Cisco Extends Patch for IPv6 DoS Vulnerability


The bug was first found in 2016.

Cisco has extended its patch for a high-severity IPv6 denial-of-service (DoS) vulnerability that was first addressed in 2016.

The bug (CVE-2016-1409) is a vulnerability in the IPv6 packet processing functions of multiple Cisco products, which could allow an unauthenticated, remote attacker to cause an affected device to stop processing IPv6 traffic, leading to a denial of service (DoS) condition on the device.

An attacker could exploit the vulnerability by sending crafted IPv6 Neighbor Discovery (ND) packets to an affected device for processing. A successful exploit could allow the attacker to cause the device to stop processing IPv6 traffic, leading to a DoS condition on the device.

Cisco IOS XR Software, Cisco IOS Software, Cisco IOS XE Software, Cisco NX-OS Software, Cisco ASA Software and Cisco StarOS Software are affected by the flaw, as are all types of line cards on those platforms.

That said, the vulnerability is not Cisco-specific: this issue is a result of vendor misconfiguration, and any IPv6 processing unit not capable of dropping such packets early in the processing path or in hardware is affected by it. Older versions of various Huawei gear and Juniper Junos are also affected, for instance.

Threatpost has reached out to Cisco for more information on what the update specifically addresses, and will update this post accordingly.

It’s only the most recent patch for Cisco, which in August warned of six critical vulnerabilities impacting a wide range of its products, including its Unified Computing System server line and its small business 220 Series Smart switches. In all instances of the vulnerabilities, a remote unauthenticated attacker could take over targeted hardware.


Discussion

  • Dr.Lal on

    Configuring static IPv6 neighbors wherever possible and denying all IPv6 ND packets at the edge will help mitigate this vulnerability.
  • Umar Shelleng on

    I am really not following fully. But it is informative and educational.
  • Judy on

    I have traced the issue since 2016. But I still cannot find any "patch" for Cisco IOS... On the Cisco website, there are only suggested ACL configurations, still no new IOS for this issue.
