IP-in-IP protocol routes arbitrary traffic by default

mood · Jun 2, 2020

IP-in-IP protocol routes arbitrary traffic by default
Vulnerability Note VU#636397
June 2, 2020
https://kb.cert.org/vuls/id/636397

Overview
IP Encapsulation within IP (RFC2003 IP-in-IP) can be abused by an unauthenticated attacker to unexpectedly route arbitrary network traffic through a vulnerable device.
Description
IP-in-IP encapsulation is a tunneling protocol specified in RFC 2003 that allows for IP packets to be encapsulated inside another IP packets.

Because the forwarded network packet may not be inspected or verified by vulnerable devices, there are possibly other unexpected behaviors that can be abused by an attacker on the target device or the target device's network environment.
Impact
An unauthenticated attacker can route network traffic through a vulnerable device, which may lead to reflective DDoS, information leak and bypass of network access controls.
Click to expand...

Solution
Apply updates
The CERT/CC recommends that you apply the latest patch provided by the affected vendor that addresses this issue.
Disable IP-in-IP
An impacted customer can prevent IP-in-IP packets by filtering IP protcol 4 packets at the upstream router or another device. Note that this filtering is for IP protocol header value of 4 and NOT the IP protocol version of 4 (IPv4).
Proof of Concept (PoC)
A proof-of-concept originally written by Yannay Livneh is available in the CERT/CC PoC respository. [...]
Click to expand...

mood · Jun 2, 2020

Cisco warns: These Nexus switches have been hit by a serious security flaw
Proof-of-concept exploit code is publicly available for a high-severity security flaw affecting Cisco's Nexus switches
June 2, 2020
https://www.zdnet.com/article/cisco...hes-have-been-hit-by-a-serious-security-flaw/

Cisco has warned customers with Nexus switches running its NX-OS software to install updates to address a serious flaw that allows a remote attacker to bypass network access controls and route malicious internet traffic to internal networks.

This bug, tracked as CVE-2020-10136, can be used to trigger a denial of service on affected Nexus switches or, more worryingly, route traffic from an attacker's machine to a target's internal network after bypassing input Access Control Lists (ACLs) for filtering incoming internet traffic.

"An IP-in-IP device is considered to be vulnerable if it accepts IP-in-IP packets from any source to any destination without explicit configuration between the specified source and destination IP addresses," writes Sarvepalli.
And that's the problem affecting multiple Cisco Nexus NX-OS devices that support IP-in-IP packet encapsulation and decapsulation: they aren't meant to decapsulate and process any IP in IP traffic to a device's tunnel interface unless it's been manually configured with ACL inbound tunnel controls.
Click to expand...

"A successful exploit could cause the affected device to unexpectedly decapsulate the IP in IP packet and forward the inner IP packet. This may result in IP packets bypassing input access control lists (ACLs) configured on the affected device or other security boundaries defined elsewhere in the network," Cisco notes.
Click to expand...

Log in or Sign up

IP-in-IP protocol routes arbitrary traffic by default

mood Updates Team

mood Updates Team

Log in or Sign up

IP-in-IP protocol routes arbitrary traffic by default

mood Updates Team

mood Updates Team

Useful Searches