Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability

A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device.

The vulnerability is due to improper processing of IPv6 traffic that is sent through an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 packets that traverse the affected device. A successful exploit could allow the attacker to access resources that would typically be protected by the interface ACL.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j

Security Impact Rating: Medium

CVE: CVE-2021-1389


Cisco Small Business Smart and Managed Switches Denial of Service Vulnerability

A vulnerability in the IPv6 packet processing engine of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to insufficient validation of incoming IPv6 traffic. An attacker could exploit this vulnerability by sending a crafted IPv6 packet through an affected device. A successful exploit could allow the attacker to cause an unexpected reboot of the switch, leading to a DoS condition.

This vulnerability is specific to IPv6 traffic. IPv4 traffic is not affected.

Cisco has released software updates that address this vulnerability for devices that have not reached the end of software maintenance. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sbss-ipv6-dos-3bLk6vA

Security Impact Rating: High

CVE: CVE-2020-3363


Cisco StarOS IPv6 Denial of Service Vulnerability

A vulnerability in the IPv6 implementation of Cisco StarOS could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

The vulnerability is due to insufficient validation of incoming IPv6 traffic. An attacker could exploit this vulnerability by sending a crafted IPv6 packet to an affected device with the goal of reaching the vulnerable section of the input buffer. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

This vulnerability is specific to IPv6 traffic. IPv4 traffic is not affected.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asr5k-ipv6-dos-ce3zhF8m

Security Impact Rating: Medium

CVE: CVE-2020-3500


SMG 10.6.3-2 IPv6 prefix length

Hello,

I have an SMG 10.6.3-2 and want to configure IPv6.

The problem is that the web interface only allows a /64 prefix for the IPv6 address, but I have to use a /112 prefix.

Is there any possibility to configure the /112 prefix?

Thanks,
Martin

QRadar assumes events with no IPv4 address are from the console IP address

I am using the DSM editor to create a new log source type that does not contain IPv4 addresses in the events, but does include valid IPv6 addresses. The addresses are being parsed correctly into the IPv6 Source and IPv6 Destination properties. However, in the DSM editor, the source IP and destination IP addresses remain 127.0.0.1, and in the events processed by the DSM the IPs are changed to the IP of the console. How can I stop this behavior and include only the correct IPv6 addresses in the event?

Using DNS name in syslog “log source” device configuration?

Anybody able to share experience using DNS names in the configuration of log sources? We’ve always used IP addresses in router and Linux configs, but that makes moving things around later a real pain with around 50,000 devices in the environment (about 10% Cisco, 20% Linux, etc.).

For example, have you encountered many devices which do not accept a DNS name and will only take an IP address? I know some appliances (e.g. older network devices) only want an IPv4 address, may not be configured to resolve DNS, or immediately convert the name to an IP and save the IP in the startup configuration.

Anything else to be concerned with? Our internal DNS is very reliable, so I am not concerned about name resolution failure.
