Cisco IOS MPLS VPN May Leak Information - Cisco Systems

This script is (C) 2010-2014 Tenable Network Security, Inc.


Synopsis :

The remote device is missing a vendor-supplied security patch.

Description :

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and
configured for Multiprotocol Label Switching (MPLS) Virtual Private
Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using
Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider
Edge (PE) devices may permit information to propagate between VPNs.
Workarounds are available to help mitigate this vulnerability.
This issue is triggered by a logic error when processing extended
communities on the PE device.
This issue cannot be deterministically exploited by an attacker.

Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate these vulnerabilities are
available.

See also :

http://www.nessus.org/u?657e8bd5
http://www.nessus.org/u?25da1014

Solution :

Apply the relevant patch referenced in Cisco Security Advisory
cisco-sa-20080924-vpn.

Risk factor :

Medium / CVSS Base Score : 5.1
(CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 4.2
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: CISCO

Nessus Plugin ID: 49028 (cisco-sa-20080924-vpnhttp.nasl)

Bugtraq ID: 31366

CVE ID: CVE-2008-3803