CVE-2019-1686

Name of the Vulnerable Software and Affected Versions Cisco IOS XR Software versions 5.1.1 through 6.5.1 Cisco IOS XR Software versions 6.6.0

Description A vulnerability in the TCP flags inspection feature for access control lists (ACLs) on Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to bypass protection offered by a configured ACL on an affected device. The vulnerability is due to incorrect processing of the ACL applied to an interface of an affected device when Cisco Express Forwarding load balancing using the 3-tuple hash algorithm is enabled. An attacker could exploit this vulnerability by sending traffic through an affected device that should otherwise be denied by the configured ACL. An exploit could allow the attacker to bypass protection offered by a configured ACL on the affected device.

Recommendations For Cisco IOS XR Software versions 5.1.1 through 6.5.1, update to version 6.5.2 or later. For Cisco IOS XR Software version 6.6.0, update to version 6.6.1 or later. As a temporary workaround, consider disabling Cisco Express Forwarding load balancing using the 3-tuple hash algorithm until a patch is available.