IP-in-IP Vulnerability Affects Devices From Cisco and Others
A vulnerability related to the IP-in-IP tunneling protocol that can be exploited for denial-of-service (DoS) attacks and to bypass security controls has been found to impact devices from Cisco and other vendors.
“An unauthenticated attacker can route network traffic through a vulnerable device, which may lead to reflective DDoS, information leak and bypass of network access controls,” the CERT Coordination Center (CERT/CC) said in an advisory published on Tuesday.
Cisco has released security updates to address the vulnerability in its NX-OS software. Tracked as CVE-2020-10136 and featuring a CVSS score of 8.6, the security flaw was identified in the network stack of the software and it can be exploited by a remote attacker, without authentication.
An attacker able to successfully exploit the issue could bypass certain security boundaries or cause a DoS condition, the company warns.
“The vulnerability is due to the affected device unexpectedly decapsulating and processing IP in IP packets that are destined to a locally configured IP address. An attacker could exploit this vulnerability by sending a crafted IP in IP packet to an affected device,” Cisco explains in an advisory.
An attacker could cause the impacted device to decapsulate the IP-in-IP packet and then forward the inner IP packet, thus causing IP packets to bypass input access control lists (ACLs) on the device or other security boundaries on the network.
“Under certain conditions, an exploit could cause the network stack process to crash and restart multiple times, leading to a reload of the affected device and a DoS condition,” Cisco also explains.
The issue can be triggered only by IP-in-IP traffic destined to the affected device itself, not by traffic that merely transits it. Moreover, both the carrier (outer) and the passenger (inner) datagrams in the IP-in-IP packet must be IPv4; the issue cannot be triggered if an IPv6 datagram is present in either position. Other tunneling protocols cannot trigger the issue either.
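The three trigger conditions above (outer datagram is IPv4 carrying protocol 4, outer destination is an address configured on the device, inner datagram is also IPv4) are exactly what a defender's filter or IDS rule has to test for. The following is an added example, not code from the article or from Cisco or CERT/CC: a small IPv4 header parser and a classifier that evaluates a raw packet against those conditions, run over a few constructed sample packets using RFC 5737 documentation addresses. The function and variable names, the set of "local" addresses and the sample packets are all assumptions made for the illustration.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IPv4-in-IPv4 encapsulation (RFC 2003)
IPPROTO_UDP = 17


def parse_ipv4_header(buf):
    """Parse a minimal IPv4 header. Returns a dict, or None if buf is not a valid IPv4 header."""
    if len(buf) < 20:
        return None
    version = buf[0] >> 4
    ihl = (buf[0] & 0x0F) * 4  # header length in bytes
    if version != 4 or ihl < 20 or len(buf) < ihl:
        return None
    total_len = struct.unpack("!H", buf[2:4])[0]
    return {
        "ihl": ihl,
        "total_len": total_len,
        "proto": buf[9],
        "src": ipaddress.IPv4Address(buf[12:16]),
        "dst": ipaddress.IPv4Address(buf[16:20]),
    }


def classify_ipip(packet, local_addrs):
    """Return (matches, reason): does this packet meet the advisory's trigger conditions?

    local_addrs is the set of IPv4 addresses configured on the device under review
    (an assumption of this example; a real filter would take them from the device config).
    """
    outer = parse_ipv4_header(packet)
    if outer is None:
        return (False, "carrier is not an IPv4 datagram")
    if outer["proto"] != IPPROTO_IPIP:
        return (False, "not IP-in-IP (outer protocol %d)" % outer["proto"])
    if outer["dst"] not in local_addrs:
        return (False, "transit traffic: outer destination %s is not a local address" % outer["dst"])
    inner_buf = packet[outer["ihl"]:]
    if not inner_buf:
        return (False, "IP-in-IP packet with empty payload")
    if inner_buf[0] >> 4 == 6:
        return (False, "passenger is IPv6, which the advisory says does not trigger the issue")
    inner = parse_ipv4_header(inner_buf)
    if inner is None:
        return (False, "passenger is not a valid IPv4 datagram")
    # All three conditions hold: this is the packet shape the advisory describes, where the device
    # would decapsulate and forward the inner datagram past input ACLs applied to the outer one.
    return (True, "IPv4-in-IPv4 to local %s; inner %s -> %s (proto %d) would be decapsulated and forwarded"
            % (outer["dst"], inner["src"], inner["dst"], inner["proto"]))


def build_ipv4(src, dst, proto, payload):
    """Build a 20-byte IPv4 header plus payload. Checksum is left zero: constructed test data only."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def evaluate_samples():
    """Run the classifier over constructed packets covering each branch of the trigger conditions."""
    local = {ipaddress.IPv4Address("192.0.2.1")}  # assumed device address (RFC 5737 TEST-NET-1)
    inner_v4 = build_ipv4("198.51.100.5", "203.0.113.9", IPPROTO_UDP, bytes(8))  # inner UDP datagram
    inner_v6 = bytes([0x60]) + bytes(39)  # minimal IPv6 header shape (version nibble 6)
    cases = {
        "ipv4_in_ipv4_to_local": build_ipv4("198.51.100.5", "192.0.2.1", IPPROTO_IPIP, inner_v4),
        "ipv6_in_ipv4_to_local": build_ipv4("198.51.100.5", "192.0.2.1", IPPROTO_IPIP, inner_v6),
        "ipv4_in_ipv4_transit": build_ipv4("198.51.100.5", "203.0.113.9", IPPROTO_IPIP, inner_v4),
        "plain_udp_to_local": build_ipv4("198.51.100.5", "192.0.2.1", IPPROTO_UDP, b""),
    }
    return {name: classify_ipip(pkt, local) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (matches, reason) in evaluate_samples().items():
        print("%-24s %-5s %s" % (name, matches, reason))
```

Only the first sample matches; the IPv6 passenger, the transit packet and the plain UDP packet are all rejected for the reasons the advisory gives. The same predicate, expressed as "drop IP protocol 4 destined to the device's own addresses", is the shape of filter a defender would put in front of an unpatched device, since legitimate tunnel endpoints are the only hosts that should be sending such traffic to it.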
According to the company, the vulnerability impacts the following Nexus switches: 1000 Virtual Edge for VMware vSphere (CSCvu10050), 1000V for Microsoft Hyper-V (CSCvt67738) and VMware vSphere (CSCvt67738), a limited set of 3000 Series (CSCun53663) and 9000 Series in standalone NX-OS mode (CSCun53663), 5500 (CSCvt67739) and 5600 Platform Switches (CSCvt67739), 6000 (CSCvt67739) and 7000 (CSCvt66624) Series, and UCS 6200 (CSCvu03158) and UCS 6300 (CSCvt67740) Series Fabric Interconnects.
Cisco also explains that even devices that do not have an IP-in-IP tunnel interface configured are affected. UCS Fabric Interconnects, on the other hand, are impacted only when NetFlow monitoring is enabled and “a flow exporter profile is configured with a source IP address set for the exporter interface.”
Firepower 1000 Series, Firepower 2100 Series, Firepower 4100 Series, Firepower 9300 Security Appliances, MDS 9000 Series Multilayer Switches, Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode, and UCS 6400 Series Fabric Interconnects are not affected.
Cisco has released software updates to address the issue and also detailed workaround steps customers can take to mitigate the vulnerability. The company says it is not aware of the vulnerability being exploited in attacks.
CERT/CC reveals that products from Digi International, Hewlett Packard Enterprise, and Treck are also affected. Digi International addressed the bug with the release of SAROS VERSION 18.104.22.168 (Bootloader 7.67) on 23 April 2020, while Treck fixed it in release 22.214.171.124.
A proof-of-concept (PoC) exploiting the vulnerability was made public in the CERT/CC PoC repository.