Cisco IOS XE Software Network-Based Application Recognition Denial of Service Vulnerability

🚨 SEVERITY: HIGH — CVSS 8.6 Security Advisory

TL;DR 📌

A high-severity vulnerability has been identified in the Network-Based Application Recognition (NBAR) feature of Cisco IOS XE Software. This flaw could allow unauthenticated remote attackers to cause affected devices to reload, resulting in a denial of service (DoS) condition. Cisco has released fixed software, but there are no workarounds available.

What happened 🕵️‍♂️

A vulnerability in the NBAR feature of Cisco IOS XE Software allows unauthenticated, remote attackers to exploit improperly handled malformed Control and Provisioning of Wireless Access Points (CAPWAP) packets. By sending these malformed packets, an attacker can cause the affected device to unexpectedly reload, leading to a denial of service (DoS).

Affected products 🖥️

The following Cisco products are affected if they are running a vulnerable release of Cisco IOS XE Software with the NBAR for CAPWAP feature enabled:

  • 1100 Integrated Services Routers
  • 4000 Series Integrated Services Routers
  • ASR 920 Series Aggregation Services Routers
  • ASR 1000 Series Aggregation Services Routers
  • Catalyst 1101 Rugged Routers
  • Catalyst 8000V Edge Software
  • Catalyst 8200 Series Edge Platforms
  • Catalyst 8300 Series Edge Platforms
  • Catalyst 8500 Edge Platforms
  • Catalyst 8500L Edge Platforms
  • Catalyst IR8300 Rugged Series Routers

Fixed software 🔧

Upgrade to the first fixed release in your train (or later):

Release / Product First Fixed Release Notes
1.0 Initial public release.
Cisco IOS and IOS XE Software Not specified

Workarounds 🧯

There are no workarounds that fully address this vulnerability. However, as a temporary mitigation, customers can disable CAPWAP inspection for NBAR using the command no ip nbar classification tunneled-traffic capwap. It is important to evaluate the impact of this mitigation in your specific environment before implementation.

Risk in context 🎯

The vulnerability has a CVSS score of 8.6, categorizing it as High severity. The risk is heightened as it allows unauthenticated access and can lead to a complete loss of availability for affected devices. Given that there are no effective workarounds, immediate action is recommended to mitigate potential exploitation.

Fast facts ⚡

  • Vulnerability: Cisco IOS XE Software NBAR Denial of Service
  • CVSS Score: 8.6 (High)
  • Impact: Device reload, Denial of Service
  • Exploitation: Requires sending malformed CAPWAP packets
  • Workarounds: None effective; temporary mitigation available

For leadership 🧭

This vulnerability presents a High risk (CVSS 8.6) due to its potential for unauthenticated exploitation, leading to service outages. The exposure is significant as it affects internet-facing devices and can result in complete unavailability. Immediate remediation is required, with a recommendation to patch within 7 days using the fixed software provided by Cisco.

  • Now: Assess affected devices and plan for immediate software upgrades.
  • Next: Implement the temporary mitigation if immediate patching is not feasible.
  • Later: Review network configurations to ensure compliance with security best practices.

The operational impact of applying the patch is expected to be minimal, requiring a brief maintenance window with no anticipated configuration drift.