Multiple products that implement the IP Encapsulation within IP standard (RFC 2003, STD 1) decapsulate and route IP-in-IP traffic without any validation, which could allow an unauthenticated remote attacker to route arbitrary traffic via an exposed network interface and lead to spoofing, access control bypass, and other unexpected network behaviors.
{"nessus": [{"lastseen": "2023-01-11T15:15:16", "description": "According to its self-reported version, the Cisco NX-OS Software is affected by a denial of service vulnerability in the network stack due to the affected device unexpectedly decapsulating and processing IP in IP packets that are destined to a locally configured IP address. An unauthenticated, remote attacker can exploit this issue by sending a crafted IP in IP packet to an affected device, to bypass certain security boundaries or cause a denial of service condition on an affected device.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-06-05T00:00:00", "type": "nessus", "title": "Cisco NX-OS Software Unexpected IP in IP Packet Processing Vulnerability (cisco-sa-nxos-ipip-dos-kCT9X4)", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10136"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/o:cisco:nx-os"], "id": "CISCO-SA-NXOS-IPIP-DOS-KCT9X4.NASL", "href": "https://www.tenable.com/plugins/nessus/137184", "sourceData": "#TRUSTED 9cca2b1be5035da5f115389678a3c8eb640098ab6b0101275a388a78c730ae93a9b7113dcc595117150cbfe82a7e408f0babd92675d6ad49228baaa60b612b0f2cb7a365ddb9e5272cf551eba509eb429a2041466411fcb0249f15ee978b2264c8b6f9692651258acd471c057558db7ba143fde12bcff934a42b0225ca55ed2f5143e2313588674993c9aac3dd2d3d40465de5444f618b74cbbe66fc039c02ab5612a74efcdbaf5e29a68fd93896de125e0d3ac4e75da6766f58c3b1c0ef3c76106ffb9a96de8c293673afa02c61eed77637d1b9f46412343b74a90accc943bb4ede27d59c353c8ed54388302eb5c88fc751c98bdaaadd4554a4c29214469a3d28f2d4e2296cadd34b685d2313876fcf92191ffbe0c8a153263a4254b6977d617d626ba85ad6a72901d32a96f885dd49174c1654f7371ff4ad2a5b6ec72648a8a3675a20b19cf044074514566de3283d6e985161aa70483a8e95b9233bf40660d166bb9457f2718e1c5a54707810c8b776eb47b5f10cfb25b7944abb282fb8e28ba03f93ad24e51924570b6e3b4a5c487df76891204a14d0f6f345656b0ba1913cffb1a8ac0ddc278b17a7e54791403dee394664f2c71aa83619f902fa20f802e375431b70fff9db4958117e7f2f076b9e67ec2be81e47985f81cb4b4475feb751c9bf7ae52459d8a2053c22f9ac27845ad8b123f115585fae156bee14c62d02\n#TRUST-RSA-SHA256 7d2e85f256f9425e900caff44f3018607f8e03d5287c4dfff14fb4a54e287e765eef9f6ec8935244974e13a8016415a66fce86fed6fe136c6c5cdfa4ea4311173da9a4af2e0785adf4627e662aea8b64821854291014f0185b7d8f3a2779c3b950ba28607a1c3b6894cf9fb01afc18a0f04bca0103f9d6ab659f5f7dc8f2779ae1b2c8c2dbaaf95635a1c844b1528fe33be7f6d2733652621250074166a314f821a4114b7f66c593745ab389cd5d9de43c87292d897aa8aaa6842e326ccb45cf0a3598cdc1dcf134238cf1cea0999800ddd15be92b6e5d6bd9a512370a27045199864f3d58150ddde232d121afb97497ac8cf19a4ec409f0dea90fbb118c7609107c146b4c2bca7ed755ad96905471c160436a179a0c29a47255a1aac412e095a39ddbe4a7124c2d603a0d91cb8f8c99a70579ea2b60a5daf05982af9ebe8f1db49ad9d5bc84b39d72dbf3cacd86ad2aeb5157c8ecc1e3aba83ee919b5c05a4a2e4ad62c70102b55fbfd6753c824e2437fe7f934fa85dfa3abbd15b9565885dccb2b5fa36413cbf09a5444e295c56c1f661a9dcfee10cdc292a371de21edef81acb5cbeb27432f509d28e815a4ea4f022a8605e56d63a0f0c4b17d9b6ec4454dacca84a353d17561214c0b0780c36be59a45912d21565dda1e21e1a4d99ea9b3d695fc373639280646e3f0f6fe5b9a4ef1ccd0c7f18dfc697afc28e646868c31\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137184);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2020-10136\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCun53663\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvt66624\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvt67738\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvt67739\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvt67740\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvu03158\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvu10050\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-nxos-ipip-dos-kCT9X4\");\n script_xref(name:\"IAVA\", value:\"2020-A-0233\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0049\");\n\n script_name(english:\"Cisco NX-OS Software Unexpected IP in IP Packet Processing Vulnerability (cisco-sa-nxos-ipip-dos-kCT9X4)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco NX-OS Software is affected by a denial of service vulnerability in\nthe network stack due to the affected device unexpectedly decapsulating and processing IP in IP packets that are\ndestined to a locally configured IP address. An unauthenticated, remote attacker can exploit this issue by sending a\ncrafted IP in IP packet to an affected device, to bypass certain security boundaries or cause a denial of service\ncondition on an affected device.