Cisco SD-WAN vEdge Routers Denial of Service Vulnerability
Description
An unauthenticated, adjacent attacker can cause a denial of service (DoS) on Cisco SD-WAN vEdge Routers by sending crafted packets that trigger a device reboot due to insufficient malformed packet handling in the DPI engine.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability (CVE-2020-3385) exists in the deep packet inspection (DPI) engine of Cisco SD-WAN vEdge Routers. The defect is caused by insufficient handling of malformed packets by the DPI engine. An attacker can exploit this by sending specifically crafted packets through an affected device. The advisory [1] does not list specific software versions, but customers are advised to upgrade to fixed releases as per Cisco's guidance.
Exploitation
To exploit this vulnerability, an attacker must be adjacent to the affected vEdge Router, meaning they must have network access to the same Layer 2 domain. No authentication is required. The attacker can send a series of crafted packets through the device's DPI engine; the engine's failure to properly handle malformed packets will trigger a device reboot.
Impact
A successful exploit causes the affected Cisco SD-WAN vEdge Router to reboot, leading to a denial of service (DoS) condition. This disrupts network services and traffic forwarding, affecting the availability of the device. No data confidentiality or integrity impact is described.
Mitigation
Cisco has released free software updates to address this vulnerability [1]. Customers with a service contract should upgrade to the fixed software version. Those without a service contract should contact the Cisco TAC for a free upgrade [1]. No workarounds are mentioned in the available references.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: n/a
Patches
No patches discovered yet.
References
- [1] tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-vedgfpdos-PkqQrnwV (mitre, vendor-advisory, x_refsource_CISCO)
News mentions
No linked articles in our index yet.