CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:A/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS
Percentile
27.1%
According to its self-reported version, Cisco IOS XR Software is affected by a vulnerability in the Border Gateway Protocol (BGP) Multiprotocol Label Switching (MPLS)-based Ethernet VPN (EVPN) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition on an affected device.
The vulnerability is due to a logic error that occurs when the affected software processes specific EVPN routing information. An attacker could exploit this vulnerability by injecting malicious traffic patterns into the targeted EVPN network. A successful exploit could result in a crash of the l2vpn_mgr process on Provider Edge (PE) device members of the same EVPN instance (EVI). On each of the affected devices, a crash could lead to system instability and the inability to process or forward traffic through the device, resulting in a DoS condition that would require manual intervention to restore normal operating conditions.
Please see the included Cisco BIDs and Cisco Security Advisory for more information
#TRUSTED 48794d48ec5aae797c99786a6482d415c50ed50f79dd312fc284e1644206a43b3a3044b69b12bbcb3ca34933d2dc31cec0c04fff0636ead7c09f8f6185aa3e8284ec8a76888202d129d4a1e6ef42da692324aca712a62492d7b5e7acea3524aa2a31d33c03f6fabd009d0c41977581d4b322aca48b78f678bf7e9eb615f211be2f8943dc9cde7422873c83321fc8977b1d97e5ed9db92672d2b9ec76b2d55b3e0774bd7cb18a5981889199720d58b50f832b8200c0be970959012ea4028c962884442e8d48ef4bd992b2f1e7fadf62f017240684543d5ac846f166bfa99dbc9608f931e3b4f0bd8540c7c3ac6c84a29adbc4b74bcc1f8c080043bf5ac92f5e64fce549a454c946c174a5fe7874dec411f807b487eb38e8c5366be3b26962fe82b1f87110d16629319d7be60e7fc1a118eb70eba1c4546c7dddd01612b52e5be8eda7d4ed3d467475c2d003246a6aa32006db3cdcb7cc6120027a7c0e5175f40236174d010a7612d6e0d264c36fc0d4ab4a672b7c497de08ee525d95865d6e32715f11f8e736da21b3121e9f0b8cbc9b40b3a31378bf72a7944416d63ec62329df03bbb3c51d80e45ea7dcf5250cfdcb7181ea77a2c7cb4aa8598b7e2052d1c020b84d072681b9f852e48a75775cd75f13a84f6751717545a4716bacbe04cfe77760f249548491f5321fcb6576bbeefca737aa9d247e13cb40b1792494426a103
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
script_id(133726);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/05/07");
script_cve_id("CVE-2019-1849");
script_bugtraq_id(108342);
script_xref(name:"CISCO-BUG-ID", value:"CSCvk35997");
script_xref(name:"CISCO-SA", value:"cisco-sa-20190515-iosxr-evpn-dos");
script_name(english:"Cisco IOS XR Software BGP MPLS-Based EVPN Denial of Service Vulnerability (cisco-sa-20190515-iosxr-evpn-dos)");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco IOS XR Software is affected by a vulnerability in the Border Gateway
Protocol (BGP) Multiprotocol Label Switching (MPLS)-based Ethernet VPN (EVPN) implementation of Cisco IOS XR Software
could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition on an affected device.
The vulnerability is due to a logic error that occurs when the affected software processes specific EVPN routing
information. An attacker could exploit this vulnerability by injecting malicious traffic patterns into the targeted
EVPN network. A successful exploit could result in a crash of the l2vpn_mgr process on Provider Edge (PE) device members
of the same EVPN instance (EVI). On each of the affected devices, a crash could lead to system instability and the
inability to process or forward traffic through the device, resulting in a DoS condition that would require manual
intervention to restore normal operating conditions.
Please see the included Cisco BIDs and Cisco Security Advisory for more information");
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-iosxr-evpn-dos
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?79d65f6d");
# https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvk35997
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f37c1289");
script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvk35997");
script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1849");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_cwe_id(754);
script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/16");
script_set_attribute(attribute:"patch_publication_date", value:"2019/05/15");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/18");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:ios_xr");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CISCO");
script_copyright(english:"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("cisco_ios_xr_version.nasl");
script_require_keys("Host/Cisco/IOS-XR/Version");
exit(0);
}
include('cisco_workarounds.inc');
include('ccf.inc');
product_info = cisco::get_product_info(name:'Cisco IOS XR');
var fix = NULL;
// set the fixed display for version 6.1.x and 6.2.x to 6.5.3
// since we can't do this by using version_max and fixed_display as we do with vcf.inc
if (product_info['version'] =~ "^6\.[12]\.")
fix = '6.5.3';
vuln_ranges = [
{'min_ver' : '6.1.0', 'fix_ver' : '6.3.0'},
{'min_ver' : '6.3.0', 'fix_ver' : '6.3.3'},
{'min_ver' : '6.4.0', 'fix_ver' : '6.4.2'},
{'min_ver' : '6.5.0', 'fix_ver' : '6.5.2'},
{'min_ver' : '6.6.0', 'fix_ver' : '6.6.1'}
];
workarounds = make_list(CISCO_WORKAROUNDS['generic_workaround']);
workaround_params = WORKAROUND_CONFIG['BGP_MPLS-based_EVI'];
reporting = make_array(
'port' , product_info['port'],
'severity' , SECURITY_WARNING,
'version' , product_info['version'],
'bug_id' , 'CSCvk35997',
'fix' , fix
);
cisco::check_and_report(
product_info:product_info,
workarounds:workarounds,
workaround_params:workaround_params,
reporting:reporting,
vuln_ranges:vuln_ranges
);
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:A/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS
Percentile
27.1%