Vulnerabilities > CVE-2019-1849 - Improper Check for Unusual or Exceptional Conditions vulnerability in Cisco IOS XR

047910
CVSS 6.5 - MEDIUM
Attack vector
ADJACENT_NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
low complexity
cisco
CWE-754
nessus

Summary

A vulnerability in the Border Gateway Patrol (BGP) Multiprotocol Label Switching (MPLS)-based Ethernet VPN (EVPN) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition on an affected device. The vulnerability is due to a logic error that occurs when the affected software processes specific EVPN routing information. An attacker could exploit this vulnerability by injecting malicious traffic patterns into the targeted EVPN network. A successful exploit could result in a crash of the l2vpn_mgr process on Provider Edge (PE) device members of the same EVPN instance (EVI). On each of the affected devices, a crash could lead to system instability and the inability to process or forward traffic through the device, resulting in a DoS condition that would require manual intervention to restore normal operating conditions.

Nessus

NASL familyCISCO
NASL idCISCO-SA-20190515-IOSXR-EVPN-DOS.NASL
descriptionAccording to its self-reported version, Cisco IOS XR Software is affected by a vulnerability in the Border Gateway Protocol (BGP) Multiprotocol Label Switching (MPLS)-based Ethernet VPN (EVPN) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition on an affected device. The vulnerability is due to a logic error that occurs when the affected software processes specific EVPN routing information. An attacker could exploit this vulnerability by injecting malicious traffic patterns into the targeted EVPN network. A successful exploit could result in a crash of the l2vpn_mgr process on Provider Edge (PE) device members of the same EVPN instance (EVI). On each of the affected devices, a crash could lead to system instability and the inability to process or forward traffic through the device, resulting in a DoS condition that would require manual intervention to restore normal operating conditions. Please see the included Cisco BIDs and Cisco Security Advisory for more information
last seen2020-03-17
modified2020-02-18
plugin id133726
published2020-02-18
reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/133726
titleCisco IOS XR Software BGP MPLS-Based EVPN Denial of Service Vulnerability (cisco-sa-20190515-iosxr-evpn-dos)
code
#TRUSTED 84e3d00764e431b3be33ed7c280b469349bea2257b35a2cc9c82c2076fe7412a2ec9b8652ee91b84e00cb783fde5e42fde0e750fbe848cf2ea36e289d863965b2aa3a2c95d3e113e44ac50c48e20f5efd3300de93d0ae8c06f23b02e51302650b9f484100dac4b1c68490ba9229b4bb600cba5e5cedba378d73e608c6dc794e112e1b73367f131eb9b0a166287eb6b3b7967cf6e6d08f1a1793d792bb688ac2566e52b5c10f69a49487afccb634cb69e45009851a90cf446f54c38ab3dbfaf0f6d83762406c7a5fcd7a0722d6e75c1fd4b3606ea6955860e430ba818761878a0249feb26ab99c0346e4e171b481ee36d2a136156ca33a53650a5e467e74ef1e0b8a7d20f999f543ae4b69088594fa48a10f2d52007cacdafd1b7b83eab0b6d2ebcb855f074dcad04f16097949d8225727e26d17089a6ebce69b1aff1512e06c9de7771864a1a20e15f415ab276269208f3baae7c6169bcce4752bd945cd8346190db0c342ada152e1232101a2ad877075d4922a796777efcdc497f9f377d0c2093d236fd4dddcec7804e86de90ec0365504a2e49b42112dd10a14cff4a3f51c07758bc74678e9c553a150d453705082cb3b5d0784c37efefb93f24457a2bc5ce60e00bfd6a87b9d99c54770283d56d36a07d96b4351a520df7d0b324354cde3fc2f40cdb17122c3a99973d3bdae4a78327b5d7eed01f0e584a0fb13acba54a92
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(133726);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/19");

  script_cve_id("CVE-2019-1849");
  script_bugtraq_id(108342);
  script_xref(name:"CISCO-BUG-ID", value:"CSCvk35997");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20190515-iosxr-evpn-dos");

  script_name(english:"Cisco IOS XR Software BGP MPLS-Based EVPN Denial of Service Vulnerability (cisco-sa-20190515-iosxr-evpn-dos)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XR Software is affected by a vulnerability in the Border Gateway 
Protocol (BGP) Multiprotocol Label Switching (MPLS)-based Ethernet VPN (EVPN) implementation of Cisco IOS XR Software
could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition on an affected device.
The vulnerability is due to a logic error that occurs when the affected software processes specific EVPN routing
information. An attacker could exploit this vulnerability by injecting malicious traffic patterns into the targeted
EVPN network. A successful exploit could result in a crash of the l2vpn_mgr process on Provider Edge (PE) device members
of the same EVPN instance (EVI). On each of the affected devices, a crash could lead to system instability and the
inability to process or forward traffic through the device, resulting in a DoS condition that would require manual 
intervention to restore normal operating conditions.

Please see the included Cisco BIDs and Cisco Security Advisory for more information");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-iosxr-evpn-dos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?79d65f6d");
  # https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk35997
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f37c1289");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvk35997");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1849");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(754);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_ios_xr_version.nasl");
  script_require_keys("Host/Cisco/IOS-XR/Version");

  exit(0);
}

include('cisco_workarounds.inc');
include('ccf.inc');

product_info = cisco::get_product_info(name:'Cisco IOS XR');

var fix = NULL;
// set the fixed display for version 6.1.x and 6.2.x to 6.5.3 
// since we can't do this by using version_max and fixed_display as we do with vcf.inc
if (product_info['version'] =~ "^6\.[12]\.") fix = '6.5.3';

vuln_ranges =
  [ {'min_ver' : '6.1.0', 'fix_ver' : '6.3.0'},
    {'min_ver' : '6.3.0', 'fix_ver' : '6.3.3'},
    {'min_ver' : '6.4.0', 'fix_ver' : '6.4.2'},
    {'min_ver' : '6.5.0', 'fix_ver' : '6.5.2'},
    {'min_ver' : '6.6.0', 'fix_ver' : '6.6.1'}
  ];

workarounds = make_list(CISCO_WORKAROUNDS['BGP_MPLS-based_EVI']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info['version'],
  'bug_id'   , 'CSCvk35997',
  'fix'      , fix
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_ranges:vuln_ranges
);