External risk intelligence

Cisco IOS XE BGP EVPN Vulnerability Can Cause Device Reload or Network Instability

CVE advisory | Known Exploit

CVE-2017-12319

A vulnerability in the BGP over Ethernet VPN (EVPN) implementation of Cisco IOS XE Software could allow an unauthenticated, remote attacker to make an affected device reload or to corrupt its BGP routing table, resulting in a denial of service or network instability. It affects organizations running affected Cisco IOS XE releases with BGP EVPN configured.

Halo Surface Signal: 2

Impact: Denial of Service

Product: Cisco IOS XE

Affected versions: 15.4(1)S before 16.3

External exposure likelihood

Halo Surface Signal score for CVE-2017-12319

The vulnerability is reached through a BGP session that carries the EVPN address family. BGP peering is normally established with known peers over private or dedicated links rather than exposed to the public internet, and a session must already be established before the crafted packet is accepted, so an unsolicited packet from an arbitrary internet host does not suffice. The precondition is nevertheless met by any established EVPN peer, including a compromised peer device or a session with an external party that is not protected by TCP MD5 authentication and filtering of TCP port 179.

Horizon Alert

Summary of the vulnerability and why it matters

The described vulnerability affects Cisco IOS XE Software when BGP is configured over an Ethernet Virtual Private Network (EVPN). The flaw is an improper calculation of the IP address length field when certain BGP EVPN update packets are processed (CWE-20, Improper Input Validation). A remote attacker can trigger it by sending a crafted BGP update over an already established session.

  • Vulnerable component: Cisco IOS XE Software with BGP EVPN
  • Core weakness: Miscalculated IP address length in BGP packets
  • Main business impact: Network instability or denial of service

Attack Path

How an attacker could exploit the issue

An attacker who controls, or has compromised, a BGP peer of an affected device sends a crafted BGP update over the established session. While processing the malformed EVPN update the device miscalculates the IP address length field and either reloads or corrupts its BGP routing table; either outcome disrupts forwarding for the networks the device serves.

  • Reachability to the BGP peering address (TCP port 179) and an established session are required.
  • Attacker sends a crafted BGP EVPN update over that session.
  • Device reloads or its BGP routing table is corrupted.

Live Threat

Current exploitation, exposure, and threat context

Successful exploitation disrupts network operations by reloading the device or corrupting its BGP routing table, which degrades availability for every system whose traffic the device carries. Because the trigger is a crafted BGP packet on an established session, the realistic threat is a peer that is malicious or has been compromised rather than an arbitrary internet host. Organizations running affected Cisco IOS XE releases with BGP EVPN configured should treat this as a significant risk to network stability and follow Cisco's advisory for the current exploitation status.

  • Attacker skill: Moderate
  • Access: Established BGP session
  • Business risk: Network instability

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability could allow an attacker to cause a denial of service or network instability by reloading the device or corrupting its BGP routing table. It affects Cisco IOS XE Software only when BGP EVPN is configured and a BGP session is established, so remediation starts from an inventory of exactly that configuration.

  • Find affected Cisco IOS XE devices: compare the "show version" output with Cisco's list of fixed releases and look for "address-family l2vpn evpn" under "router bgp" in the running configuration ("show bgp l2vpn evpn summary" lists the established EVPN peers).
  • Until patched, reduce who can reach the session: restrict TCP port 179 to known peer addresses, protect each session with TCP MD5 authentication ("neighbor <address> password"), and isolate devices whose EVPN peers are not all trusted.
  • Apply the fixed Cisco IOS XE release and verify it with "show version" after the upgrade.
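As an added example of the first two actions (not a Cisco tool), the Python below takes captured "show version" and "show running-config" text from one device, decides whether the release falls in the affected range stated on this page (15.4(1)S up to but not including 16.3; Cisco's advisory remains authoritative for fixed releases), lists the neighbors activated under address-family l2vpn evpn, and flags EVPN peers whose session has no "neighbor ... password" (TCP MD5) line. Both command outputs are constructed samples modelled on an IOS XE 3.11S router; the function names and peer addresses are this example's own, and peer-group inheritance is not resolved.

```python
# Added example (not Cisco tooling): triage one IOS XE device from captured
# "show version" and "show running-config" text for CVE-2017-12319 exposure.
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected range as stated on this page: 15.4(1)S up to, but not including, 16.3.
# Cisco's advisory and Software Checker are authoritative for fixed releases.
AFFECTED_MIN: Version = (15, 4, 1)
AFFECTED_MAX_EXCL: Version = (16, 3, 0)

# Matches "Version 15.4(1)S" (IOS-style) and "Version 16.3.1" (Denali-style).
_VERSION_RE = re.compile(r"Version (\d+)\.(\d+)(?:\((\d+)\)|\.(\d+))")


def parse_version(show_version: str) -> Optional[Version]:
    """Return the IOS-numbered release. IOS XE 3.x prints its own 03.xx.yy number
    first, so majors below 15 are skipped and the 15.x/16.x line is used."""
    for m in _VERSION_RE.finditer(show_version):
        major, minor = int(m.group(1)), int(m.group(2))
        patch = int(m.group(3) or m.group(4))
        if major >= 15:
            return (major, minor, patch)
    return None


def is_affected(version: Version) -> bool:
    return AFFECTED_MIN <= version < AFFECTED_MAX_EXCL


def bgp_evpn_peers(config: str) -> Dict[str, Dict[str, bool]]:
    """Neighbors activated under 'address-family l2vpn evpn' and whether each has a
    'neighbor X password' line. Assumption: neighbors are configured directly
    (peer-group inheritance is not resolved)."""
    peers: Dict[str, Dict[str, bool]] = {}
    in_bgp, af = False, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("router bgp "):
            in_bgp, af = True, None
            continue
        if not in_bgp:
            continue
        if not raw.startswith(" "):          # any unindented line ends the router bgp block
            in_bgp = False
            continue
        if line.startswith("address-family "):
            af = line[len("address-family "):]
            continue
        if line == "exit-address-family":
            af = None
            continue
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "neighbor":
            peer = peers.setdefault(parts[1], {"password": False, "evpn": False})
            if af is None and parts[2] == "password":
                peer["password"] = True
            if af == "l2vpn evpn" and parts[2] == "activate":
                peer["evpn"] = True
    return {ip: flags for ip, flags in peers.items() if flags["evpn"]}


def assess(show_version: str, config: str) -> Dict[str, object]:
    version = parse_version(show_version)
    peers = bgp_evpn_peers(config)
    affected = version is not None and is_affected(version)
    return {
        "version": version,
        "affected_release": affected,
        "evpn_peers": sorted(peers),
        # exposed only when both page preconditions hold: affected release and BGP EVPN in use
        "exposed": affected and bool(peers),
        # sessions without TCP MD5 are easier for a third party to reset or inject into
        "unauthenticated_peers": sorted(ip for ip, f in peers.items() if not f["password"]),
    }


# Constructed sample output, modelled on IOS XE 3.11S (which reports IOS 15.4(1)S).
SHOW_VERSION = """\
Cisco IOS XE Software, Version 03.11.00.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(1)S, RELEASE SOFTWARE (fc3)
"""

# Constructed sample configuration: two EVPN peers, only the first with TCP MD5.
RUNNING_CONFIG = """\
hostname pe1
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 password 7 094F471A1A0A
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 !
 address-family ipv4
  neighbor 10.255.0.1 activate
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor 10.255.0.1 activate
  neighbor 10.255.0.2 activate
 exit-address-family
!
"""

if __name__ == "__main__":
    print(assess(SHOW_VERSION, RUNNING_CONFIG))
```

Run over a fleet, the "exposed" flag narrows the patch list to devices that meet both preconditions, and "unauthenticated_peers" is the short list to fix first while the upgrade is scheduled.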

Frequently asked questions

What is Cisco IOS XE Software used for?

Cisco IOS XE Software is an operating system used in various Cisco routers and network devices. It powers the routing, switching, and other networking functions that enable data to flow across different networks and the internet.

How does CVE-2017-12319 create a denial of service?

This vulnerability, classified as CWE-20 (Improper Input Validation), arises from a miscalculation in how the software processes certain BGP update packets related to Ethernet VPNs. If an attacker sends a specially crafted packet, it can cause the affected device to reload or corrupt its routing table, disrupting network operations.
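The length-field weakness described in this answer and in the summary above is easiest to see in a parser. The following Python is an added example, not Cisco code and not the vulnerable implementation: it parses the EVPN MAC/IP Advertisement route (route type 2) as laid out in RFC 7432, rejecting any IP Address Length that is not 0, 32 or 128 bits or that does not match the remaining route length, and sets it beside a hypothetical lenient parser that trusts the field. The route bytes are constructed inline; the names parse_evpn_nlri, is_well_formed, parse_mac_ip_lenient and build_mac_ip are this example's own.

```python
# Added example (not Cisco code): strict parsing of BGP EVPN NLRI per RFC 7432,
# beside a hypothetical lenient parser that trusts the IP Address Length field.
import struct
from dataclasses import dataclass
from typing import List, Optional

# RFC 7432 sec. 7.2: IP Address Length is in bits and takes only these values.
MACIP_IP_LEN = {0: 0, 32: 4, 128: 16}   # bits -> octets of IP that follow

class MalformedNLRI(ValueError):
    """Raised instead of guessing when a length field is inconsistent with the data."""

@dataclass
class MacIpRoute:
    rd: bytes
    esi: bytes
    eth_tag: int
    mac: bytes
    ip: bytes
    label1: int
    label2: Optional[int]

def parse_mac_ip(body: bytes) -> MacIpRoute:
    """Type 2: RD(8) ESI(10) EthTag(4) MACLen(1) MAC(6) IPLen(1) IP(0/4/16) Label1(3) [Label2(3)]."""
    if len(body) < 30:
        raise MalformedNLRI("MAC/IP route shorter than its fixed fields")
    if body[22] != 48:
        raise MalformedNLRI(f"unsupported MAC Address Length {body[22]}")
    ip_len = body[29]
    if ip_len not in MACIP_IP_LEN:
        raise MalformedNLRI(f"IP Address Length {ip_len} not in {sorted(MACIP_IP_LEN)}")
    n = MACIP_IP_LEN[ip_len]
    rest = body[30 + n:]
    if len(rest) not in (3, 6):            # exactly one or two 3-octet label fields may follow
        raise MalformedNLRI("route length inconsistent with IP Address Length")
    label1 = int.from_bytes(rest[:3], "big") >> 4       # 20-bit label sits in the high bits
    label2 = int.from_bytes(rest[3:6], "big") >> 4 if len(rest) == 6 else None
    return MacIpRoute(body[0:8], body[8:18], struct.unpack("!I", body[18:22])[0],
                      body[23:29], body[30:30 + n], label1, label2)

def parse_evpn_nlri(buf: bytes) -> List[MacIpRoute]:
    """Walk an EVPN NLRI field: Route Type(1) Length(1) body, repeated."""
    routes, off = [], 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise MalformedNLRI("truncated NLRI header")
        rtype, length = buf[off], buf[off + 1]
        body = buf[off + 2:off + 2 + length]
        if len(body) != length:
            raise MalformedNLRI("NLRI Length runs past the end of the attribute")
        if rtype == 2:
            routes.append(parse_mac_ip(body))
        # other route types are stepped over using their Length field
        off += 2 + length
    return routes

def is_well_formed(buf: bytes) -> bool:
    try:
        parse_evpn_nlri(buf)
        return True
    except MalformedNLRI:
        return False

def parse_mac_ip_lenient(body: bytes) -> MacIpRoute:
    """Hypothetical lenient parser illustrating CWE-20; not Cisco's implementation.
    It derives an octet count from the length field without validating it and never
    checks the remaining length, so a bogus value silently shifts the label read onto
    the wrong octets (in C the same arithmetic becomes an out-of-bounds read)."""
    n = body[29] // 8                      # 8 -> 1 octet, 33 -> 4, 255 -> 31: all accepted
    label1 = int.from_bytes(body[30 + n:33 + n], "big") >> 4
    return MacIpRoute(body[0:8], body[8:18], struct.unpack("!I", body[18:22])[0],
                      body[23:29], body[30:30 + n], label1, None)

def build_mac_ip(ip: bytes, ip_len_field: int, label1: int = 100) -> bytes:
    """Constructed sample type-2 NLRI (RD, ESI and tag zeroed); the length field is written as given."""
    body = (bytes(22) + bytes([48]) + b"\x00\x11\x22\x33\x44\x55"
            + bytes([ip_len_field]) + ip + (label1 << 4).to_bytes(3, "big"))
    return bytes([2, len(body)]) + body

VALID_NLRI = build_mac_ip(b"\x0a\x00\x00\x01", 32)   # 10.0.0.1 with the length in bits, per RFC
CRAFTED_NLRI = build_mac_ip(b"\x0a\x00\x00\x01", 8)  # identical octets, bogus length field
```

Fed the constructed route with its length field set to 8 instead of 32, the strict parser raises MalformedNLRI, whereas the lenient one returns a route whose IP and label come from the wrong octets: a quiet version of the corrupted routing state the page describes, and in a C implementation the same shifted read would run past the buffer.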

What are the preconditions to exploit this BGP vulnerability?

An attacker must first establish a BGP session with the targeted device. Once the session is active, the attacker can then send a crafted BGP packet. This vulnerability is not triggered by simply receiving any BGP message from an unknown source; it requires an existing, established BGP peer relationship.

Who should be concerned about CVE-2017-12319?

Organizations using Cisco IOS XE Software in their network infrastructure should be concerned. While BGP is usually configured between trusted network segments, this vulnerability has an 'Unlikely' Halo Surface Signal because it requires an established BGP session, meaning it's not typically exposed directly to the public internet.

What is the first step for an organization running software affected by CVE-2017-12319?

Consult Cisco's security advisory for this CVE and its list of fixed releases, then plan and apply the software update to every affected device. After the upgrade, verify the running version and confirm that the BGP EVPN sessions re-establish and carry the expected routes.
