CVE-2020-3220Insufficient Verification of Data Authenticity in Cisco IOS XE Software 16.4.1

CWE-345Insufficient Verification of Data Authenticity4 documents4 sources
Severity
6.8MEDIUMNVD
EPSS
0.4%
top 38.07%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Cisco IOS XE Software 16.4.1Cisco IOS XE
Timeline
PublishedJun 3
Latest updateMay 24

Description

A vulnerability in the hardware crypto driver of Cisco IOS XE Software for Cisco 4300 Series Integrated Services Routers and Cisco Catalyst 9800-L Wireless Controllers could allow an unauthenticated, remote attacker to disconnect legitimate IPsec VPN sessions to an affected device. The vulnerability is due to insufficient verification of authenticity of received Encapsulating Security Payload (ESP) packets. An attacker could exploit this vulnerability by tampering with ESP cleartext values as a

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:HExploitability: 2.2 | Impact: 4.0

Affected Packages2 packages

NVDcisco/ios_xe68 versions+67

Patches

Patch: tools.cisco.comPatch: tools.cisco.com

🔴Vulnerability Details

2
GHSA
GHSA-rgv9-38w5-x798: A vulnerability in the hardware crypto driver of Cisco IOS XE Software for Cisco 4300 Series Integrated Services Routers and Cisco Catalyst 9800-L Wir2022-05-24
CVEList
Cisco IOS XE Software IPsec VPN Denial of Service Vulnerability2020-06-03

📋Vendor Advisories

1
Cisco
Cisco IOS XE Software IPsec VPN Denial of Service Vulnerability2020-06-03
CVE-2020-3220 — Cisco vulnerability | cvebase