Cisco Bug: CSCvu04413 - Cisco IOS XE Software for Cisco ASR 1000 Series ESP-20 IP ARP DoS Vulnerability

Last Modified

Oct 14, 2020

Products (5)

  • Cisco 2600 Series Multiservice Platforms
  • Cisco 1000 Series Integrated Services Routers
  • Cisco 4000 Series Integrated Services Routers
  • Cisco ASR 1000 Series Aggregation Services Routers
  • Cisco Cloud Services Router 1000V Series

Known Affected Releases

16.9.1 17.4.1

Description (partial)

Symptom:
A vulnerability in the IP Address Resolution Protocol (ARP) feature of Cisco IOS XE Software for Cisco ASR 1000 Series Aggregation Services Routers with a 20-Gbps Embedded Services Processor (ESP) installed could allow an unauthenticated, adjacent attacker to cause an affected device to reload, resulting in a denial of service condition.

The vulnerability is due to insufficient error handling when an affected device has reached platform limitations. An attacker could exploit this vulnerability by sending a malicious series of IP ARP messages to an affected device. A successful exploit could allow the attacker to exhaust system resources, which would eventually cause the affected device to reload.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esp20-arp-dos-GvHVggqJ

Conditions:
For information on fixed versions of software, consult the Cisco IOS Software Checker:
https://tools.cisco.com/security/center/softwarechecker.x

See the Vulnerable Products section of the advisory for full details:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esp20-arp-dos-GvHVggqJ#vp