Cisco IOS XR Software BGP EVPN Denial of Service Vulnerabilities
Understanding CVE-2019-16021
Multiple vulnerabilities in the implementation of Border Gateway Protocol (BGP) Ethernet VPN (EVPN) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
What is CVE-2019-16021?
The vulnerabilities in Cisco IOS XR Software are due to incorrect processing of BGP update messages that contain crafted EVPN attributes. An attacker could exploit them by sending BGP EVPN update messages with malformed attributes to an affected system. The BGP process then restarts unexpectedly, resulting in a DoS condition.
The Impact of CVE-2019-16021
Technical Details of CVE-2019-16021
Vulnerability Description
The vulnerabilities are caused by incorrect handling of BGP update messages that contain manipulated EVPN attributes, which allows an attacker to trigger a DoS condition.
Affected Systems and Versions
Exploitation Mechanism
To exploit these vulnerabilities, the attacker needs to send BGP EVPN update messages with modified attributes to a vulnerable system, potentially causing the BGP process to restart unexpectedly.
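Since the weakness is in how attribute contents of BGP EVPN updates are processed, the following added example (not Cisco's code and not taken from the advisory) shows bounds-checked parsing of an UPDATE's path attributes and EVPN NLRI, where any inconsistent length raises an error instead of being read past. The page does not say which malformation triggers the restart; the function names and the constructed sample bytes are assumptions, and the field layouts follow RFC 4271, RFC 4760 and RFC 7432.

```python
import struct

AFI_L2VPN, SAFI_EVPN = 25, 70           # EVPN address family (RFC 7432)
MP_REACH_NLRI, EXT_LEN_FLAG = 14, 0x10  # attribute type 14; flag for 2-byte length

class MalformedUpdate(ValueError):
    """Raised instead of reading past a declared or actual boundary."""

def take(buf, off, n, what):
    # Every read goes through this check, so a bad length can never over-read.
    if off + n > len(buf):
        raise MalformedUpdate(f"{what}: need {n} bytes, have {len(buf) - off}")
    return buf[off:off + n], off + n

def parse_path_attributes(attrs):
    """Split the path-attribute block of an UPDATE into (type, value) pairs."""
    out, off = [], 0
    while off < len(attrs):
        hdr, off = take(attrs, off, 2, "attribute header")
        flags, atype = hdr
        raw, off = take(attrs, off, 2 if flags & EXT_LEN_FLAG else 1, "attribute length")
        value, off = take(attrs, off, int.from_bytes(raw, "big"), f"attribute {atype}")
        out.append((atype, value))
    return out

def parse_evpn_routes(mp_reach):
    """Return [(route_type, body)] from an MP_REACH_NLRI value carrying EVPN."""
    head, off = take(mp_reach, 0, 4, "MP_REACH header")
    afi, safi, nh_len = struct.unpack("!HBB", head)
    if (afi, safi) != (AFI_L2VPN, SAFI_EVPN):
        return []                       # not EVPN, nothing to parse here
    _, off = take(mp_reach, off, nh_len, "next hop")
    _, off = take(mp_reach, off, 1, "reserved octet")
    routes = []
    while off < len(mp_reach):
        hdr, off = take(mp_reach, off, 2, "EVPN NLRI header")
        body, off = take(mp_reach, off, hdr[1], f"EVPN route type {hdr[0]}")
        routes.append((hdr[0], body))
    return routes

def evpn_routes_in_update(attrs):
    return [r for t, v in parse_path_attributes(attrs)
            if t == MP_REACH_NLRI for r in parse_evpn_routes(v)]

def sample_attrs(declared_len=17):
    # Constructed sample: one route type 3 NLRI (RD, tag, IPv4 originator).
    body = bytes(12) + b"\x20" + bytes([192, 0, 2, 1])
    mp = (struct.pack("!HBB", AFI_L2VPN, SAFI_EVPN, 4) + bytes([192, 0, 2, 1])
          + b"\x00" + bytes([3, declared_len]) + body)
    return bytes([0x80, MP_REACH_NLRI, len(mp)]) + mp
```

The parser enforces only length consistency; it does not validate the per-route-type field layout.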
Mitigation and Prevention
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
Promptly install the security patches released by Cisco to address the identified vulnerabilities.