CVE-2019-12654

A vulnerability in the common Session Initiation Protocol (SIP) library of Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient sanity checks on an internal data structure. An attacker could exploit this vulnerability by sending a sequence of malicious SIP messages to an affected device. An exploit could allow the attacker to cause a NULL pointer dereference, resulting in a crash of the iosd process. This triggers a reload of the device.

CVSS v3.0 7.5 HIGH
CVSS v2.0 7.8 HIGH

7.5^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

7.8^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:C

Exploitability : 10.0 / Impact : 6.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact COMPLETE

References

Link	Resource
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-sip-dos	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:cisco:ios_xe:16.9.1:::::::*
	cpe:2.3:o:cisco:ios_xe:15.6\(1\)s4.2:::::::*
	cpe:2.3:o:cisco:ios_xe:16.3.8:::::::*

OR	cpe:2.3:h:cisco:4431_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:4331_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:4321_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:asr_1002-x:-:::::::*
	cpe:2.3:h:cisco:4221_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:4351_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:4451-x_integrated_services_router:-:::::::*
	cpe:2.3:h:cisco:asr_1002-hx:-:::::::*
	cpe:2.3:h:cisco:isr_1000:-:::::::*
	cpe:2.3:h:cisco:asr_1001-hx:-:::::::*
	cpe:2.3:h:cisco:integrated_services_virtual_router:-:::::::*
	cpe:2.3:h:cisco:asr_1000:-:::::::*
	cpe:2.3:h:cisco:asr_1001-x:-:::::::*
	cpe:2.3:h:cisco:cloud_services_router_1000v:-:::::::*
	cpe:2.3:h:cisco:isr_4000:-:::::::*
	cpe:2.3:h:cisco:1100_integrated_services_router:-:::::::*

Information

Published : 2019-09-25 14:15

Updated : 2019-10-09 16:45

NVD link : CVE-2019-12654

Mitre link : CVE-2019-12654

JSON object : View

CWE

CWE-476

NULL Pointer Dereference

Products Affected

cisco

4351_integrated_services_router
cloud_services_router_1000v
1100_integrated_services_router
asr_1002-hx
asr_1001-hx
4331_integrated_services_router
ios_xe
4321_integrated_services_router
4451-x_integrated_services_router
4221_integrated_services_router
4431_integrated_services_router
asr_1001-x
isr_1000
asr_1000
integrated_services_virtual_router
asr_1002-x
isr_4000

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

7.8 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact COMPLETE

JSON object

Attach tags to CVE-2019-12654

7.5^/10

7.8^/10

Attach tags to `CVE-2019-12654`