CVE-2019-1749
HIGH
Cisco IOS XE for ASR 900 RSP3 - Unauthenticated Denial of Service via Malformed OSPFv2 Message
Title source: llm
Description
A vulnerability in the ingress traffic validation of Cisco IOS XE Software for Cisco Aggregation Services Router (ASR) 900 Route Switch Processor 3 (RSP3) could allow an unauthenticated, adjacent attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability exists because the software insufficiently validates ingress traffic on the ASIC used on the RSP3 platform. An attacker could exploit this vulnerability by sending a malformed OSPF version 2 (OSPFv2) message to an affected device. A successful exploit could allow the attacker to cause a reload of the iosd process, triggering a reload of the affected device and resulting in a DoS condition.
References (2)
Core References
Patch, Vendor Advisory vendor-advisory
x_refsource_cisco
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190327-rsp3-ospf
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/107615
Scores
CVSS v3
7.4
EPSS
0.0060
EPSS Percentile
44.6%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Details
CWE
CWE-20
Status
published
Products (48)
cisco/ios_xe 3.13.6as
cisco/ios_xe 3.16.0as
cisco/ios_xe 3.16.1as
cisco/ios_xe 3.16.2as
cisco/ios_xe 3.16.3as
cisco/ios_xe 3.16.4bs
cisco/ios_xe 3.16.4cs
cisco/ios_xe 3.16.4ds
cisco/ios_xe 3.16.4es
cisco/ios_xe 3.16.4gs
... and 38 more
Published
Mar 28, 2019
Tracked Since
Feb 18, 2026