7.4

CVE-2019-16018

A vulnerability in the implementation of Border Gateway Protocol (BGP) Ethernet VPN (EVPN) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to incorrect processing of a BGP update message that contains crafted EVPN attributes. An attacker could indirectly exploit the vulnerability by sending BGP EVPN update messages with a specific, malformed attribute to an affected system and waiting for a user on the device to display the EVPN operational routes’ status. If successful, the attacker could cause the BGP process to restart unexpectedly, resulting in a DoS condition. The Cisco implementation of BGP accepts incoming BGP traffic only from explicitly defined peers. To exploit this vulnerability, the malicious BGP update message would need to come from a configured, valid BGP peer, or would need to be injected by the attacker into the victim's BGP network on an existing, valid TCP connection to a BGP peer.

Data is provided by the National Vulnerability Database (NVD)
CiscoIos Xr Version6.6.1
   CiscoAsr 9000v Version- HwPlatformx64
   CiscoAsr 9001 Version- HwPlatformx64
   CiscoAsr 9006 Version- HwPlatformx64
   CiscoAsr 9010 Version- HwPlatformx64
   CiscoAsr 9901 Version- HwPlatformx64
   CiscoAsr 9904 Version- HwPlatformx64
   CiscoAsr 9906 Version- HwPlatformx64
   CiscoAsr 9910 Version- HwPlatformx64
   CiscoAsr 9912 Version- HwPlatformx64
   CiscoAsr 9922 Version- HwPlatformx64
   CiscoNcs 540 Version-
   CiscoNcs 5501 Version-
   CiscoNcs 5501-se Version-
   CiscoNcs 5502 Version-
   CiscoNcs 5502-se Version-
   CiscoNcs 5508 Version-
   CiscoNcs 5516 Version-
   CiscoNcs 6000 Version-
CiscoIos Xr Version6.6.2
   CiscoAsr 9000v Version-
   CiscoAsr 9000v Version- HwPlatformx64
   CiscoAsr 9001 Version-
   CiscoAsr 9001 Version- HwPlatformx64
   CiscoAsr 9006 Version-
   CiscoAsr 9006 Version- HwPlatformx64
   CiscoAsr 9010 Version-
   CiscoAsr 9010 Version- HwPlatformx64
   CiscoAsr 9901 Version-
   CiscoAsr 9901 Version- HwPlatformx64
   CiscoAsr 9904 Version-
   CiscoAsr 9904 Version- HwPlatformx64
   CiscoAsr 9906 Version-
   CiscoAsr 9906 Version- HwPlatformx64
   CiscoAsr 9910 Version-
   CiscoAsr 9910 Version- HwPlatformx64
   CiscoAsr 9912 Version-
   CiscoAsr 9912 Version- HwPlatformx64
   CiscoAsr 9922 Version-
   CiscoAsr 9922 Version- HwPlatformx64
   CiscoCrs Version-
   CiscoNcs 5501 Version-
   CiscoNcs 5501-se Version-
   CiscoNcs 5502 Version-
   CiscoNcs 5502-se Version-
   CiscoNcs 5508 Version-
   CiscoNcs 5516 Version-
   CiscoXrv 9000 Version-
CiscoIos Xr Version6.6.25
   CiscoNcs 540 Version-
   CiscoNcs 540l Version-
   CiscoNcs 5501 Version-
   CiscoNcs 5501-se Version-
   CiscoNcs 5502 Version-
   CiscoNcs 5502-se Version-
   CiscoNcs 5508 Version-
   CiscoNcs 5516 Version-
   CiscoNcs 560 Version-
   CiscoNcs 6000 Version-
CiscoIos Xr Version7.0.1
   CiscoAsr 9000v Version- HwPlatformx64
   CiscoAsr 9001 Version- HwPlatformx64
   CiscoAsr 9006 Version- HwPlatformx64
   CiscoAsr 9010 Version- HwPlatformx64
   CiscoAsr 9901 Version- HwPlatformx64
   CiscoAsr 9904 Version- HwPlatformx64
   CiscoAsr 9906 Version- HwPlatformx64
   CiscoAsr 9910 Version- HwPlatformx64
   CiscoAsr 9912 Version- HwPlatformx64
   CiscoAsr 9922 Version- HwPlatformx64
   CiscoNcs 1001 Version-
   CiscoNcs 1002 Version-
   CiscoNcs 1004 Version-
   CiscoNcs 5001 Version-
   CiscoNcs 5002 Version-
   CiscoNcs 540 Version-
   CiscoNcs 540l Version-
   CiscoNcs 5501 Version-
   CiscoNcs 5501-se Version-
   CiscoNcs 5502 Version-
   CiscoNcs 5502-se Version-
   CiscoNcs 5508 Version-
   CiscoNcs 5516 Version-
   CiscoNcs 560 Version-
   CiscoNcs 6000 Version-
   CiscoXrv 9000 Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 1.92% 0.826
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:N/A:P
psirt@cisco.com 7.4 2.8 4
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.