CVE-2017-12319
Published: 27 March 2018
Summary
CVE-2017-12319 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Cisco IOS. Its CVSS base score is 5.9 (Medium).
Operationally, it ranks in the top 20.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability in the Border Gateway Protocol (BGP) over Ethernet Virtual Private Network (EVPN) implementation within Cisco IOS XE Software stems from changes in the implementation of BGP MPLS-Based Ethernet VPN (RFC 7432) between software releases. Specifically, the IP address length field can be miscalculated when an Inclusive Multicast Ethernet Tag Route or an EVPN MAC/IP Advertisement Route update is processed. This affects all IOS XE releases prior to 16.3 that have BGP EVPN configurations enabled; devices without an EVPN configuration are not affected.
An unauthenticated remote attacker who has already established a BGP session with an affected device can send a crafted BGP update packet to trigger the flaw. Successful exploitation may cause the device to reload, producing a denial-of-service condition, or corrupt the BGP routing table, leading to network instability. The attack requires an existing BGP session but no authentication or user interaction.
Cisco Security Advisory cisco-sa-20171103-bgp and associated bug IDs (CSCui67191, CSCvg52875) recommend upgrading to IOS XE release 16.3 or later for affected BGP EVPN deployments. The vulnerability is also tracked in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed real-world exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-3892
Vulnerability details
A vulnerability in the Border Gateway Protocol (BGP) over an Ethernet Virtual Private Network (EVPN) for Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload, resulting in a denial of service (DoS) condition, or potentially corrupt the BGP routing table, which could result in network instability. The vulnerability exists due to changes in the implementation of the BGP MPLS-Based Ethernet VPN RFC (RFC 7432) draft between IOS XE software releases. When the BGP Inclusive Multicast Ethernet Tag Route or BGP EVPN MAC/IP Advertisement Route update packet is received, it could be possible that the IP address length field is miscalculated. An attacker could exploit this vulnerability by sending a crafted BGP packet to an affected device after the BGP session was established. An exploit could allow the attacker to cause the affected device to reload or corrupt the BGP routing table; either outcome would result in a DoS. The vulnerability may be triggered when the router receives a crafted BGP message from a peer on an existing BGP session. This vulnerability affects all releases of Cisco IOS XE Software prior to software release 16.3 that support BGP EVPN configurations. If the device is not configured for EVPN, it is not vulnerable. Cisco Bug IDs: CSCui67191, CSCvg52875.
- CWE(s): CWE-20 (Improper Input Validation)
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the vendor-supplied IOS XE 16.3+ update that eliminates the BGP EVPN packet-handling flaw.
- SI-10 (Information Input Validation): enforces validation of the IP address length field in BGP Inclusive Multicast Ethernet Tag and MAC/IP Advertisement routes before processing, blocking the crafted updates that trigger the reload or table corruption.
- Disable BGP EVPN configuration on devices that do not require it, eliminating exposure to the vulnerable code path entirely.