Cisco IOS XE Software HTTP Server Denial of Service Vulnerability
Description
Cisco IOS XE Software HTTP server can be crashed by an unauthenticated remote attacker via a high number of long-lived connections due to a logging logic error.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability in the HTTP server code of Cisco IOS XE Software allows an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The flaw is due to a logical error in the logging mechanism. Affected versions include various releases of Cisco IOS XE Software prior to the fixed versions listed in the Cisco Security Advisory [1]. An attacker can trigger the vulnerability without requiring authentication or special privileges, as long as the HTTP server is enabled on the device.
Exploitation
To exploit this vulnerability, an attacker must be able to send network traffic to the HTTP service on the targeted device. The exploitation involves generating a high number of long-lived connections to the HTTP server. The specific sequence of steps does not require user interaction or prior access to the device, making the attack straightforward from a remote network position [1].
Impact
Successful exploitation causes the HTTP server to crash, resulting in a denial of service condition. The crash impacts the availability of the HTTP service, though other device functions may continue to operate. The vulnerability does not allow for code execution, data disclosure, or privilege escalation; the impact is limited to temporary disruption of HTTP-based management and services [1].
Mitigation
Cisco has released software updates that address this vulnerability. Customers should upgrade to a fixed version of Cisco IOS XE Software as identified by the Cisco IOS Software Checker [1]. No workarounds are mentioned in the advisory; disabling the HTTP server if not required can reduce exposure. This vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries; range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-httpserv-dos (source: MITRE; tags: vendor-advisory, x_refsource_CISCO)
News mentions
No linked articles in our index yet.