Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

IP-in-IP Vulnerability Affects Devices From Cisco and Others

A vulnerability related to the IP-in-IP tunneling protocol that can be exploited for denial-of-service (DoS) attacks and to bypass security controls has been found to impact devices from Cisco and other vendors.

A vulnerability related to the IP-in-IP tunneling protocol that can be exploited for denial-of-service (DoS) attacks and to bypass security controls has been found to impact devices from Cisco and other vendors.

“An unauthenticated attacker can route network traffic through a vulnerable device, which may lead to reflective DDoS, information leak and bypass of network access controls,” the CERT Coordination Center (CERT/CC) said in an advisory published on Tuesday.

Cisco has released security updates to address the vulnerability in its NX-OS software. Tracked as CVE-2020-10136 and featuring a CVSS score of 8.6, the security flaw was identified in the network stack of the software and it can be exploited by a remote attacker, without authentication.

An attacker able to successfully exploit the issue could bypass certain security boundaries or cause a DoS condition, the company warns.

“The vulnerability is due to the affected device unexpectedly decapsulating and processing IP in IP packets that are destined to a locally configured IP address. An attacker could exploit this vulnerability by sending a crafted IP in IP packet to an affected device,” Cisco explains in an advisory.

An attacker could cause the impacted device to decapsulate the IP-in-IP packet and then forward the inner IP packet, thus causing IP packets to bypass input access control lists (ACLs) on the device or other security boundaries on the network.

“Under certain conditions, an exploit could cause the network stack process to crash and restart multiple times, leading to a reload of the affected device and a DoS condition,” Cisco also explains.

The issue can be triggered by IP-in-IP traffic destined to the affected device, and not by traffic that only transits an affected device. Moreover, it requires for both the carrier and the passenger datagrams in the IP in IP packets to be IPv4, and cannot be triggered if IPv6 datagrams are present. Other tunneling protocol cannot trigger the issue either.

According to the company, the vulnerability impacts the following Nexus switches: 1000 Virtual Edge for VMware vSphere (CSCvu10050), 1000V for Microsoft Hyper-V (CSCvt67738) and VMware vSphere (CSCvt67738), a limited set of 3000 Series (CSCun53663) and 9000 Series in standalone NX-OS mode (CSCun53663), 5500 (CSCvt67739) and 5600 Platform Switches (CSCvt67739), 6000 (CSCvt67739) and 7000 (CSCvt66624) Series, and UCS 6200 (CSCvu03158) and UCS 6300 (CSCvt67740) Series Fabric Interconnects.

Cisco also explains that even devices that do not have an IP in IP tunnel interface configured are affected. UCS Fabric Interconnects, on the other hand, are impacted only when NetFlow monitoring is enabled and “a flow exporter profile is configured with a source IP address set for the exporter interface.”

Firepower 1000 Series, Firepower 2100 Series, Firepower 4100 Series, Firepower 9300 Security Appliances, MDS 9000 Series Multilayer Switches, Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode, and UCS 6400 Series Fabric Interconnects are not affected.

Cisco has released software updates to address the issue and also detailed workaround steps customers can take to mitigate the vulnerability. The company says it is not aware of the vulnerability being exploited in attacks.

CERT/CC reveals that products from Digi International, Hewlett Packard Enterprise, and Treck are also affected. Digi International addressed the bug with the release of SAROS VERSION (Bootloader 7.67) on 23 April 2020, while Treck fixed it in release

A proof-of-concept (PoC) exploiting the vulnerability was made public in the CERT/CC PoC repository.

Related: Cisco Servers Hacked via Salt Vulnerabilities

Related: Cisco Patches Critical Vulnerability in Contact Center Software

Related: Cisco Patches High Severity Vulnerabilities in Security Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.