Cisco IOS XR Software Enf Broker Denial of Service Vulnerability
cisco-sa-iosxr-dos-WwDdghs2 · High · Published · Updated
Multiple vulnerabilities in the ingress packet processing function of Cisco IOS XR Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities; the mitigations below reduce exposure until the fixed software is installed. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dos-WwDdghs2
Because CVE-2021-1313 can be exploited when processing a stream of either Telnet or ICMP protocol packets, the following steps for mitigation should be implemented together to ensure protection against the two attack vectors:
Disable the Telnet protocol for incoming connections.
Add an access control entry (ACE) to an existing interface ACL, or create a new ACL, that denies ICMP traffic inbound on each exposed interface. IOS XR ACLs end with an implicit deny, so an ACL that contains only the deny ICMP entry drops all other traffic on the interface once it is applied; include a permit entry for the traffic that must still pass. The following input is an example of how to create an IPv4 ACL and deny ICMP traffic (ACL-name is a placeholder for the name you choose):
RP/0/0/CPU0:router(config)# ipv4 access-list ACL-name
RP/0/0/CPU0:router(config-ipv4-acl)# deny icmp any any
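The two mitigation steps above as one complete IOS XR configuration session, added here as an example; it is not taken from the Cisco advisory. The ACL name DENY-ICMP-IN, the interface GigabitEthernet0/0/0/0, the max-servers value of 10 and the prompt hostname are assumptions; substitute the values from your own running configuration.

```text
! Added example, not from the advisory. ACL name, interface, max-servers
! value and hostname are assumptions.
RP/0/0/CPU0:router# configure

! Step 1: stop accepting incoming Telnet (IPv4 and IPv6 servers).
! The no form repeats the max-servers value present in the running
! config; find it with: show running-config | include telnet
RP/0/0/CPU0:router(config)# no telnet vrf default ipv4 server max-servers 10
RP/0/0/CPU0:router(config)# no telnet vrf default ipv6 server max-servers 10

! Step 2: ACL that drops inbound ICMP. IOS XR ACLs end with an implicit
! deny, so sequence 20 is what keeps every other protocol flowing.
RP/0/0/CPU0:router(config)# ipv4 access-list DENY-ICMP-IN
RP/0/0/CPU0:router(config-ipv4-acl)# 10 deny icmp any any
RP/0/0/CPU0:router(config-ipv4-acl)# 20 permit ipv4 any any
RP/0/0/CPU0:router(config-ipv4-acl)# exit

! Apply the ACL in the ingress direction on each exposed interface
! (repeat the interface block for every interface that needs it).
RP/0/0/CPU0:router(config)# interface GigabitEthernet0/0/0/0
RP/0/0/CPU0:router(config-if)# ipv4 access-group DENY-ICMP-IN ingress
RP/0/0/CPU0:router(config-if)# commit
RP/0/0/CPU0:router(config-if)# end

! Verify: no telnet server lines should remain, and the ACL should be
! present with both entries.
RP/0/0/CPU0:router# show running-config | include telnet
RP/0/0/CPU0:router# show access-lists ipv4 DENY-ICMP-IN
```

Two points to check before committing. First, `deny icmp any any` also drops ICMP that the router and its neighbours rely on, such as echo replies used by monitoring and fragmentation-needed messages used by path MTU discovery, so confirm which of those your environment can do without or narrow the entry accordingly and validate that the narrowed ACL still stops the traffic the advisory describes. Second, IOS XR does not apply the change until `commit`; review it with `show configuration` (or a `commit confirmed` timer) on a remote device so an ACL mistake cannot lock you out.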
While these mitigations have been deployed and proven successful in a test environment, customers should determine their applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network, depending on their deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating their applicability to their own environment and any impact on that environment.