Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

CVE-2020-10136: IP-in-IP Packet Processing Vulnerability Could Lead to DDoS, Network Access Bypass and Information Disclosure

IP-in-IP packet processing, a protocol used for tunneling by numerous vendors, contains a vulnerability that may lead to DDoS, information leakage and bypass of network access controls.

Background

On June 2, the CERT Coordination Center (CERT/CC) released vulnerability note VU#636397 detailing an unauthenticated vulnerability in the IP encapsulation within IP (IP-in-IP) protocol. The original disclosure is credited to Yannay Livneh, a cybersecurity researcher on the Enigmatos team.

How IP-in-IP protocols work

The IP-in-IP protocol, outlined in RFC2003, provides a mechanism to encapsulate one IP datagram within another IP datagram for tunneling, which allows for communication between two IP networks that do not have a native routing path. This process includes both an inner and outer IP header. The inner header, which contains the original Source Address of the sender and Destination Address of the recipient, remains unchanged throughout the journey with the exception of a decremented time to live (TTL). The outer IP header identifies the endpoints of the tunnel using the Source Address and the Destination Address. These encapsulated datagrams are decapsulated at an intermediate destination node to reveal the original IP datagram before being sent to the Destination Address highlighted in the inner IP header. The use of IP-in-IP encapsulation can be identified in packets that have an IP protocol header value of 4.

Analysis

CVE-2020-10136 is an IP-in-IP processing vulnerability that could allow an unauthenticated attacker to route traffic through exposed interfaces on vulnerable devices, which may result in a reflected distributed denial of service (DDoS), information leakage and the bypass of network access controls (NACs). The vulnerability exists due to an unexpected Data Processing Error, which may result in vulnerable devices not correctly inspecting and verifying forwarded packets that could have originated from a malicious source or been intended for a malicious destination. Yannay’s original disclosure included two scenarios in which his code could be used to exploit this vulnerability:

Scenario 1: Spoof Mode

In spoof mode, an attacker would send a crafted malicious IP-in-IP packet to VULNERABLE_MACHINE_IP, which would then replay a packet to a VICTIM_IP. As the VULNERABLE_MACHINE_IP is a valid trusted source, the packet would not be blocked by any anti-spoofing countermeasures. A scenario like this allows for packets to be sent en masse, demonstrating how a DDoS attack could be achieved.

Image Source: CERT/CC GitHub Repository

Scenario 2: Bypass Mode

In bypass mode, an attacker would send a crafted malicious IP-in-IP packet to a VULNERABLE_MACHINE_IP, which would decapsulate the packet and forward the inner IP packet to the VICTIM_IP with the source IP address of the DATA_COLLECT_IP. The attacker can use the VULNERABLE_MACHINE_IP as a forwarding point to gather information from the DATA_COLLECT_IP by having the VICTIM_IP send queries for enabled protocols, such as SNMP to DATA_COLLECT_IP.

Image Source: CERT/CC GitHub Repository

Proof of concept

The original proof of concept (PoC) created by Livneh has been added to the CERT/CC GitHub repository.

Solution

At the time this blog was published, CERT/CC has confirmed that the following four vendors are affected by this vulnerability:

  • Hewlett Packard Enterprise
  • Digi International
  • Treck
  • Cisco

Cisco released an advisory for CVE-2020-10136 on June 1 for NX-OS Software. A comprehensive list of affected vendors and their impacted product/versions can be found on the CERT/CC advisory with their respective statements. This list will continue to be updated by CERT/CC as the vendors respond. We recommend that the latest patches are applied to affected products as highlighted by the individual vendors’ responses.

If circumstances do not allow for the application of the advised patches, CERT/CC recommends that users disable IP-in-IP on any devices and interfaces where it is not required. If IP-in-IP must be enabled, packets using IP protocol 4 should be filtered. This does not mean filtering for IPv4 packets, but rather packets with an IP protocol header value of 4.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training