Cisco IOS XE Software for Catalyst Switches MPLS Denial of Service Vulnerability
Description
A flaw in Cisco IOS XE MPLS egress processing allows unauthenticated remote attackers to cause a denial of service via malformed IPv4 packets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability in the egress MPLS packet processing function of Cisco IOS XE Software for Cisco Catalyst 3650, Catalyst 3850, and Catalyst 9000 Family Switches allows an unauthenticated, remote attacker to cause an affected device to reload unexpectedly. The issue is due to insufficient input validation of IPv4 traffic when processed by an MPLS-enabled interface. Affected versions include all releases of Cisco IOS XE Software on the specified platforms that support MPLS [1].
Exploitation
An attacker can exploit this vulnerability by sending a malformed IPv4 packet out of an affected MPLS-enabled interface. No authentication is required, and the attacker can be remote. The malformed packet triggers the insufficient input validation, leading to a device reload [1].
Impact
Successful exploitation causes the affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. The attacker gains no code execution or data access, but service disruption can impact network operations [1].
Mitigation
Cisco has released free software updates to address this vulnerability. Customers should upgrade to the latest fixed version as indicated in the Cisco Security Advisory [1]. No workaround is available. Customers with service contracts should obtain updates through their usual channels; those without should contact Cisco TAC [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: n/a
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.