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0f50ed05\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCun53663\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt66624\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt67738\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt67739\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt67740\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu03158\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu10050\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version or apply the workaround referenced in Cisco bug IDs CSCun53663, CSCvt66624,\nCSCvt67738, CSCvt67739, CSCvt67740, CSCvu03158 and CSCvu10050 or alternatively apply the workaround mentioned \nin the advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-10136\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:cisco:nx-os\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_nxos_version.nasl\", \"cisco_enum_smu.nasl\");\n script_require_keys(\"Host/Cisco/NX-OS/Version\", \"Host/Cisco/NX-OS/Model\", \"Host/Cisco/NX-OS/Device\");\n\n exit(0);\n}\n\ninclude('cisco_workarounds.inc');\ninclude('ccf.inc');\n\nproduct_info = cisco::get_product_info(name:'Cisco NX-OS Software');\n\ncbi = '';\n\nif ('Nexus' >< product_info.device)\n{\n if (product_info.model =~ \"^10[0-9][0-9]\"){\n cbi = 'CSCvu10050, CSCvt67738';\n version_list = make_list(\n '5.2(1)SK3(1.1)',\n '5.2(1)SK3(2.1)',\n '5.2(1)SK3(2.1a)',\n '5.2(1)SK3(2.2)',\n '5.2(1)SK3(2.2b)',\n '5.2(1)SM1(5.1)',\n '5.2(1)SM1(5.2)',\n '5.2(1)SM1(5.2a)',\n '5.2(1)SM1(5.2b)',\n '5.2(1)SM1(5.2c)',\n '5.2(1)SM3(1.1)',\n '5.2(1)SM3(1.1a)',\n '5.2(1)SM3(1.1b)',\n '5.2(1)SM3(1.1c)',\n '5.2(1)SM3(2.1)',\n '5.2(1)SV3(1.1)',\n '5.2(1)SV3(1.10)',\n '5.2(1)SV3(1.15)',\n '5.2(1)SV3(1.2)',\n '5.2(1)SV3(1.3)',\n '5.2(1)SV3(1.4)',\n '5.2(1)SV3(1.4b)',\n '5.2(1)SV3(1.5a)',\n '5.2(1)SV3(1.5b)',\n '5.2(1)SV3(1.6)',\n '5.2(1)SV3(2.1)',\n '5.2(1)SV3(2.5)',\n '5.2(1)SV3(2.8)',\n '5.2(1)SV3(3.1)',\n '5.2(1)SV3(3.15)',\n '5.2(1)SV3(4.1)',\n '5.2(1)SV3(4.1a)',\n '5.2(1)SV3(4.1b)',\n '5.2(1)SV5(1.1)',\n '5.2(1)SV5(1.2)',\n '5.2(1)SV5(1.3)'\n );\n }\n\n if (product_info.model =~ \"^3[0-9]{3}\")\n {\n cbi = 'CSCun53663';\n version_list = make_list(\n '5.0(3)A1(1)',\n '5.0(3)A1(2)',\n '5.0(3)A1(2a)',\n '5.0(3)U1(1)',\n '5.0(3)U1(1a)',\n '5.0(3)U1(1b)',\n '5.0(3)U1(1c)',\n '5.0(3)U1(1d)',\n '5.0(3)U1(2)',\n '5.0(3)U1(2a)',\n '5.0(3)U2(1)',\n '5.0(3)U2(2)',\n '5.0(3)U2(2a)',\n '5.0(3)U2(2b)',\n '5.0(3)U2(2c)',\n '5.0(3)U2(2d)',\n '5.0(3)U3(1)',\n '5.0(3)U3(2)',\n '5.0(3)U3(2a)',\n '5.0(3)U3(2b)',\n '5.0(3)U4(1)',\n '5.0(3)U5(1)',\n '5.0(3)U5(1a)',\n '5.0(3)U5(1b)',\n '5.0(3)U5(1c)',\n '5.0(3)U5(1d)',\n '5.0(3)U5(1e)',\n '5.0(3)U5(1f)',\n '5.0(3)U5(1g)',\n '5.0(3)U5(1h)',\n '5.0(3)U5(1i)',\n '5.0(3)U5(1j)',\n '6.0(2)A1(1)',\n '6.0(2)A1(1a)',\n '6.0(2)A1(1b)',\n '6.0(2)A1(1c)',\n '6.0(2)A1(1d)',\n '6.0(2)A1(1e)',\n '6.0(2)A1(1f)',\n '6.0(2)A1(2d)',\n '6.0(2)A3(1)',\n '6.0(2)A3(2)',\n '6.0(2)A3(4)',\n '6.0(2)A4(1)',\n '6.0(2)A4(2)',\n '6.0(2)A4(3)',\n '6.0(2)A4(4)',\n '6.0(2)A4(5)',\n '6.0(2)A4(6)',\n '6.0(2)U1(1)',\n '6.0(2)U1(1a)',\n '6.0(2)U1(2)',\n '6.0(2)U1(3)',\n '6.0(2)U1(4)',\n '6.0(2)U2(1)',\n '6.0(2)U2(2)',\n '6.0(2)U2(3)',\n '6.0(2)U2(4)',\n '6.0(2)U2(5)',\n '6.0(2)U2(6)',\n '6.0(2)U3(1)',\n '6.0(2)U3(2)',\n '6.0(2)U3(3)',\n '6.0(2)U3(4)',\n '6.0(2)U3(5)',\n '6.0(2)U3(6)',\n '6.0(2)U3(7)',\n '6.0(2)U3(8)',\n '6.0(2)U3(9)',\n '6.0(2)U4(1)',\n '6.0(2)U4(2)',\n '6.0(2)U4(3)',\n '6.0(2)U4(4)',\n '6.1(2)I2(2a)',\n '6.1(2)I2(2b)',\n '6.1(2)I3(1)',\n '6.1(2)I3(2)',\n '6.1(2)I3(3)',\n '6.1(2)I3(3a)',\n '7.0(3)I1(1)',\n '7.0(3)I1(1a)',\n '7.0(3)I1(1b)',\n '7.0(3)I1(1z)'\n );\n }\n\n if (product_info.model =~ \"^5[56][0-9][0-9]\"){\n cbi = 'CSCvt67739';\n version_list = make_list(\n '5.2(1)N1(1)',\n '5.2(1)N1(1a)',\n '5.2(1)N1(1b)',\n '5.2(1)N1(2)',\n '5.2(1)N1(2a)',\n '5.2(1)N1(3)',\n '5.2(1)N1(4)',\n '5.2(1)N1(5)',\n '5.2(1)N1(6)',\n '5.2(1)N1(7)',\n '5.2(1)N1(8)',\n '5.2(1)N1(8a)',\n '5.2(1)N1(8b)',\n '5.2(1)N1(9)',\n '5.2(1)N1(9a)',\n '5.2(1)N1(9b)',\n '6.0(2)N1(1)',\n '6.0(2)N1(1a)',\n '6.0(2)N1(2)',\n '6.0(2)N1(2a)',\n '6.0(2)N2(1)',\n '6.0(2)N2(1b)',\n '6.0(2)N2(2)',\n '6.0(2)N2(3)',\n '6.0(2)N2(4)',\n '6.0(2)N2(5)',\n '6.0(2)N2(5a)',\n '6.0(2)N2(5b)',\n '6.0(2)N2(6)',\n '6.0(2)N2(7)',\n '7.0(0)N1(1)',\n '7.0(1)N1(1)',\n '7.0(2)N1(1)',\n '7.0(3)N1(1)',\n '7.0(4)N1(1)',\n '7.0(4)N1(1a)',\n '7.0(5)N1(1)',\n '7.0(5)N1(1a)',\n '7.0(6)N1(1)',\n '7.0(6)N1(2s)',\n '7.0(6)N1(3s)',\n '7.0(6)N1(4s)',\n '7.0(7)N1(1)',\n '7.0(7)N1(1a)',\n '7.0(7)N1(1b)',\n '7.0(8)N1(1)',\n '7.0(8)N1(1a)',\n '7.1(0)N1(1)',\n '7.1(0)N1(1a)',\n '7.1(0)N1(1b)',\n '7.1(1)N1(1)',\n '7.1(1)N1(1a)',\n '7.1(2)N1(1)',\n '7.1(2)N1(1a)',\n '7.1(3)N1(1)',\n '7.1(3)N1(2)',\n '7.1(3)N1(2a)',\n '7.1(3)N1(3)',\n '7.1(3)N1(4)',\n '7.1(3)N1(5)',\n '7.1(4)N1(1)',\n '7.1(4)N1(1a)',\n '7.1(4)N1(1c)',\n '7.1(4)N1(1d)',\n '7.1(5)N1(1)',\n '7.1(5)N1(1b)',\n '7.2(0)N1(1)',\n '7.2(1)N1(1)',\n '7.3(0)N1(1)',\n '7.3(0)N1(1a)',\n '7.3(0)N1(1b)',\n '7.3(1)N1(1)',\n '7.3(2)N1(1)',\n '7.3(2)N1(1b)',\n '7.3(2)N1(1c)',\n '7.3(3)N1(1)',\n '7.3(4)N1(1)',\n '7.3(4)N1(1a)',\n '7.3(5)N1(1)',\n '7.3(6)N1(1)',\n '7.3(6)N1(1a)',\n '7.3(7)N1(1)',\n '7.3(7)N1(1a)'\n );\n }\n\n if (product_info.model =~ \"^60[0-9][0-9]\"){\n cbi = 'CSCvt67739';\n version_list = make_list(\n '6.0(2)N1(1)',\n '6.0(2)N1(1a)',\n '6.0(2)N1(2)',\n '6.0(2)N1(2a)',\n '6.0(2)N2(1)',\n '6.0(2)N2(1b)',\n '6.0(2)N2(2)',\n '6.0(2)N2(3)',\n '6.0(2)N2(4)',\n '6.0(2)N2(5)',\n '6.0(2)N2(5a)',\n '6.0(2)N2(5b)',\n '6.0(2)N2(6)',\n '6.0(2)N2(7)',\n '7.0(0)N1(1)',\n '7.0(1)N1(1)',\n '7.0(2)N1(1)',\n '7.0(3)N1(1)',\n '7.0(4)N1(1)',\n '7.0(4)N1(1a)',\n '7.0(5)N1(1)',\n '7.0(5)N1(1a)',\n '7.0(6)N1(1)',\n '7.0(6)N1(2s)',\n '7.0(6)N1(3s)',\n '7.0(6)N1(4s)',\n '7.0(7)N1(1)',\n '7.0(7)N1(1a)',\n '7.0(7)N1(1b)',\n '7.0(8)N1(1)',\n '7.0(8)N1(1a)',\n '7.1(0)N1(1)',\n '7.1(0)N1(1a)',\n '7.1(0)N1(1b)',\n '7.1(1)N1(1)',\n '7.1(1)N1(1a)',\n '7.1(2)N1(1)',\n '7.1(2)N1(1a)',\n '7.1(3)N1(1)',\n '7.1(3)N1(2)',\n '7.1(3)N1(2a)',\n '7.1(3)N1(3)',\n '7.1(3)N1(4)',\n '7.1(3)N1(5)',\n '7.1(4)N1(1)',\n '7.1(4)N1(1a)',\n '7.1(4)N1(1c)',\n '7.1(4)N1(1d)',\n '7.1(5)N1(1)',\n '7.1(5)N1(1b)',\n '7.2(0)N1(1)',\n '7.2(1)N1(1)',\n '7.3(0)N1(1)',\n '7.3(0)N1(1a)',\n '7.3(0)N1(1b)',\n '7.3(1)N1(1)',\n '7.3(2)N1(1)',\n '7.3(2)N1(1b)',\n '7.3(2)N1(1c)',\n '7.3(3)N1(1)',\n '7.3(4)N1(1)',\n '7.3(4)N1(1a)',\n '7.3(5)N1(1)',\n '7.3(6)N1(1)',\n '7.3(6)N1(1a)',\n '7.3(7)N1(1)',\n '7.3(7)N1(1a)'\n );\n \n }\n\n if (product_info.model =~ \"^70[0-9][0-9]\")\n {\n cbi = 'CSCvt66624';\n smus['7.3(6)D1(1)'] = 'CSCvt66624';\n version_list = make_list(\n '5.2(1)',\n '5.2(3)',\n '5.2(3a)',\n '5.2(4)',\n '5.2(5)',\n '5.2(7)',\n '5.2(9)',\n '5.2(9a)',\n '6.2(10)',\n '6.2(12)',\n '6.2(14)',\n '6.2(14a)',\n '6.2(14b)',\n '6.2(16)',\n '6.2(18)',\n '6.2(2)',\n '6.2(20)',\n '6.2(20a)',\n '6.2(22)',\n '6.2(24)',\n '6.2(2a)',\n '6.2(6)',\n '6.2(6a)',\n '6.2(6b)',\n '6.2(8)',\n '6.2(8a)',\n '6.2(8b)',\n '7.2(0)D1(1)',\n '7.2(1)D1(1)',\n '7.2(2)D1(1)',\n '7.2(2)D1(2)',\n '7.2(2)D1(3)',\n '7.2(2)D1(4)',\n '7.3(0)D1(1)',\n '7.3(0)DX(1)',\n '7.3(1)D1(1)',\n '7.3(2)D1(1)',\n '7.3(2)D1(1d)',\n '7.3(2)D1(2)',\n '7.3(2)D1(3)',\n '7.3(2)D1(3a)',\n '7.3(3)D1(1)',\n '7.3(4)D1(1)',\n '7.3(5)D1(1)',\n '7.3(6)D1(1)'\n );\n }\n\n if (product_info.model =~ \"^90[0-9][0-9]\")\n {\n cbi = 'CSCun53663';\n version_list = make_list(\n '6.1(2)I1(2)',\n '6.1(2)I1(3)',\n '6.1(2)I2(1)',\n '6.1(2)I2(2)',\n '6.1(2)I2(2a)',\n '6.1(2)I2(2b)',\n '6.1(2)I2(3)',\n '6.1(2)I3(1)',\n '6.1(2)I3(2)',\n '6.1(2)I3(3)',\n '6.1(2)I3(3a)',\n '7.0(3)I1(1)',\n '7.0(3)I1(1a)',\n '7.0(3)I1(1b)',\n '7.0(3)I1(1z)'\n );\n }\n}\n\nif (empty_or_null(cbi)) audit(AUDIT_HOST_NOT, 'an affected model');\n\nif (report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\nworkarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);\nworkaround_params = make_list();\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_WARNING,\n 'version' , product_info.version,\n 'bug_id' , cbi,\n 'disable_caveat', TRUE\n);\n\ncisco::check_and_report(\n product_info:product_info,\n workarounds:workarounds,\n workaround_params:workaround_params,\n reporting:reporting,\n vuln_versions:version_list,\n switch_only:TRUE,\n smus:smus\n);\n\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "f5": [{"lastseen": "2021-09-01T13:00:43", "description": "Multiple products that implement the IP Encapsulation within IP standard (RFC 2003, STD 1) decapsulate and route IP-in-IP traffic without any validation, which could allow an unauthenticated remote attacker to route arbitrary traffic via an exposed network interface and lead to spoofing, access control bypass, and other unexpected network behaviors. ([CVE-2020-10136](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10136>))\n\nImpact\n\nThere is no impact; F5 products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2020-07-01T05:52:00", "type": "f5", "title": "IP-in-IP Packet Processing vulnerability CVE-2020-10136", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10136"], "modified": "2020-07-01T05:52:00", "id": "F5:K44453423", "href": "https://support.f5.com/csp/article/K44453423", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "cisco": [{"lastseen": "2022-12-22T12:19:03", "description": "A vulnerability in the network stack of Cisco NX-OS Software could allow an unauthenticated, remote attacker to bypass certain security boundaries or cause a denial of service (DoS) condition on an affected device.\n\nThe vulnerability is due to the affected device unexpectedly decapsulating and processing IP in IP packets that are destined to a locally configured IP address. An attacker could exploit this vulnerability by sending a crafted IP in IP packet to an affected device. A successful exploit could cause the affected device to unexpectedly decapsulate the IP in IP packet and forward the inner IP packet. This may result in IP packets bypassing input access control lists (ACLs) configured on the affected device or other security boundaries defined elsewhere in the network.\n\nUnder certain conditions, an exploit could cause the network stack process to crash and restart multiple times, leading to a reload of the affected device and a DoS condition.\n\nCisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4 [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4\"]", "cvss3": {}, "published": "2020-06-01T16:00:00", "type": "cisco", "title": "Cisco NX-OS Software Unexpected IP in IP Packet Processing Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2020-10136"], "modified": "2020-06-01T16:00:00", "id": "CISCO-SA-NXOS-IPIP-DOS-KCT9X4", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4", "cvss": {"score": 8.6, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"}}], "cert": [{"lastseen": "2022-02-01T00:00:00", "description": "### Overview\n\nIP Encapsulation within IP (RFC2003 IP-in-IP) can be abused by an unauthenticated attacker to unexpectedly route arbitrary network traffic through a vulnerable device.\n\n### Description\n\nIP-in-IP encapsulation is a tunneling protocol specified in RFC 2003 that allows for IP packets to be encapsulated inside another IP packets. This is very similar to IPSEC VPNs in tunnel mode, except in the case of IP-in-IP, the traffic is unencrypted. As specified, the protocol unwraps the inner IP packet and forwards this packet through IP routing tables, potentially providing unexpected access to network paths available to the vulnerable device. An IP-in-IP device is considered to be vulnerable if it accepts IP-in-IP packets from any source to any destination without explicit configuration between the specified source and destination IP addresses. This unexpected Data Processing Error (CWE-19) by a vulnerable device can be abused to perform reflective DDoS and in certain scenarios used to bypass network access control lists. Because the forwarded network packet may not be inspected or verified by vulnerable devices, there are possibly other unexpected behaviors that can be abused by an attacker on the target device or the target device's network environment.\n\n### Impact\n\nAn unauthenticated attacker can route network traffic through a vulnerable device, which may lead to reflective DDoS, information leak and bypass of network access controls.\n\n### Solution\n\n#### Apply updates\n\nThe CERT/CC recommends that you apply the latest patch provided by the affected vendor that addresses this issue. Review the vendor information below or contact your vendor or supplier for specific mitigation advice. If a device has the ability to disable IP-in-IP in its configuration, it is recommended that you disable IP-in-IP in all interfaces that do not require this feature. Device manufacturers are urged to disable IP-in-IP in their default configuration and to require their customers to explicitly configure IP-in-IP as and when needed.\n\n#### Disable IP-in-IP\n\nUsers can block IP-in-IP packets by filtering IP protocol number 4. Note this filtering is for the IPv4 Protocol (or IPv6 Next Header) field value of 4 and _not_ IP protocol version 4 (IPv4).\n\n#### Proof of Concept (PoC)\n\nA proof-of-concept originally written by Yannay Livneh is [available](<https://github.com/CERTCC/PoC-Exploits/tree/master/cve-2020-10136>) in the CERT/CC PoC respository.\n\n#### Detection Signature (IDS)\n\nThis Snort IDS rule looks for any IP-in-IP traffic, whether intentional or not seen at upstream network path of a vulnerable device. This Snort or Suricata rule can be modified to apply filters that ignore sources and destinations that are allowed by policy to route IP-in-IP traffic.\n\n`alert ip any any -> any any (msg: \"IP-in-IP Tunneling VU#636397 https://kb.cert.org\"; ip_proto:4; sid: 1367636397; rev:1;)`\n\n### Acknowledgements\n\nThanks to Yannay Livneh for reporting this issue to us.\n\nThis document was written by Vijay Sarvepalli.\n\n### Vendor Information\n\n636397\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n### Cisco __ Affected\n\nNotified: 2020-03-26 Updated: 2020-06-24 **CVE-2020-10136**| Affected \n---|--- \n \n#### Vendor Statement\n\nPlease visit Cisco public advisory https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4\n\n#### References\n\n * <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4>\n\n### Digi International __ Affected\n\nUpdated: 2020-06-24 **CVE-2020-10136**| Affected \n---|--- \n \n#### Vendor Statement\n\nSAROS VERSION 8.1.0.1 (Bootloader 7.67) released on 23 April 2020 fixes this issue.