Unusual or Exceptional Conditions vulnerability in Cisco IOS XR

047910
CVSS 8.6 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
cisco
CWE-754
nessus

Summary

A vulnerability in the implementation of the Border Gateway Protocol (BGP) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to incorrect processing of a BGP update message that contains a specific BGP attribute. An attacker could exploit this vulnerability by sending BGP update messages that include a specific, malformed attribute to be processed by an affected system. A successful exploit could allow the attacker to cause the BGP process to restart unexpectedly, resulting in a DoS condition. The Cisco implementation of BGP accepts incoming BGP traffic only from explicitly defined peers. To exploit this vulnerability, the malicious BGP update message would need to come from a configured, valid BGP peer or would need to be injected by the attacker into the victim’s BGP network on an existing, valid TCP connection to a BGP peer.

Nessus

NASL familyCISCO
NASL idCISCO-SA-20200122-IOS-XR-BGP-DOS.NASL
descriptionAccording to its self-reported version, Cisco IOS XR Software is affected by a denial of service vulnerability. A remote attacker could exploit this vulnerability by sending specially crafted BGP update messages, which could cause the BGP process to restart, resulting in a denial of service. Please see the included Cisco BIDs and Cisco Security Advisory for more information
last seen2020-06-01
modified2020-06-02
plugin id133408
published2020-01-31
reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/133408
titleCisco IOS XR Software Border Gateway Protocol Denial of Service Vulnerability (cisco-sa-20200122-ios-xr-bgp-dos)
code
#TRUSTED 669c769d2a82bac427366d58b26534daefb3a70f423da5c2d20597a3839d145556e663c4cc087e4fe4321f311290cf07b2a6f48739b3f5d9dea54d8bb461d24ae5ab956e65027a5435381438482831a0422ae4b1cb08799b5a9d7c00ea87a4c847ec2df360e12adeddbc941f0c5710c3c736bb5193de59c593b8185f4e117e6a1f984e995f79c3f6269dd19bdc2ebe0bc4c198ee75809f651e196cd4219221bb6b7de4a8da3f2ced9f2ae6c7e6104da5ceda46c4442f642ffe68bcc0e73c63392732a58691ef6ca6d87eb3362a2562e2cb204099cef724dab3ec4f5043dd958f223186f8cda98eafed33f82c7a6f0d74e72be932c8e61ea5d3c02748049a0713b49cf54643846bc23fa10e4ae03bb6cd25d8365553b97c004e5a054621fe98e7417fc2f009083de3a707ccc0c5ff444ba1a0df429e90cc02530264c2738e7b39279727b9f1cbc3c2aa15be86e8b5d103f3ea5338b6f15651e0605f73658145845a1348b755f1f66e907a40b8833b53c15f29ff6c7e880334a597890ac0a336c1bbc8165b7b7207e0486fb3074e6e7fab9e2ac6a377ac62f6bf11d725ea364dbf75a7455478599543f406d3be7a734bd7017fac13b608b519313be2db7d18193bbf93ab44e1637beead6bb033caab9e93a8850f0f2fa8c2bc3479c979368098c42b8293bbc61de003fc1dea2a98719e43af8cf6733e169c0044f6963024e86fe6
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(133408);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/26");

  script_cve_id("CVE-2019-15989");
  script_bugtraq_id(109043);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvr69950");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20200122-ios-xr-bgp-dos");
  script_xref(name:"IAVA", value:"2020-A-0041-S");

  script_name(english:"Cisco IOS XR Software Border Gateway Protocol Denial of Service Vulnerability (cisco-sa-20200122-ios-xr-bgp-dos)");
  script_summary(english:"Checks the version of Cisco IOS XR Software");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XR Software is affected by a denial of service vulnerability. 
A remote attacker could exploit this vulnerability by sending specially crafted BGP update messages, which could
cause the BGP process to restart, resulting in a denial of service.

Please see the included Cisco BIDs and Cisco Security Advisory for more information");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200122-ios-xr-bgp-dos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?93dce29c");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr69950");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvr69950");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-15989");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/22");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/01/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/31");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xr_version.nasl");
  script_require_keys("Host/Cisco/IOS-XR/Version", "Settings/ParanoidReport");

  exit(0);
}

include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:"Cisco IOS XR");
if (report_paranoia < 2) audit(AUDIT_PARANOID);

vuln_ranges = [
  {'min_ver' : '7.0.0',  'fix_ver' : '7.0.2'},
  {'min_ver' : '7.1.0',  'fix_ver' : '7.1.1'},
  {'min_ver' : '7.2.0',  'fix_ver' : '7.2.1'}
];

workarounds = make_list(CISCO_WORKAROUNDS['router_bgp']);
workaround_params = make_list();

reporting = make_array(
'port'     , 0,
'severity' , SECURITY_WARNING,
'version'  , product_info['version'],
'bug_id'   , 'CSCvr69950'
);

cisco::check_and_report(
    product_info:product_info,
    workarounds:workarounds,
    workaround_params:workaround_params,
    reporting:reporting,
    vuln_ranges:vuln_ranges
  );