Executive Summary
| Summary | |
|---|---|
| Title | Cisco IOS MPLS VPN May Leak Information |
| Informations | |||
|---|---|---|---|
| Name | cisco-sa-20080924-vpn | First vendor Publication | 2008-07-11 |
| Vendor | Cisco | Last vendor Modification | 2008-09-24 |
| Severity (Vendor) | N/A | Revision | 1.0 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:H/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 5.1 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | High |
| Cvss Expoit Score | 4.9 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs. Workarounds are available to help mitigate this vulnerability. This issue is triggered by a logic error when processing extended communities on the PE device. This issue cannot be deterministically exploited by an attacker. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. |
Original Source
| Url : http://www.cisco.com/en/US/products/products_security_advisory09186a0080a0 (...) |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:5919 | |||
| Oval ID: | oval:org.mitre.oval:def:5919 | ||
| Title: | Cisco IOS MPLS VPN May Leak Information Vulnerability | ||
| Description: | A "logic error" in Cisco IOS 12.0 through 12.4, when a Multiprotocol Label Switching (MPLS) VPN with extended communities is configured, sometimes causes a corrupted route target (RT) to be used, which allows remote attackers to read traffic from other VPNs in opportunistic circumstances. | ||
| Family: | ios | Class: | vulnerability |
| Reference(s): | CVE-2008-3803 | Version: | 1 |
| Platform(s): | Cisco IOS | Product(s): | |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Os | 3 |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 48742 | Cisco IOS MPLS Extended Community Cross VPN Information Disclosure |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2010-09-01 | Name : The remote device is missing a vendor-supplied security patch. File : cisco-sa-20080924-vpnhttp.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 10:21:54 |
|
