DoS via crafted XML on Cisco IOS XR XML Agent (port 38751)
CVE-2024-20390 Published on September 11, 2024
Cisco IOS XR Software Dedicated XML Agent TCP Denial of Service Vulnerability
A vulnerability in the Dedicated XML Agent feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) on XML TCP listen port 38751.
This vulnerability is due to a lack of proper error validation of ingress XML packets. An attacker could exploit this vulnerability by sending a sustained, crafted stream of XML traffic to a targeted device. A successful exploit could allow the attacker to cause XML TCP port 38751 to become unreachable while the attack traffic persists.
Vulnerability Analysis
CVE-2024-20390 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.
Weakness Type
Improper Verification of Source of a Communication Channel
The software establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin. When an attacker can successfully establish a communication channel from an untrusted origin, the attacker may be able to gain privileges and access unexpected functionality.
Products Associated with CVE-2024-20390
Want to know whenever a new CVE is published for Cisco Ios Xr? stack.watch will email you.
Affected Versions
Cisco IOS XR Software:- Version 6.5.3 is affected.
- Version 6.5.29 is affected.
- Version 6.5.1 is affected.
- Version 6.6.1 is affected.
- Version 6.5.2 is affected.
- Version 6.5.92 is affected.
- Version 6.5.15 is affected.
- Version 6.6.2 is affected.
- Version 7.0.1 is affected.
- Version 6.6.25 is affected.
- Version 6.5.26 is affected.
- Version 6.6.11 is affected.
- Version 6.5.25 is affected.
- Version 6.5.28 is affected.
- Version 6.5.93 is affected.
- Version 6.6.12 is affected.
- Version 6.5.90 is affected.
- Version 7.0.0 is affected.
- Version 7.1.1 is affected.
- Version 7.0.90 is affected.
- Version 6.6.3 is affected.
- Version 6.7.1 is affected.
- Version 7.0.2 is affected.
- Version 7.1.15 is affected.
- Version 7.2.0 is affected.
- Version 7.2.1 is affected.
- Version 7.1.2 is affected.
- Version 6.7.2 is affected.
- Version 7.0.11 is affected.
- Version 7.0.12 is affected.
- Version 7.0.14 is affected.
- Version 7.1.25 is affected.
- Version 6.6.4 is affected.
- Version 7.2.12 is affected.
- Version 7.3.1 is affected.
- Version 7.1.3 is affected.
- Version 6.7.3 is affected.
- Version 7.4.1 is affected.
- Version 7.2.2 is affected.
- Version 6.7.4 is affected.
- Version 6.5.31 is affected.
- Version 7.3.15 is affected.
- Version 7.3.16 is affected.
- Version 6.8.1 is affected.
- Version 7.4.15 is affected.
- Version 6.5.32 is affected.
- Version 7.3.2 is affected.
- Version 7.5.1 is affected.
- Version 7.4.16 is affected.
- Version 7.3.27 is affected.
- Version 7.6.1 is affected.
- Version 7.5.2 is affected.
- Version 7.8.1 is affected.
- Version 7.6.15 is affected.
- Version 7.5.12 is affected.
- Version 7.8.12 is affected.
- Version 7.3.3 is affected.
- Version 7.7.1 is affected.
- Version 6.8.2 is affected.
- Version 7.3.4 is affected.
- Version 7.4.2 is affected.
- Version 6.7.35 is affected.
- Version 6.9.1 is affected.
- Version 7.6.2 is affected.
- Version 7.5.3 is affected.
- Version 7.7.2 is affected.
- Version 6.9.2 is affected.
- Version 7.9.1 is affected.
- Version 7.10.1 is affected.
- Version 7.8.2 is affected.
- Version 7.5.4 is affected.
- Version 6.5.33 is affected.
- Version 7.8.22 is affected.
- Version 7.7.21 is affected.
- Version 7.9.2 is affected.
- Version 7.3.5 is affected.
- Version 7.5.5 is affected.
- Version 7.11.1 is affected.
- Version 7.9.21 is affected.
- Version 7.10.2 is affected.
- Version 24.1.1 is affected.
- Version 7.6.3 is affected.
- Version 7.3.6 is affected.
- Version 7.5.52 is affected.
- Version 7.11.2 is affected.
- Version 24.2.1 is affected.
- Version 6.5.3, <= 7.11.2 is affected.
- Version 24.2.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.