Cisco IOS XE Software FTP Application Layer Gateway for NAT, NAT64, and ZBFW Denial of Service Vulnerability
Description
A buffer overflow in the FTP ALG inspection used by Cisco IOS XE NAT, NAT64, and ZBFW allows an unauthenticated remote attacker to cause a device reload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability (CVE-2019-12655) is a buffer overflow in the FTP application layer gateway (ALG) functionality used by Network Address Translation (NAT), NAT IPv6 to IPv4 (NAT64), and the Zone-Based Policy Firewall (ZBFW) in Cisco IOS XE Software [1]. A specific FTP transfer inspected by the ALG can trigger the overflow. Affected devices are those running a vulnerable release of Cisco IOS XE Software and configured with NAT, NAT64, or ZBFW with FTP inspection enabled [1]. The bug can be triggered by transit traffic or by traffic destined to the device if ZBFW inspects FTP traffic for the self zone.
Exploitation
An unauthenticated, remote attacker can exploit the vulnerability by performing a specific FTP transfer through the affected device [1]. No authentication or special network position beyond the ability to send FTP traffic through or to the device is required. The exact sequence of FTP commands and responses triggering the buffer overflow has not been publicly detailed.
Impact
Successful exploitation causes the device to reload, resulting in a denial of service (DoS) condition [1]. The crash disrupts all traffic passing through the device until it reboots. No code execution or data disclosure is described; the impact is limited to availability.
Mitigation
Cisco has released fixed software versions; refer to the Fixed Software section of the Cisco Security Advisory for the specific release train and version [1]. As a workaround, administrators can disable FTP ALG inspection if not required, or apply access control lists to restrict FTP traffic to trusted sources. No KEV listing has been published as of the advisory date.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ftp (vendor advisory; source: mitre, x_refsource_CISCO)
News mentions
No linked articles in our index yet.