IP-in-IP flaw affects devices from Cisco and other vendors

Pierluigi Paganini June 02, 2020

A flaw in the IP-in-IP tunneling protocol that can be exploited for DoS attacks and to bypass security controls impact devices from Cisco and other vendors.

A vulnerability that affects the IP-in-IP tunneling protocol (aka IP Encapsulation within IP) implemented by Cisco and other vendors could be exploited for denial-of-service (DoS) attacks and to bypass security controls.

IP-in-IP encapsulation is a tunneling protocol specified in RFC 2003 that allows for IP packets to be encapsulated inside another IP packets. The vulnerability, tracked as CVE-2020-10136, has been rated with a CVSS score of 8.6.

The issue can be abused by an unauthenticated attacker to unexpectedly route arbitrary network traffic through a vulnerable device.

“An unauthenticated attacker can route network traffic through a vulnerable device, which may lead to reflective DDoS, information leak and bypass of network access controls,” reads the advisory published by the CERT Coordination Center (CERT/CC). “An IP-in-IP device is considered to be vulnerable if it accepts IP-in-IP packets from any source to any destination without explicit configuration between the specified source and destination IP addresses. This unexpected Data Processing Error (CWE-19) by a vulnerable device can be abused to perform reflective DDoS and in certain scenarios used to bypass network access control lists.”

Cisco has already addressed the flaw by releasing security updates for its NX-OS software.

“A vulnerability in the network stack of Cisco NX-OS Software could allow an unauthenticated, remote attacker to bypass certain security boundaries or cause a denial of service (DoS) condition on an affected device.” states the advisory published by Cisco.

“The vulnerability is due to the affected device unexpectedly decapsulating and processing IP in IP packets that are destined to a locally configured IP address. An attacker could exploit this vulnerability by sending a crafted IP in IP packet to an affected device”

An attacker could exploit the flaw by sending a crafted IP in IP packet to an affected device.

“Under certain conditions, an exploit could cause the network stack process to crash and restart multiple times, leading to a reload of the affected device and a DoS condition,” Cisco also explains.

The list of affected products includes:

According to Cisco’s advisory, the vulnerability also impacts devices that do not have an IP in IP tunnel interface configured. Cisco UCS Fabric Interconnects are affected only when NetFlow monitoring is enabled on the device and a flow exporter profile is configured with a source IP address set for the exporter interface. 

The following products are not affected:

  • Firepower 1000 Series
  • Firepower 2100 Series
  • Firepower 4100 Series
  • Firepower 9300 Security Appliances
  • MDS 9000 Series Multilayer Switches
  • Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
  • UCS 6400 Series Fabric Interconnects

According to the CERT/CC, the flaw affects products from Digi International, Hewlett Packard Enterprise, and Treck are also affected.

A proof-of-concept (PoC) code was published by the CERT/CC.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – IP-in-IP, cybersecurity)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment