CVE-2019-15989

Name of the Vulnerable Software and Affected Versions Cisco IOS XR Software (affected versions not specified)

Description A vulnerability in the implementation of the Border Gateway Protocol (BGP) functionality could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to incorrect processing of a BGP update message that contains a specific BGP attribute. An attacker could exploit this vulnerability by sending BGP update messages that include a specific, malformed attribute to be processed by an affected system. A successful exploit could allow the attacker to cause the BGP process to restart unexpectedly, resulting in a DoS condition. The Cisco implementation of BGP accepts incoming BGP traffic only from explicitly defined peers. To exploit this vulnerability, the malicious BGP update message would need to come from a configured, valid BGP peer or would need to be injected by the attacker into the victim’s BGP network on an existing, valid TCP connection to a BGP peer.

Recommendations Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. As a temporary workaround, consider restricting access to the BGP protocol to minimize the risk of exploitation. Avoid using the BGP update message with the specific, malformed attribute in the affected system until the issue is resolved. Update to the latest software version to resolve the issue.