Cisco IOS XR ARP Broadcast Storm Denial of Service Vulnerability
TL;DR 📌
A denial of service (DoS) vulnerability has been identified in the ARP implementation of Cisco IOS XR Software. An unauthenticated attacker on the same Layer 2 segment as the management interface can exploit it by flooding that interface with ARP traffic, degrading device performance or rendering the device unresponsive. Cisco has released software updates that address the issue; no workarounds are available.
What happened 🕵️♂️
A vulnerability in the Address Resolution Protocol (ARP) implementation of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to trigger an ARP broadcast storm on an affected device. A high volume of ARP traffic directed at the management interface overwhelms the device's ARP processing, resulting in a denial of service (DoS): degraded performance, loss of management connectivity, and potentially complete system unresponsiveness. The attack needs no credentials, only the ability to put ARP frames onto the management interface's broadcast domain.
Affected products 🖥️
This vulnerability affects Cisco devices running a vulnerable release of Cisco IOS XR Software when the management interface is configured with an IP address and is in the Up state; a device whose management interface has no IP address or is not Up does not meet the affected condition. Affected release trains:
- 7.11 and earlier
- 24.1, 24.3 and 24.4 (no fixed release within these trains; migrate)
- 24.2 before 24.2.21
- 25.1 before 25.1.2
- 25.2 before 25.2.1
Fixed software 🔧
Upgrade to the first fixed release in your train (or later):
| Release / Product | First Fixed Release | Notes |
|---|---|---|
| 7.11 and earlier | Migrate to a fixed release. | |
| 24.1 | Migrate to a fixed release. | |
| 24.2 | 24.2.21 | |
| 24.3 | Migrate to a fixed release. | |
| 24.4 | Migrate to a fixed release. | |
| 25.1 | 25.1.2 | |
| 25.2 | 25.2.1 | |
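Mapping an inventory of `show version` strings onto the table above is the first remediation step, and the comparison is easy to get wrong if releases are compared as strings (24.2.9 sorts after 24.2.21 lexically). The script below is an added example, not Cisco's code or a Cisco tool: the fixed-release data is transcribed from the table above, while the parser, the function names and the sample `show version` lines are this example's own assumptions.

```python
"""Triage IOS XR releases against this advisory's fixed-release table.

Added example, not Cisco's code. FIRST_FIXED / MIGRATE_TRAINS are transcribed
from the advisory table; the parsing logic, function names and the sample
'show version' strings are this example's own.
"""
import re
from typing import Dict, Tuple

# First fixed release per train (from the advisory table above).
FIRST_FIXED: Dict[str, str] = {"24.2": "24.2.21", "25.1": "25.1.2", "25.2": "25.2.1"}
# Trains the advisory lists as affected with no fixed release of their own.
MIGRATE_TRAINS = {"24.1", "24.3", "24.4"}
# "7.11 and earlier": any release whose major.minor sorts at or below this.
LAST_LEGACY_TRAIN = (7, 11)

_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted release number from a release string or a
    'show version' line and return it as a tuple of ints, which compares
    numerically (24.2.9 < 24.2.21) where a string comparison would not."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no release number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def assess(release: str) -> Dict[str, str]:
    """Classify one release as 'affected', 'fixed' or 'not listed' and name the action."""
    v = parse_version(release)
    train = f"{v[0]}.{v[1]}"
    result = {"release": ".".join(map(str, v)), "train": train}
    if v[:2] <= LAST_LEGACY_TRAIN or train in MIGRATE_TRAINS:
        result.update(status="affected", action="migrate to a fixed release")
    elif train in FIRST_FIXED:
        fixed = FIRST_FIXED[train]
        if v >= parse_version(fixed):
            result.update(status="fixed", action="none")
        else:
            result.update(status="affected", action=f"upgrade to {fixed}")
    else:
        # Train not covered by the advisory text (e.g. newer than 25.2).
        result.update(status="not listed", action="confirm against the current advisory")
    return result


def triage(inventory: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Run assess() over {hostname: release string or 'show version' line}."""
    return {host: assess(text) for host, text in inventory.items()}


# Constructed sample inventory for a stand-alone run; not real device output.
SAMPLE_INVENTORY = {
    "pe1": "Cisco IOS XR Software, Version 24.2.11 LNT",
    "pe2": "Cisco IOS XR Software, Version 24.2.21 LNT",
    "rr1": "Cisco IOS XR Software, Version 7.9.2",
    "pe3": "Cisco IOS XR Software, Version 25.1.1 LNT",
    "pe4": "Cisco IOS XR Software, Version 24.4.1 LNT",
}

if __name__ == "__main__":
    for host, r in triage(SAMPLE_INVENTORY).items():
        print(f"{host:4} {r['release']:<10} {r['status']:<10} {r['action']}")
```

Feed it the release line from each device's `show version` output; anything reported as `not listed` (a train the advisory does not name) should be checked against the advisory directly rather than assumed fixed.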
Revision history 📝
| Version | Description |
|---|---|
| 1.0 | Initial public release. |
Workarounds 🧯
There are no workarounds that address this vulnerability. Local Packet Transport Services (LPTS), the punt-path policer that would normally rate-limit control-plane traffic on IOS XR, does not apply to traffic received on Management Ethernet (MgmtEth) interfaces, so it cannot be used to throttle the ARP flood. Because ARP is not routed, exploitation requires a host in the same Layer 2 broadcast domain as the management interface; limiting which hosts can reach that segment reduces exposure but does not remove the vulnerability.
Risk in context 🎯
The highest CVSS base score for this vulnerability is 7.4 (High). The score is driven by an unauthenticated attacker being able to cause a denial of service with no user interaction, tempered by the Adjacent attack vector: ARP is a link-layer protocol, so the attacker needs a foothold in the same broadcast domain as the management interface rather than arbitrary network reachability. Organizations should prioritize patching affected devices within a week.
Fast facts ⚡
- Vulnerability Type: Denial of Service (DoS)
- CVSS Score: 7.4 (High)
- Exploitability: Requires Layer 2 adjacency to the management interface; no authentication or user interaction needed
- Impact: Degraded performance and potential unresponsiveness
- Workarounds: None available
For leadership 🧭
This vulnerability poses a High risk to our network infrastructure (CVSS 7.4). An unauthenticated attacker with access to the management network segment could overwhelm a device's ARP processing and cause a denial of service, including loss of management connectivity. Remediation is a software upgrade; we recommend patching affected devices within 7 days. Operational impact is limited to a scheduled maintenance window for the upgrade; no configuration changes are required.
- Now: Identify affected devices (release train and management interface state) and plan the upgrade.
- Next: Upgrade each device to the first fixed release for its train.
- Later: Monitor management segments for abnormal ARP rates and watch for loss of management connectivity or device unresponsiveness.
No workarounds are available, so timely action is essential to secure our network.
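Since LPTS does not police the management interface, detection has to happen on the management segment itself. The script below is an added example, not Cisco's code or a Cisco tool: it assumes you already export ARP frames seen on the management VLAN (for example from a SPAN session or packet capture) as (timestamp, source MAC, opcode) tuples, buckets them per second, and flags buckets whose frame count exceeds a threshold, reporting the top talker so a single flooding host (this advisory's scenario) can be told apart from a broad, legitimate burst such as a reboot wave. The threshold, function names and the capture data are constructed for this example.

```python
"""Flag ARP broadcast storms on a management segment from per-frame ARP events.

Added example, not Cisco's code. It assumes ARP frames from the management
VLAN are available as (timestamp_seconds, source_mac, opcode) tuples; the
capture below is constructed, using RFC 7042 documentation MAC addresses.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

ArpEvent = Tuple[float, str, int]   # (timestamp_s, src_mac, opcode: 1=request, 2=reply)


def per_second_counts(events: Iterable[ArpEvent], bucket_s: float = 1.0) -> Dict[int, Counter]:
    """Group ARP frames into fixed time buckets and count frames per source MAC."""
    buckets: Dict[int, Counter] = {}
    for ts, src_mac, _opcode in events:
        buckets.setdefault(int(ts // bucket_s), Counter())[src_mac] += 1
    return buckets


def storm_alerts(events: Iterable[ArpEvent], threshold: int = 200,
                 bucket_s: float = 1.0) -> List[Dict]:
    """Return one alert per bucket whose ARP frame count exceeds threshold.

    top_src_share close to 1.0 means one host is responsible for the burst;
    a low share means the traffic is spread across many hosts."""
    alerts = []
    for bucket, counts in sorted(per_second_counts(events, bucket_s).items()):
        total = sum(counts.values())
        if total > threshold:
            top_mac, top_n = counts.most_common(1)[0]
            alerts.append({"second": bucket, "frames": total, "top_src": top_mac,
                           "top_src_share": round(top_n / total, 2)})
    return alerts


def constructed_capture() -> List[ArpEvent]:
    """Ten seconds of normal ARP chatter from four hosts (one request per
    second each), then a single host flooding 1500 ARP requests across
    seconds 6 and 7. Constructed data, not a real capture."""
    hosts = ["00:00:5e:00:53:01", "00:00:5e:00:53:02",
             "00:00:5e:00:53:03", "00:00:5e:00:53:04"]
    events: List[ArpEvent] = []
    for sec in range(10):
        for i, mac in enumerate(hosts):
            events.append((sec + 0.1 * i, mac, 1))
    flooder = "00:00:5e:00:53:ff"
    events.extend((6.0 + k / 750.0, flooder, 1) for k in range(1500))
    return sorted(events)


if __name__ == "__main__":
    for alert in storm_alerts(constructed_capture()):
        print(alert)
```

Tune the threshold to the segment's observed baseline (a management VLAN with a few dozen devices normally sees a handful of ARP frames per second); an alert with a high top_src_share on the management segment of an unpatched IOS XR device is the signal to isolate that source host and check the device's management reachability.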