Metrics
No CVSS v4.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
User Interaction: None
No CVSS v3.0
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Partial
This CVE is not in the KEV list.
The EPSS score is 0.19963.
Key SSVC decision points have not yet been added.
Affected Vendors & Products
Vendors | Products |
---|---|
Cisco | |
Digi | |
Hp | |
Treck | |
Solution
Customers should apply the latest patch provided by the affected vendor that addresses this issue and prevents unspecified IP-in-IP packets from being processed. Device manufacturers are urged to disable IP-in-IP in their default configuration and require their customers to explicitly configure IP-in-IP as and when needed.
Workaround
Users can block IP-in-IP packets by filtering IP protocol number 4. Note that this filter matches the value 4 in the IPv4 Protocol (or IPv6 Next Header) field, not IP protocol version 4 (IPv4).
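The distinction in the workaround, as an added example that is not part of the advisory or any vendor's code: the drop decision reads the Protocol / Next Header field, never the version nibble. It goes slightly beyond the text by walking IPv6 extension headers to reach the final Next Header value. All function names and sample packets are hypothetical and constructed for illustration.

```python
import ipaddress
import struct

IPIP = 4                      # protocol number for IPv4-in-IP encapsulation
EXT_HEADERS = {0, 43, 60}     # IPv6 hop-by-hop, routing, destination options
FRAGMENT = 44                 # IPv6 fragment header, always 8 bytes

def payload_protocol(pkt: bytes):
    """Protocol number of the payload in an IPv4/IPv6 packet; None if unparseable."""
    if not pkt:
        return None
    version = pkt[0] >> 4                 # version nibble: 4 or 6, NOT what is filtered
    if version == 4:
        ihl = pkt[0] & 0x0F
        if ihl < 5 or len(pkt) < ihl * 4:
            return None
        return pkt[9]                     # IPv4 Protocol field
    if version == 6 and len(pkt) >= 40:
        nxt, off = pkt[6], 40             # IPv6 Next Header field
        while nxt in EXT_HEADERS or nxt == FRAGMENT:
            if len(pkt) < off + 8:
                return None
            size = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
            nxt, off = pkt[off], off + size
        return nxt
    return None

def is_ip_in_ip(pkt: bytes) -> bool:
    """True when the packet matches the workaround's filter (protocol 4)."""
    return payload_protocol(pkt) == IPIP

# Constructed sample headers (documentation address ranges, zero checksums).
def v4(proto):
    a = ipaddress.ip_address("192.0.2.1").packed
    b = ipaddress.ip_address("198.51.100.1").packed
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, a, b)

def v6(nxt, body=b""):
    a = ipaddress.ip_address("2001:db8::1").packed
    b = ipaddress.ip_address("2001:db8::2").packed
    return struct.pack("!IHBB16s16s", 6 << 28, len(body), nxt, 64, a, b) + body

DEST_OPTS_THEN_IPIP = bytes([IPIP, 0, 1, 4, 0, 0, 0, 0])  # next=4, len=0, PadN

if __name__ == "__main__":
    for name, pkt in [("IPv4/TCP", v4(6)), ("IPv4/IP-in-IP", v4(4)),
                      ("IPv6/IP-in-IP", v6(4)),
                      ("IPv6/dst-opts/IP-in-IP", v6(60, DEST_OPTS_THEN_IPIP))]:
        print(f"{name:24} drop={is_ip_in_ip(pkt)}")
```

Unparseable packets return `None` and are not matched here; how to treat them is a separate policy decision for the filtering device.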

Status: PUBLISHED
Assigner: certcc
Published:
Updated: 2024-09-17T00:56:11.850Z
Reserved: 2020-03-05T00:00:00
Link: CVE-2020-10136


Status : Modified
Published: 2020-06-02T09:15:09.967
Modified: 2024-11-21T04:54:53.377
Link: CVE-2020-10136

