CVE-2019-12656 : A vulnerability in the IOx application environment of multiple Cisco platforms c

A vulnerability in the IOx application environment of multiple Cisco platforms could allow an unauthenticated, remote attacker to cause the IOx web server to stop processing HTTPS requests, resulting in a denial of service (DoS) condition. The vulnerability is due to a Transport Layer Security (TLS) implementation issue. An attacker could exploit this vulnerability by sending crafted TLS packets to the IOx web server on an affected device. A successful exploit could allow the attacker to cause the IOx web server to stop processing HTTPS requests, resulting in a DoS condition.

Published 2019-09-25 21:15:11

Updated 2020-10-08 14:07:20

Source Cisco Systems, Inc.

View at NVD, CVE.org

Vulnerability category: Input validationDenial of service

Products affected by CVE-2019-12656

Cisco » IOS » Version: 1.8.0
cpe:2.3:o:cisco:ios:1.8.0:*:*:*:*:*:*:*
Matching versions
Cisco » IOS » Version: 1.6.0.0
cpe:2.3:o:cisco:ios:1.6.0.0:*:*:*:*:*:*:*
Matching versions
Cisco » Industrial Ethernet 2000 Series Firmware » Version: 15.2(6)e
cpe:2.3:o:cisco:industrial_ethernet_2000_series_firmware:15.2\(6\)e:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Ie 2000-16ptc-g » Version: N/A
When used together with: Cisco » Ie 2000-16t67 » Version: N/A
When used together with: Cisco » Ie 2000-16t67p » Version: N/A
When used together with: Cisco » Ie 2000-16tc » Version: N/A
When used together with: Cisco » Ie 2000-16tc-g » Version: N/A
When used together with: Cisco » Ie 2000-16tc-g-e » Version: N/A
When used together with: Cisco » Ie 2000-16tc-g-n » Version: N/A
When used together with: Cisco » Ie 2000-16tc-g-x » Version: N/A
When used together with: Cisco » Ie 2000-24t67 » Version: N/A
When used together with: Cisco » Ie 2000-4s-ts-g » Version: N/A
When used together with: Cisco » Ie 2000-4t » Version: N/A
When used together with: Cisco » Ie 2000-4t-g » Version: N/A
When used together with: Cisco » Ie 2000-4ts » Version: N/A
When used together with: Cisco » Ie 2000-4ts-g » Version: N/A
When used together with: Cisco » Ie 2000-8t67 » Version: N/A
When used together with: Cisco » Ie 2000-8t67p » Version: N/A
When used together with: Cisco » Ie 2000-8tc » Version: N/A
When used together with: Cisco » Ie 2000-8tc-g » Version: N/A
When used together with: Cisco » Ie 2000-8tc-g-e » Version: N/A
When used together with: Cisco » Ie 2000-8tc-g-n » Version: N/A
Cisco » Ic3000 Firmware » Version: N/A
cpe:2.3:o:cisco:ic3000_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Ic3000 » Version: N/A
Cisco » Ie 4000 Firmware » Version: N/A
cpe:2.3:o:cisco:ie_4000_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Ie 4000 » Version: N/A
Cisco » Cgr 1000 Firmware » Version: N/A
cpe:2.3:o:cisco:cgr_1000_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Cgr 1000 » Version: N/A
Cisco » Ir510 Wpan Firmware » Version: N/A
cpe:2.3:o:cisco:ir510_wpan_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Ir510 Wpan » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2019-12656

EPSS FAQ

1.47%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 79 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-12656

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	Cisco Systems, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2019-12656

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: ykramarz@cisco.com (Secondary)

References for CVE-2019-12656

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-iox

Cisco IOx Application Environment Denial of Service Vulnerability
Vendor Advisory

Jump to

Vulnerability Details : CVE-2019-12656

Products affected by CVE-2019-12656

Exploit prediction scoring system (EPSS) score for CVE-2019-12656

CVSS scores for CVE-2019-12656

CWE ids for CVE-2019-12656

References for CVE-2019-12656