PT-2022-2315 · Cisco · Cisco Ios Xe

Published

2022-04-13

·

Updated

2024-02-07

·

CVE-2022-20679

CVSS v3.1

7.7

High

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Cisco IOS XE Software (affected versions not specified)
Description

A vulnerability in the IPsec decryption routine of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition. The issue is due to buffer exhaustion that occurs while traffic on a configured IPsec tunnel is being processed. An attacker could exploit it by sending traffic to an affected device that has a maximum transmission unit (MTU) of 1800 bytes or greater. Because every network device between the attacker and the affected device must also forward packets of 1800 bytes or greater, the attacker may need access to the trusted network where the affected device sits in order to deliver the specific packets that trigger the condition.

Recommendations

Update to a Cisco IOS XE Software release that includes the fix for this vulnerability. Until the update is applied, restrict the MTU to less than 1800 bytes on all network devices between potential attackers and the affected device, so that packets large enough to trigger the condition cannot reach it, and restrict which sources are able to send traffic into the IPsec tunnel to reduce exposure. Apply any further workarounds provided by Cisco for this vulnerability.
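The workaround above turns on a single measurable property: whether frames of 1800 bytes or more can reach an interface that feeds the IPsec decryption path. The following audit is an added example written for this page, not Cisco's code or tooling. It parses an IOS XE running-config and flags physical interfaces whose configured `mtu` meets the threshold, separating those that terminate IPsec (a `crypto map` applied to the interface, or the `tunnel source` of a Tunnel with `tunnel protection ipsec profile`) from those that merely need the transit-MTU workaround. The sample config is constructed; the 1500-byte default for interfaces without an `mtu` line and the 1500-byte remediation target are assumptions.

```python
"""Editor-added audit (not Cisco's code): flag IOS XE interfaces where the
1800-byte MTU trigger described for CVE-2022-20679 is reachable.  The
running-config below is constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

MTU_THRESHOLD = 1800  # trigger size named in the advisory text
DEFAULT_MTU = 1500    # assumption: Ethernet default used when no "mtu" line is present


@dataclass
class Interface:
    name: str
    mtu: Optional[int] = None          # interface-level "mtu N": largest frame accepted
    crypto_map: bool = False           # crypto-map IPsec applied on this interface
    tunnel_protection: bool = False    # "tunnel protection ipsec profile ..." (Tunnel only)
    tunnel_source: Optional[str] = None

    def is_tunnel(self) -> bool:
        return self.name.lower().startswith("tunnel")

    def frame_mtu(self) -> int:
        return self.mtu if self.mtu is not None else DEFAULT_MTU


def parse_interfaces(config: str) -> List[Interface]:
    """Indented lines belong to the most recent top-level 'interface' stanza;
    any other top-level line (including '!') ends the stanza."""
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            m = re.match(r"interface\s+(\S+)", raw)
            current = Interface(m.group(1)) if m else None
            if current is not None:
                interfaces.append(current)
            continue
        if current is None:
            continue
        stmt = raw.strip()
        if m := re.fullmatch(r"mtu\s+(\d+)", stmt):
            current.mtu = int(m.group(1))
        elif stmt.startswith("crypto map "):
            current.crypto_map = True
        elif stmt.startswith("tunnel protection ipsec"):
            current.tunnel_protection = True
        elif m := re.fullmatch(r"tunnel source\s+(\S+)", stmt):
            current.tunnel_source = m.group(1)
    return interfaces


def ipsec_facing(interfaces: List[Interface]) -> Set[str]:
    """Physical interfaces whose inbound traffic reaches IPsec decryption: those
    with a crypto map, plus the tunnel source of every IPsec-protected Tunnel.
    A tunnel source given as an IP address rather than an interface is left unresolved."""
    names = {i.name for i in interfaces}
    facing = {i.name for i in interfaces if i.crypto_map}
    for i in interfaces:
        if i.tunnel_protection and i.tunnel_source in names:
            facing.add(i.tunnel_source)
    return facing


def audit(config: str) -> Dict[str, List[str]]:
    """'ipsec_exposed': IPsec-facing interfaces accepting frames >= 1800 bytes.
    'oversized': every physical interface at/above the threshold, since the
    workaround also asks for MTU < 1800 on the devices in between."""
    interfaces = parse_interfaces(config)
    facing = ipsec_facing(interfaces)
    physical = [i for i in interfaces if not i.is_tunnel()]
    oversized = [i.name for i in physical if i.frame_mtu() >= MTU_THRESHOLD]
    return {"ipsec_exposed": [n for n in oversized if n in facing], "oversized": oversized}


def remediation(config: str, target_mtu: int = DEFAULT_MTU) -> List[str]:
    """CLI lines applying the MTU workaround (editor's suggestion; target_mtu is assumed)."""
    lines: List[str] = []
    for name in audit(config)["oversized"]:
        lines += [f"interface {name}", f" mtu {target_mtu}"]
    return lines


# Constructed sample running-config, not taken from a real device.
SAMPLE_CONFIG = """\
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.9
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.252
 mtu 9000
 crypto map VPN-MAP
!
interface GigabitEthernet0/0/1
 ip address 198.51.100.1 255.255.255.252
 mtu 1800
!
interface Tunnel100
 ip address 10.10.10.1 255.255.255.0
 ip mtu 1400
 tunnel source GigabitEthernet0/0/1
 tunnel destination 203.0.113.20
 tunnel protection ipsec profile DMVPN-PROF
!
interface GigabitEthernet0/0/2
 ip address 10.1.1.1 255.255.255.0
 mtu 2000
!
interface GigabitEthernet0/0/3
 ip address 10.2.2.1 255.255.255.0
!
"""
```

Run against the sample, `audit` reports GigabitEthernet0/0/0 and GigabitEthernet0/0/1 as IPsec-exposed (9000 and 1800 bytes respectively; the Tunnel's own `ip mtu 1400` does not help because the encrypted packets arrive on its source interface), lists GigabitEthernet0/0/2 as oversized only, and leaves GigabitEthernet0/0/3 alone at the assumed 1500-byte default. Feed it the output of `show running-config`; tunnel sources configured as IP addresses need to be mapped to interfaces by hand.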

Fix

DoS


Weakness Enumeration

Related Identifiers

BDU:2022-02502
CVE-2022-20679

Affected Products

Cisco Ios Xe