Cisco IOS XE Software Flexible NetFlow Version 9 Denial of Service Vulnerability
Description
A malformed Flexible NetFlow Version 9 packet can cause a denial of service on Cisco Catalyst 9800 Series Wireless Controllers running IOS XE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the Flexible NetFlow Version 9 packet processor of Cisco IOS XE Software on Catalyst 9800 Series Wireless Controllers. Improper validation of parameters in a Flexible NetFlow Version 9 record allows an unauthenticated remote attacker to trigger an infinite loop. Affected versions include Cisco IOS XE Software releases prior to the fixed versions listed in the advisory [1].
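The class of defect described above, shown as an added example that is not Cisco's code: a NetFlow v9 FlowSet walker (layout per RFC 3954) that rejects length values which would stall or overrun the parse loop. The advisory does not say which record parameter is mis-validated, so the choice of the FlowSet Length field is an assumption, and the function names, return codes and sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NF9_HDR_LEN     20  /* RFC 3954 export packet header */
#define NF9_FLOWSET_HDR  4  /* FlowSet ID (2 bytes) + Length (2 bytes) */

enum nf9_result { NF9_OK = 0, NF9_TRUNCATED = -1,
                  NF9_BAD_VERSION = -2, NF9_BAD_LENGTH = -3 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the FlowSets of one export packet; *n_sets receives how many were accepted. */
int nf9_walk(const uint8_t *pkt, size_t len, unsigned *n_sets)
{
    size_t off = NF9_HDR_LEN;

    *n_sets = 0;
    if (len < NF9_HDR_LEN) return NF9_TRUNCATED;
    if (rd16(pkt) != 9)    return NF9_BAD_VERSION;

    while (off < len) {
        if (len - off < NF9_FLOWSET_HDR) return NF9_TRUNCATED;
        uint16_t fs_len = rd16(pkt + off + 2);
        /* Length counts the 4-byte FlowSet header. A value of 0 would leave
         * `off` unchanged and the loop would never end; 1..3 is invalid too. */
        if (fs_len < NF9_FLOWSET_HDR) return NF9_BAD_LENGTH;
        if (fs_len > len - off)       return NF9_TRUNCATED;
        off += fs_len;               /* guaranteed forward progress */
        (*n_sets)++;
    }
    return NF9_OK;
}

/* Constructed parser test inputs: 20-byte header (version 9), then one FlowSet. */
static const uint8_t nf9_good[] = {
    0,9, 0,1, 0,0,0,0, 0,0,0,0, 0,0,0,1, 0,0,0,0,
    1,0, 0,8, 0xde,0xad,0xbe,0xef };           /* FlowSet ID 256, Length 8 */
static const uint8_t nf9_zero_len[] = {
    0,9, 0,1, 0,0,0,0, 0,0,0,0, 0,0,0,1, 0,0,0,0,
    1,0, 0,0, 0,0,0,0 };                       /* FlowSet ID 256, Length 0 */

int main(void)
{
    unsigned n;
    int rc = nf9_walk(nf9_good, sizeof nf9_good, &n);
    printf("well-formed: rc=%d flowsets=%u\n", rc, n);
    rc = nf9_walk(nf9_zero_len, sizeof nf9_zero_len, &n);
    printf("zero length: rc=%d flowsets=%u\n", rc, n);
    return 0;
}
```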
Exploitation
An attacker can exploit this by sending a malformed Flexible NetFlow Version 9 packet to the Control and Provisioning of Wireless Access Points (CAPWAP) data port (UDP 5246 or 5247) of an affected device. No authentication is required; the attacker only needs network access to the CAPWAP port. The malformed packet causes the processor to enter an infinite loop, leading to a process crash and device reload [1].
Impact
Successful exploitation results in a denial of service (DoS) condition due to device reload. The attacker does not gain code execution or data access; the impact is limited to service disruption. The device becomes unavailable until it completes the reload process [1].
Mitigation
Cisco has released free software updates to address this vulnerability. Fixed versions are available for Cisco IOS XE Software releases 16.12.1s and later, as specified in the advisory [1]. Customers should upgrade to a fixed release. There are no workarounds; disabling Flexible NetFlow or restricting access to CAPWAP ports via ACLs may reduce risk but is not a complete mitigation. The vulnerability is not listed on CISA's KEV as of the publication date.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
[1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-fnfv9-dos-HND6Fc9u (mitre, vendor-advisory, x_refsource_CISCO)