\n\n#### References\n\n * <https://www.digi.com/resources/security>\n\n### HP Inc. __ Affected\n\nUpdated: 2020-06-24 **CVE-2020-10136**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://support.hp.com/us-en/document/c06640149>\n\n#### CERT Addendum\n\nHP Security Bulletin c06640149 addresses this vulnerability along with others impacting HP Samsung branded printers. https://support.hp.com/us-en/document/c06640149\n\n### Samsung __ Affected\n\nUpdated: 2020-06-24 **CVE-2020-10136**| Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### CERT Addendum\n\nAs of September 12, 2016, HP has acquired and presently owns Samsung printer\u2019s division. Please see HP vendor section for further information. https://investor.hp.com/news/press-release-details/2016/HP-Acquires-Samsung-Printer-Business/default.aspx\n\n### Treck __ Affected\n\nUpdated: 2020-06-24 **CVE-2020-10136**| Affected \n---|--- \n \n#### Vendor Statement\n\nStarting with Treck release 6.0.1.67, configuring a 6over4 tunnel no longer automatically enables IP encapsulation within IP\n\n#### CERT Addendum\n\nPlease update your Treck embedded TCP/IP software to the version 6.0.1.67 or later to prevent unexpected tunneling behavior in your TCP/IP stack.\n\n### Allegro Software Development Corporation __ Not Affected\n\nNotified: 2020-04-09 Updated: 2020-06-24 **CVE-2020-10136**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nAllegro Software does not provide operating systems or network TCP/IP stack. Only webserver software is OEM sold to device manufacturers\n\n### Aruba Networks __ Not Affected\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nAruba Networks has tested products across our range and has not found the vulnerable behavior to be allowed anywhere. To the best of our knowledge no Aruba Network products are affected by this vulnerability.\n\n### Joyent __ Not Affected\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nDefault configurations of illumos, even where packet-forwarding is enabled (see the routeadm(1M) man page), should not be vulnerable to this attack.\n\n### LANCOM Systems GmbH __ Not Affected\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nLANCOM Systems products are not vulnerable to these vulnerabilities.\n\n### Sierra Wireless __ Not Affected\n\nUpdated: 2020-06-24 **CVE-2020-10136**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have surveyed our products and determined we are unaffected by this issue.\n\n#### References\n\n * <https://www.sierrawireless.com/company/security/>\n\n### TP-LINK Not Affected\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Technicolor Not Affected\n\nNotified: 2020-06-15 Updated: 2020-06-24\n\n**Statement Date: June 23, 2020**\n\n**CVE-2020-10136**| Not Affected \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### A10 Networks Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ADTRAN Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ANTlabs Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ARRIS Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ASUSTeK Computer Inc. Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### AVM GmbH Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Actelis Networks Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Actiontec Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Advantech B-B Technology Unknown\n\nNotified: 2020-04-08 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### AhnLab Inc Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### AirWatch Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Akamai Technologies Inc. Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Alcatel-Lucent Enterprise Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Alpine Linux Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Amazon Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Android Open Source Project Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Arch Linux Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Aspera Inc. Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Barracuda Networks Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Bell Canada Enterprises Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### BlackBerry Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### BlueCat Networks Inc. Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Blunk Microsystems Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Brocade Communication Systems Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Buffalo Technology Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### CA Technologies Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### CZ.NIC Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Cambium Networks Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Cirpack Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Contiki OS Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### CoreOS Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Cypress Semiconductor Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### D-Link Systems Inc. Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Dell Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Dell SecureWorks Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### DesktopBSD Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Deutsche Telekom Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### DragonFly BSD Project Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### ENEA Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### EfficientIP Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### European Registry for Internet Domains Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### F-Secure Corporation Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### F5 Networks Inc. Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Fedora Project Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Foundry Brocade Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### GNU adns Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Geexbox Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Gentoo Linux Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Google Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Green Hills Software Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### HCC Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### HardenedBSD Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Huawei Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### IBM Corporation (zseries) Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Intel Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Juniper Networks Unknown\n\nNotified: 2020-04-28 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### LG Electronics Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### LITE-ON Technology Corporation Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Lancope Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Lantronix Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### LibreSSL Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Linksys Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### LiteSpeed Technologies Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Lynx Software Technologies Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Maipu Communication Technology Unknown\n\nUpdated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Marvell Semiconductor Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### McAfee Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### McCain Inc Unknown\n\nUpdated: 2020-09-30 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Men & Mice Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Microchip Technology Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Microsoft Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Miredo Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Mitel Networks Inc. Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Muonics Inc. Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NEC Corporation Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NIKSUN Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NLnet Labs Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NetBSD Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### NetBurner Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Nexenta Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Nixu Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Nokia Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Nominum Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### OpenConnect Ltd Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Openwall GNU/*/Linux Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Oracle Corporation Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Paessler Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Palo Alto Networks Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Philips Electronics Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Proxim Inc. Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### QLogic Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Qualcomm Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Red Hat Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Riverbed Technologies Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Rocket RTOS (Inactive) Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Ruckus Wireless Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### SMC Networks Inc. Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### SUSE Linux Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Secure64 Software Corporation Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### SmoothWall Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Snort Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Sonos Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Sony Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Sophos Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Symantec Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### TCPWave Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Tenable Network Security Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### TippingPoint Technologies Inc. Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Tizen Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Turbolinux Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Ubiquiti Networks Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### VMware Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### WizNET Technology Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Xiaomi Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Zebra Technologies Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Zephyr Project Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### eero Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### lwIP Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### netsnmpj Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### wolfSSL Unknown\n\nNotified: 2020-04-29 Updated: 2020-06-24 **CVE-2020-10136**| Unknown \n---|--- \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\nView all 132 vendors __View less vendors __\n\n \n\n\n### References\n\n * <https://tools.ietf.org/html/rfc2003>\n * <https://tools.ietf.org/html/rfc6169>\n * <https://github.com/CERTCC/PoC-Exploits/tree/master/cve-2020-10136>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2020-10136 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2020-10136>) \n---|--- \n**Date Public:** | 2020-06-01 \n**Date First Published:** | 2020-06-02 \n**Date Last Updated: ** | 2020-09-30 18:58 UTC \n**Document Revision: ** | 14 \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2020-06-02T00:00:00", "type": "cert", "title": "IP-in-IP protocol routes arbitrary traffic by default", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10136"], "modified": "2020-09-30T18:58:00", "id": "VU:636397", "href": "https://www.kb.cert.org/vuls/id/636397", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "redhatcve": [{"lastseen": "2023-02-01T05:16:15", "description": "A flaw was found in the IP-in-IP protocol. An unauthenticated attacker can use the IP-in-IP protocol to route network traffic through a vulnerable device, which can lead to spoofing, access control bypasses, and other unexpected network behaviors.\n#### Mitigation\n\nSystems that have IP in IP kernel modules loaded will need to unload the "ipip" kernel module and blacklist it to prevent the module from being used a fix has been provided ( See <https://access.redhat.com/solutions/41278> for a guide on how to blacklist modules). \n\n\nTake careful consideration that if unloading and blacklisting the module, this may create a one-time attack vector window for a local attacker. \n\n\nConsider using an alternative authenticated and encrypted tunnelling protocol until a suitable solution is developed. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-06-10T06:54:44", "type": "redhatcve", "title": "CVE-2020-10136", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10136"], "modified": "2023-02-01T04:53:19", "id": "RH:CVE-2020-10136", "href": "https://access.redhat.com/security/cve/cve-2020-10136", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "hackerone": [{"lastseen": "2023-02-04T17:37:50", "bounty": 750.0, "description": "Many machines (150K-180K) on the internet accept and route IP over IP by default.\n\nIP-in-IP encapsulation is a tunneling protocol specified in RFC 2003 that allows for IP packets to be encapsulated inside another IP packets. This is very similar to IPSEC VPNs in tunnel mode, except in the case of IP-in-IP, the traffic is unencrypted. As specified, the protocol unwraps the inner IP packet and forwards this packet through IP routing tables, potentially providing unexpected access to network paths available to the vulnerable device. An IP-in-IP device is considered to be vulnerable if it accepts IP-in-IP packets from any source to any destination without explicit configuration between the specified source and destination IP addresses. This unexpected Data Processing Error (CWE-19) by a vulnerable device can be abused to perform reflective DDoS and in certain scenarios used to bypass network access control lists. Because the forwarded network packet may not be inspected or verified by vulnerable devices, there are possibly other unexpected behaviors that can be abused by an attacker on the target device or the target device's network environment.\n\nSee full details here (\"Description\" copied here):\nhttps://kb.cert.org/vuls/id/636397\n\n## Impact\n\nAn unauthenticated attacker can route network traffic through a vulnerable device, which may lead to reflective DDoS, information leak and bypass of network access controls.