Cisco IOS XE Software IPsec VPN Denial of Service Vulnerability
Description
Cisco IOS XE IPsec VPN device lacks ESP packet authentication, allowing unauthenticated remote attackers to disconnect VPN sessions via man-in-the-middle tampering.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability in the hardware crypto driver of Cisco IOS XE Software for Cisco 4300 Series Integrated Services Routers and Cisco Catalyst 9800-L Wireless Controllers allows an unauthenticated, remote attacker to disconnect legitimate IPsec VPN sessions. The flaw is due to insufficient verification of the authenticity of received Encapsulating Security Payload (ESP) packets. Affected versions include Cisco IOS XE Software releases prior to the first fixed releases identified by the Cisco Software Checker [1].
Exploitation
An attacker in a man-in-the-middle network position can tamper with ESP cleartext values in IPsec VPN traffic. No authentication or prior access to the VPN session is required. The attacker simply intercepts and modifies ESP packets between the VPN peer and the affected device, causing the device to drop the session [1].
Impact
Successful exploitation results in a denial of service (DoS) condition: legitimate IPsec VPN sessions are disconnected. This disrupts remote access or site-to-site VPN connectivity, impacting availability of the network. The attacker does not gain access to encrypted payloads or elevate privileges [1].
Mitigation
Cisco released software updates to fix this vulnerability. The first fixed releases are available via the Cisco Software Checker tool [1]. Customers should upgrade to the indicated fixed versions. No workarounds are available; upgrading is the only mitigation. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-vpn-dos-edOmW28Z (vendor advisory; source: MITRE, x_refsource_CISCO)
News mentions
No linked articles in our index yet.