Cyber Resilience

CVE-2017-12319

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 27 March 2018

Modified: 12 January 2026
KEV Added: 03 March 2022
CVSS Score v3.1: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0127 (79.9th percentile)
Risk Priority: 33 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-12319 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Cisco IOS. Its CVSS base score is 5.9 (Medium).

Operationally, it ranks in the top 20.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability in the Border Gateway Protocol (BGP) over Ethernet Virtual Private Network (EVPN) implementation within Cisco IOS XE Software stems from changes in the implementation of the BGP MPLS-Based Ethernet VPN specification (the RFC 7432 draft) between IOS XE software releases. Specifically, the IP address length field can be miscalculated when the device processes an Inclusive Multicast Ethernet Tag Route or EVPN MAC/IP Advertisement Route update packet. This affects all IOS XE releases prior to 16.3 that have BGP EVPN configurations enabled; devices without EVPN configuration are not impacted.

An unauthenticated remote attacker who has already established a BGP session with an affected device can send a crafted BGP update packet to trigger the flaw. Successful exploitation may cause the device to reload, producing a denial-of-service condition, or corrupt the BGP routing table, leading to network instability. The attack requires an existing session and does not involve authentication or user interaction.

Cisco Security Advisory cisco-sa-20171103-bgp and associated bug IDs (CSCui67191, CSCvg52875) recommend upgrading to IOS XE release 16.3 or later for affected BGP EVPN deployments. The vulnerability is also tracked in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed real-world exploitation activity.

EU & UK References

Vulnerability details

A vulnerability in the Border Gateway Protocol (BGP) over an Ethernet Virtual Private Network (EVPN) for Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the device to reload, resulting in a denial of service (DoS) condition, or potentially corrupt the BGP routing table, which could result in network instability. The vulnerability exists due to changes in the implementation of the BGP MPLS-Based Ethernet VPN RFC (RFC 7432) draft between IOS XE software releases. When the BGP Inclusive Multicast Ethernet Tag Route or BGP EVPN MAC/IP Advertisement Route update packet is received, it could be possible that the IP address length field is miscalculated. An attacker could exploit this vulnerability by sending a crafted BGP packet to an affected device after the BGP session was established. An exploit could allow the attacker to cause the affected device to reload or corrupt the BGP routing table; either outcome would result in a DoS. The vulnerability may be triggered when the router receives a crafted BGP message from a peer on an existing BGP session. This vulnerability affects all releases of Cisco IOS XE Software prior to software release 16.3 that support BGP EVPN configurations. If the device is not configured for EVPN, it is not vulnerable. Cisco Bug IDs: CSCui67191, CSCvg52875.

CWE(s)
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cisco · ios · 15.4(1)s
cisco · ios xe · ≤ 16.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely installation of the vendor-supplied IOS XE 16.3+ update that eliminates the BGP EVPN packet-handling flaw.

prevent

Enforces validation of the IP address length field in BGP Inclusive Multicast and MAC/IP Advertisement routes before processing, blocking the crafted packets that trigger the reload or table corruption.

prevent

Disables BGP EVPN configuration on devices that do not require it, eliminating exposure to the vulnerable code path entirely.
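
The length validation named in the controls above, as an added example (not Cisco's fix and not code from this page): it parses one EVPN NLRI of route type 2 or 3 using the field layout in RFC 7432 section 7, as a BGP implementation or monitoring collector might, and rejects any route whose IP Address Length octet disagrees with the bytes actually present. The function names and the sample route are constructed for illustration.

```python
import ipaddress

# Bytes before the IP Address Length octet (layout per RFC 7432 section 7):
# type 2 MAC/IP Advertisement: RD 8 + ESI 10 + Ethernet Tag 4 + MAC len 1 + MAC 6
# type 3 Inclusive Multicast Ethernet Tag: RD 8 + Ethernet Tag 4
PREFIX_LEN = {2: 29, 3: 12}
# Permitted IP Address Length values in bits; type 2 may carry no IP (0).
ALLOWED_IP_BITS = {2: (0, 32, 128), 3: (32, 128)}
# Bytes permitted after the IP: one or two 3-byte MPLS labels, or nothing.
ALLOWED_TRAILER = {2: (3, 6), 3: (0,)}


def validate_evpn_nlri(nlri: bytes) -> dict:
    """Parse one EVPN NLRI (route type 2 or 3); raise ValueError on bad lengths."""
    if len(nlri) < 2:
        raise ValueError("truncated NLRI header")
    rtype, declared, body = nlri[0], nlri[1], nlri[2:]
    if rtype not in PREFIX_LEN:
        raise ValueError(f"route type {rtype} is not covered by this check")
    if declared != len(body):
        raise ValueError("NLRI Length octet does not match bytes present")
    off = PREFIX_LEN[rtype]
    if len(body) <= off:
        raise ValueError("route ends before the IP Address Length octet")
    if rtype == 2 and body[22] != 48:
        raise ValueError("MAC Address Length must be 48 bits")
    ip_bits = body[off]
    if ip_bits not in ALLOWED_IP_BITS[rtype]:
        raise ValueError(f"IP Address Length of {ip_bits} bits is not allowed")
    ip_end = off + 1 + ip_bits // 8
    trailer = len(body) - ip_end  # negative if the declared IP overruns the route
    if trailer not in ALLOWED_TRAILER[rtype]:
        raise ValueError("IP Address Length inconsistent with NLRI length")
    ip = ipaddress.ip_address(body[off + 1:ip_end]) if ip_bits else None
    return {"route_type": rtype, "ip": ip, "labels": trailer // 3}


def sample_type3(ip_bits: int, ip: bytes) -> bytes:
    """Constructed sample: type 3 route with zeroed RD and Ethernet Tag."""
    body = bytes(8) + bytes(4) + bytes([ip_bits]) + ip
    return bytes([3, len(body)]) + body


if __name__ == "__main__":
    print(validate_evpn_nlri(sample_type3(32, bytes([192, 0, 2, 1]))))
    try:
        validate_evpn_nlri(sample_type3(128, bytes([192, 0, 2, 1])))
    except ValueError as err:
        print("rejected:", err)
```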

References