CVE-2020-3479

Published: Sep 24, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

A vulnerability in the implementation of Multiprotocol Border Gateway Protocol (MP-BGP) for the Layer 2 VPN (L2VPN) Ethernet VPN (EVPN) address family in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to incorrect processing of Border Gateway Protocol (BGP) update messages that contain crafted EVPN attributes. An attacker could exploit this vulnerability by sending BGP update messages with specific, malformed attributes to an affected device. A successful exploit could allow the attacker to cause an affected device to crash, resulting in a DoS condition.

Affected (2)

Products: Cisco: Ios, Ios Xe

Cisco

2 products

Ios

Ios Xe

Configuration A

2 vulnerable · 24 platform

Vulnerable Software	Affected Versions
Cisco Ios	All versions
Cisco Ios Xe	All versions

Running on/with	Platform Versions
Cisco 1100 Integrated Services Router	All versions
Cisco 1101 Integrated Services Router	All versions
Cisco 1109 Integrated Services Router	All versions
Cisco 1111x Integrated Services Router	All versions
Cisco 111x Integrated Services Router	All versions
Cisco 1120 Integrated Services Router	All versions
Cisco 1160 Integrated Services Router	All versions
Cisco 4221 Integrated Services Router	All versions
Cisco 4321 Integrated Services Router	All versions
Cisco 4331 Integrated Services Router	All versions
Cisco 4351 Integrated Services Router	All versions
Cisco 4431 Integrated Services Router	All versions
Cisco 4451 X Integrated Services Router	All versions
Cisco 4461 Integrated Services Router	All versions
Cisco Asr 1001 Hx	All versions
Cisco Asr 1001 X	All versions
Cisco Asr 1002 Hx	All versions
Cisco Asr 1002 X	All versions
Cisco Asr 1004	All versions
Cisco Asr 1006	All versions
Cisco Asr 1006 X	All versions
Cisco Asr 1009 X	All versions
Cisco Asr 1013	All versions
Cisco Cloud Services Router 1000v	All versions

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-400

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (2)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-bgp-evpn-dos-LNfYJxfF

Source: psirt@cisco.com

Vendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-bgp-evpn-dos-LNfYJxfF

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.