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-06-08T15:56:21", "type": "hackerone", "title": "Internet Bug Bounty: IP-in-IP protocol routes arbitrary traffic by default - CVE-2020-10136", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-10136"], "modified": "2021-08-15T05:03:49", "id": "H1:893922", "href": "https://hackerone.com/reports/893922", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "threatpost": [{"lastseen": "2020-10-15T22:19:01", "description": "Cisco has patched a high-severity flaw in its NX-OS software, the network operating system used by Cisco\u2019s Nexus-series Ethernet switches.\n\nIf exploited, the vulnerability could allow an unauthenticated, remote attacker to bypass the input access control lists (ACLs) configured on affected Nexus switches \u2013 and launch a denial of service (DoS) attacks on the devices.\n\n\u201cA successful exploit could cause the affected device to unexpectedly decapsulate the IP-in-IP packet and forward the inner IP packet,\u201d according to Cisco\u2019s security advisory, [published on Monday](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4>). \u201cThis may result in IP packets bypassing input ACLs configured on the affected device or other security boundaries defined elsewhere in the network.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vulnerability ([CVE-2020-10136](<https://nvd.nist.gov/vuln/detail/CVE-2020-10136>)) stems from the network stack of Cisco\u2019s NX-OS software. Specifically, it exists in a tunneling protocol called IP-in-IP encapsulation. This protocol allows IP packets to be encapsulated inside another IP packet. The IP-in-IP protocol on the affected software were accepting IP-in-IP packets from any source \u2014 to any destination \u2014 without explicit configuration between the specified source and destination IP addresses.\n\nAn attacker could exploit this issue by sending a crafted IP-in-IP packet to an affected device. Cisco said that under \u201ccertain conditions,\u201d the crafted packets could cause the network stack process to crash and restart multiple times \u2014 ultimately leading to DoS for affected devices.\n\nSpecifically impacted by the flaw are the Nexus 1000, 3000, 5500, 5600, 6000, 7000 and 9000 series, as well as Cisco Unified Computing System (UCS) 6200 and 06300 Series Fabric Interconnects (see a full list of affected models below). Users can also check whether their version of Cisco NX-OS is impacted using a [checking tool available on Cisco\u2019s advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4>).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/06/02110207/cisco-flaw.png>)\n\nUsers can update to the latest patch, and, \u201cif a device has the ability to disable IP-in-IP in its configuration, it is recommended that you disable IP-in-IP in all interfaces that do not require this feature,\u201d according to a [Tuesday CERT Coordination Center notice](<https://kb.cert.org/vuls/id/636397>). \u201cDevice manufacturers are urged to disable IP-in-IP in their default configuration and to require their customers to explicitly configure IP-in-IP as and when needed.\u201d\n\nProof-of-concept (PoC) exploit code was released for the bug by [Yannay Livneh](<https://github.com/CERTCC/PoC-Exploits/tree/master/cve-2020-10136>), who had also discovered the flaw.\n\n\u201cYou can use this code to verify if your device supports default IP-in-IP encapsulation from arbitrary sources to arbitrary destinations,\u201d said Livneh on GitHub. \u201cThe intended use of this code requires at least two more devices with distinct IP addresses for these two devices.\u201d\n\nCisco said it is \u201cnot aware of any public announcements or malicious use of the vulnerability.\u201d The vulnerability ranks 8.6 out of 10 on the CVSS scale, making it high severity.\n\nThe flaw [comes a week after Cisco announced](<https://threatpost.com/hackers-compromise-cisco-servers-saltstack/156091/>) that attackers were able to compromise its servers, after exploiting two known, critical[ SaltStack vulnerabilities](<https://threatpost.com/salt-bugs-full-rce-root-cloud-servers/155383/>). The flaws exist in the open-source Salt management framework, which are used in Cisco network-tooling products.\n\n**_Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On _**[**_June 3 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, _**[**_Taming the Unmanaged and IoT Device Tsunami_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_. Get exclusive insights on how to manage this new and growing attack surface. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/1837650474090338831?source=ART>)**_ for this sponsored webinar._**\n", "cvss3": {}, "published": "2020-06-02T16:16:31", "type": "threatpost", "title": "Severe Cisco DoS Flaw Can Cripple Nexus Switches", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-10136", "CVE-2020-24400", "CVE-2020-24407", "CVE-2020-5135"], "modified": "2020-06-02T16:16:31", "id": "THREATPOST:B664DFB1B57D66837AE025D5CD687F70", "href": "https://threatpost.com/cisco-dos-flaw-nexus-switches/156203/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}]}