CVE-2019-1849
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/05/2019
Last modified:
09/10/2019
Description
A vulnerability in the Border Gateway Patrol (BGP) Multiprotocol Label Switching (MPLS)-based Ethernet VPN (EVPN) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger a denial of service (DoS) condition on an affected device. The vulnerability is due to a logic error that occurs when the affected software processes specific EVPN routing information. An attacker could exploit this vulnerability by injecting malicious traffic patterns into the targeted EVPN network. A successful exploit could result in a crash of the l2vpn_mgr process on Provider Edge (PE) device members of the same EVPN instance (EVI). On each of the affected devices, a crash could lead to system instability and the inability to process or forward traffic through the device, resulting in a DoS condition that would require manual intervention to restore normal operating conditions.
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM
Base Score 2.0
6.10
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:cisco:ios_xr:*:*:*:*:*:*:*:* | 6.1.0 (including) | 6.3.3 (excluding) |
| cpe:2.3:o:cisco:ios_xr:*:*:*:*:*:*:*:* | 6.4.0 (including) | 6.4.2 (excluding) |
| cpe:2.3:o:cisco:ios_xr:*:*:*:*:*:*:*:* | 6.5.0 (including) | 6.5.2 (excluding) |
| cpe:2.3:o:cisco:ios_xr:*:*:*:*:*:*:*:* | 6.6.0 (including) | 6.6.1 (excluding) |
To consult the complete list of CPE names with products and versions, see this page