Summary:
Multiple products from vendors such as Cisco, Digi, HP and others were reported to be vulnerable to an IP-in-IP packet processing vulnerability. CVE-2020-10136 and CWE-19 were assigned to this vulnerability. Here we share some information about it for Cisco NX-OS devices.
Description:
Authentication is a primary requirement to access this vulnerability. An unauthenticated attacker can route arbitrary network traffic through a vulnerable device, leading to information disclosure, reflective DDoS, and bypass of network access controls.
A PoC originally written by Yannay Livneh is available in the CERT/CC GitHub repository. The researcher describes two scenarios, Spoof mode and Bypass mode, to exploit packet processing.
The affected devices can be exploited using a crafted packet, which causes the device to unexpectedly decapsulate and process IP-in-IP packets that are supposed to be for a local IP address. This eventually leads to forwarding of the inner IP packet, which in turn bypasses input Access Control Lists (ACLs) that also carry information about the network. Affected devices might also crash, leading to a DoS condition.
Affected Products:
Nexus 1000 Virtual Edge for VMware vSphere
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 3000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 9000 Series Switches in standalone NX-OS mode
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
Advisory:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4
Mitigation:
Cisco has updated and released the patch for CVE-2020-10136.
Users can block IP-in-IP packets by filtering IP protocol number 4.
Note: This filtering is for the IPv4 Protocol (or IPv6 Next Header) field value of 4 and not IP protocol version 4 (IPv4).
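The distinction in the note above, shown as an added example that is not code from Cisco, CERT/CC or the original post: a classifier that flags a packet for filtering only when the outer IPv4 Protocol field, or the last Next Header in an IPv6 header chain, equals 4. The function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4           # value of the Protocol / Next Header field, not the IP version
EXT_HEADERS = {0, 43, 60}  # IPv6 Hop-by-Hop, Routing, Destination Options
FRAGMENT = 44              # IPv6 Fragment header, fixed 8 bytes

def is_ip_in_ip(packet: bytes) -> bool:
    """True if the outer header (or IPv6 header chain) announces protocol 4."""
    if not packet:
        return False
    version = packet[0] >> 4
    if version == 4:
        return len(packet) >= 20 and packet[9] == IPPROTO_IPIP
    if version != 6 or len(packet) < 40:
        return False
    nxt, off = packet[6], 40
    while nxt in EXT_HEADERS or nxt == FRAGMENT:
        if len(packet) < off + 2:
            return False  # truncated chain: cannot classify
        size = 8 if nxt == FRAGMENT else (packet[off + 1] + 1) * 8
        nxt, off = packet[off], off + size
    return nxt == IPPROTO_IPIP

# Constructed sample packets (documentation addresses, checksum left at 0).
def ipv4_header(proto: int) -> bytes:
    src = ipaddress.ip_address("192.0.2.1").packed
    dst = ipaddress.ip_address("198.51.100.7").packed
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, src, dst)

def ipv6_header(next_header: int) -> bytes:
    src = ipaddress.ip_address("2001:db8::1").packed
    dst = ipaddress.ip_address("2001:db8::2").packed
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64, src, dst)

DEST_OPTS_THEN_IPIP = bytes([IPPROTO_IPIP, 0, 1, 4, 0, 0, 0, 0])  # 8-byte header, PadN

SAMPLES = {
    "ipv4 carrying tcp": ipv4_header(6) + bytes(20),
    "ipv4 carrying ipip": ipv4_header(4) + ipv4_header(17),
    "ipv6 carrying ipip": ipv6_header(4) + ipv4_header(17),
    "ipv6 ext hdr then ipip": ipv6_header(60) + DEST_OPTS_THEN_IPIP + ipv4_header(17),
    "ipv6 carrying tcp": ipv6_header(6) + bytes(20),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {'filter' if is_ip_in_ip(pkt) else 'pass'}")
```

Every IPv4 sample has version 4 in its first nibble, yet only the one whose Protocol field is 4 is flagged; a filter keyed on the version would drop all IPv4 traffic.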
Qualys customers can scan their network with QID 316622 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on vulnerabilities.
References & Sources:
- https://kb.cert.org/vuls/id/636397
- https://github.com/CERTCC/PoC-Exploits/tree/master/cve-2020-10136
- https://tools.ietf.org/html/rfc2003
- https://tools.ietf.org/html/rfc6169
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4