CVE-2022-20758

Cisco IOS XR Software Border Gateway Protocol Ethernet VPN Denial of Service Vulnerability

Severity Score

6.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability in the implementation of the Border Gateway Protocol (BGP) Ethernet VPN (EVPN) functionality in Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to the incorrect processing of a BGP update message that contains specific EVPN attributes. An attacker could exploit this vulnerability by sending a BGP update message that contains specific EVPN attributes. To exploit this vulnerability, an attacker must control a BGP speaker that has an established trusted peer connection to an affected device that is configured with the address family L2VPN EVPN to receive and process the update message. This vulnerability cannot be exploited by any data that is initiated by clients on the Layer 2 network or by peers that are not configured to accept the L2VPN EVPN address family. A successful exploit could allow the attacker to cause the BGP process to restart unexpectedly, resulting in a DoS condition. The Cisco implementation of BGP accepts incoming BGP updates only from explicitly defined peers. For this vulnerability to be exploited, the malicious BGP update message must either come from a configured, valid BGP peer or be injected by the attacker into the affected BGP network on an existing, valid TCP connection to a BGP peer.

Una vulnerabilidad en la implementación de la funcionalidad Ethernet VPN (EVPN) del Protocolo de Pasarela de Frontera (BGP) en el software Cisco IOS XR podría permitir a un atacante remoto no autenticado causar una condición de denegación de servicio (DoS). Esta vulnerabilidad es debido a un procesamiento incorrecto de un mensaje de actualización de BGP que contiene atributos específicos de EVPN. Un atacante podría explotar esta vulnerabilidad mediante el envío de un mensaje de actualización BGP que contenga atributos EVPN específicos. Para aprovechar esta vulnerabilidad, un atacante debe controlar un altavoz BGP que tenga una conexión peer confiable establecida con un dispositivo afectado que esté configurado con la familia de direcciones L2VPN EVPN para recibir y procesar el mensaje de actualización. Esta vulnerabilidad no puede ser explotada por ningún dato que sea iniciado por clientes en la red de capa 2 o por pares que no estén configurados para aceptar la familia de direcciones L2VPN EVPN. Una explotación con éxito podría permitir al atacante causar que el proceso BGP sea reiniciado inesperadamente, resultando en una condición de DoS. La implementación de Cisco de BGP acepta las actualizaciones entrantes de BGP sólo de los pares definidos explícitamente. Para que esta vulnerabilidad pueda ser explotada, el mensaje de actualización BGP malicioso debe provenir de un peer BGP configurado y válido o ser inyectado por el atacante en la red BGP afectada en una conexión TCP existente y válida a un peer BGP

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-11-02 CVE Reserved
2022-04-15 CVE Published
2023-11-06 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-399: Resource Management Errors

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgpevpn-zWTRtPBb	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Cisco Search vendor "Cisco"		Ios Xr Search vendor "Cisco" for product "Ios Xr"				< 6.8.2 Search vendor "Cisco" for product "Ios Xr" and version " < 6.8.2"		-		Affected
Cisco Search vendor "Cisco"		Ios Xr Search vendor "Cisco" for product "Ios Xr"				>= 7.0 < 7.3.2 Search vendor "Cisco" for product "Ios Xr" and version " >= 7.0 < 7.3.2"		-		Affected
Cisco Search vendor "Cisco"		Ios Xr Search vendor "Cisco" for product "Ios Xr"				>= 7.4 < 7.4.2 Search vendor "Cisco" for product "Ios Xr" and version " >= 7.4 < 7.4.2"		-		Affected