Vulnslist


Cisco ASR 9000 Series Aggregation Services Routers ACL Bypass Vulnerability

Advisory ID: cisco-sa-20190417-iosxracl · Severity: Medium

A vulnerability in the TCP flags inspection feature for access control lists (ACLs) on Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to bypass protection offered by a configured ACL on an affected device. The vulnerability is due to incorrect processing of the ACL applied to an interface of an affected device when Cisco Express Forwarding load balancing using the 3-tuple hash algorithm is enabled. An attacker could exploit this vulnerability by sending traffic through an affected device that should otherwise be denied by the configured ACL. An exploit could allow the attacker to bypass protection offered by a configured ACL on the affected device. There are workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-iosxracl

Workarounds

If the 5-tuple hash algorithm is used for load balancing, the device is not affected by the vulnerability described in this advisory.

If the 3-tuple hash algorithm is required, enabling ACL compression for the ACL on the interface is a workaround for this vulnerability.

CVEs: CVE-2019-1686
Cisco Bug IDs: CSCvm01102
CVSS Score: Base 5.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X
Product Names From Source: Cisco IOS XR Software, Cisco ASR 9000 Series Aggregation Services Routers

Related Products

Product                                              | CVE           | Evidence
-----------------------------------------------------|---------------|----------------
Cisco RV Series Routers                              | CVE-2019-1686 | Cisco OpenVuln
Cisco Nexus Dashboard                                | CVE-2019-1686 | Cisco OpenVuln
Cisco IOS Software                                   | CVE-2019-1686 | Cisco OpenVuln
Cisco ASR 900 Series Aggregation Services Routers    | CVE-2019-1686 | Cisco OpenVuln
Cisco AGS+ Routers                                   | CVE-2019-1686 | Cisco OpenVuln
Cisco IOS XR Software                                | CVE-2019-1686 | Cisco OpenVuln
Cisco IOS                                            | CVE-2019-1686 | Cisco OpenVuln
Cisco ASR 9000 Series Aggregation Services Routers   | CVE-2019-1686 | Cisco OpenVuln