CVE-2020-10136

2020-06-1006:54:44

redhat.com

access.redhat.com

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.011 Low

EPSS

Percentile

83.9%

JSON

A flaw was found in the IP-in-IP protocol. An unauthenticated attacker can use the IP-in-IP protocol to route network traffic through a vulnerable device, which can lead to spoofing, access control bypasses, and other unexpected network behaviors.

Mitigation

Systems that have IP in IP kernel modules loaded will need to unload the "ipip" kernel module and blacklist it to prevent the module from being used a fix has been provided ( See <https://access.redhat.com/solutions/41278> for a guide on how to blacklist modules).

Take careful consideration that if unloading and blacklisting the module, this may create a one-time attack vector window for a local attacker.

Consider using an alternative authenticated and encrypted tunnelling protocol until a suitable solution is developed.