Multiple products such as Cisco, Digi, HP and such other were reported to be vulnerable to IP-in-IP packet processing vulnerability. CVE-2020-10136 and CWE-19 were assigned to the said vulnerability. Here we’ll share some information about the same for Cisco NX-OS devices.
An authentication is primary requirement to access this vulnerability. An unauthenticated attacker can route arbitrary network traffic through a vulnerable device, leading to information disclosure, reflective DDoS as well as bypassing network access controls.
POC originally written by Yannay Livneh is available in the CERT/CC Github repository. Researcher have two scenarios namely, Spoof mode and Bypass mode to exploit packet processing.
The affected devices can be exploited using a crafted packet, due to which it will unexpectedly decapsulate and process IP in IP packet that are supposed to be for a local IP address. This will eventually lead to forwarding of inner IP packet which in turn causes bypass of input Access Control Lists, that also carry information of the network as well. Affected devices might crash and leads to DOS condition.
Nexus 1000 Virtual Edge for VMware vSphere
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 3000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 9000 Series Switches in standalone NX-OS mode
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
Cisco has updated the patch and released for CVE-2020-10136.
Users can block IP-in-IP packets by filtering IP protocol number 4.
Note: This filtering is for the IPv4 Protocol (or IPv6 Next Header) field value of 4 and not IP protocol version 4 (IPv4).
Qualys customers can scan their network with QID(s)# 316622 to detect vulnerable assets. Kindly continue to follow on Qualys Threat Protection for more coverage on vulnerabilities.
References & Sources: