⚠ Actively exploited
Added to CISA KEV on 2022-03-25. Federal agencies required to patch by 2022-04-15. Required action: Apply updates per vendor instructions.

CVE-2009-2055: Improper Input Validation in Cisco IOS XR

Severity: 5.9 MEDIUM (NVD)
EPSS: 0.4% (top 38.69%)
CISA KEV: Added 2022-03-25, due 2022-04-15
Exploit: Exploited in wild (active exploitation observed)
Timeline
Published: Aug 19
KEV added: Mar 25
KEV due: Apr 15
Latest update: May 2

Description

Cisco IOS XR 3.4.0 through 3.8.1 allows remote attackers to cause a denial of service (session reset) via a BGP UPDATE message with an invalid attribute, as demonstrated in the wild on 17 August 2009.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.2 | Impact: 3.6

Affected Packages (1 package)

NVD: cisco/ios_xr (19 versions)

🔴 Vulnerability Details (3)

GHSA: GHSA-2j56-f322-jxrm: Cisco IOS XR 3 (2022-05-02)
CVEList: CVE-2009-2055: Cisco IOS XR 3 (2009-08-19)
VulnCheck: Cisco IOS XR Border Gateway Protocol (BGP) Denial-of-Service Vulnerability (2009)

📋 Vendor Advisories (2)

CISA: Cisco IOS XR Border Gateway Protocol (BGP) Denial-of-Service Vulnerability (2022-03-25)
Cisco: Cisco IOS XR Software Border Gateway Protocol Vulnerabilities (2009-08-18)

💬 Community (1)

Bugzilla: CVE-2010-2055 CVE-2009-3743 ghostscript various flaws [fedora-all] (2011-11-22)