The device on which this vulnerability is exploited requires an interface with both MPLS and ZBFW enabled. Cisco IOS XE Software supports up to 4 instances of an MPLS and ZBFW-enabled interface, and the Cisco IOS Software documentation recommends configuring such an interface with a minimum of 2 instances. In a 6VPE deployment, however, Cisco devices support up to 20 instances of an IPv6 unicast routing instance. If a 6VPE device has a VRF with multiple MPLS and ZBFW-enabled interfaces, the number of instances of these interfaces must be chosen carefully to ensure that there are at least 2. The Cisco IOS XE Software IPv6 default route does not permit any destinations to be reached from the IPv6 unicast routing instance. An attacker could exploit this vulnerability by sending a crafted IPv6 packet from a device on the IPv6-enabled VRF interface to a device on the IPv6-enabled MPLS and ZBFW-enabled interface. A successful exploit could allow the attacker to reload the device, resulting in a DoS condition.

Vulnerability Scoring

CVE-2022-20915 is scored as a Medium severity vulnerability, with a CVSS 3.0 base score of 6.2.

Solution

To mitigate this vulnerability, disable IPv6 on the MPLS and ZBFW-enabled interface.
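One way to find interfaces that still match the exposed pattern (MPLS, a ZBFW zone membership, and IPv6 active) is to scan the running configuration. The following is an added example, not Cisco's own tooling or part of the advisory; the sample configuration, interface names and addresses are constructed, and it assumes the standard IOS XE keywords `mpls ip`, `zone-member security`, `ipv6 address` and `ipv6 enable`.

```python
import re

# Constructed sample running-config (placeholder names/addresses, not from
# the advisory). Gi0/0/0 is exposed; Gi0/0/1 has IPv6 off; Gi0/0/2 has no MPLS.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 mpls ip
 zone-member security CORE
 ipv6 address 2001:db8:1::1/64
!
interface GigabitEthernet0/0/1
 mpls ip
 zone-member security CORE
!
interface GigabitEthernet0/0/2
 vrf forwarding CUST-A
 zone-member security INSIDE
 ipv6 enable
!
"""

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces

def ipv6_enabled(cmds):
    """IPv6 is active on an interface if it has an IPv6 address or 'ipv6 enable'."""
    return any(c.startswith("ipv6 address") or c == "ipv6 enable" for c in cmds)

def exposed_interfaces(config):
    """Return interfaces that have MPLS, a ZBFW zone and IPv6 all enabled,
    i.e. the ones the mitigation (disable IPv6) has not yet been applied to."""
    hits = []
    for name, cmds in parse_interfaces(config).items():
        has_mpls = "mpls ip" in cmds
        has_zbfw = any(c.startswith("zone-member security") for c in cmds)
        if has_mpls and has_zbfw and ipv6_enabled(cmds):
            hits.append(name)
    return hits

if __name__ == "__main__":
    print(exposed_interfaces(SAMPLE_CONFIG))  # → ['GigabitEthernet0/0/0']
```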

Potential Impact of CVE-2022-20915

If you have a 6VPE deployment with a VRF, this vulnerability is not likely to affect your network. If you have a 6VPE deployment without a VRF, however, the handling of IPv6 packets from the IPv6 unicast routing instance to the MPLS and ZBFW-enabled interface could be exploited to cause a DoS condition on the Cisco device.

Products Affected by CVE-2022-20915

Cisco IOS XE Software is affected by this vulnerability.

Timeline

Published on: 10/10/2022 21:15:00 UTC
Last modified on: 10/13/2022 19:57:00 UTC