CVE-2023-20187

Vulnerability

The vulnerability resides in the Multicast Leaf Recycle Elimination (mLRE) feature of Cisco IOS XE Software running on ASR 1000 Series Aggregation Services Routers. It stems from incorrect handling of IPv6 multicast packets when they are fanned out more than seven times on the device. Affected versions are detailed in the Cisco advisory [1].

Exploitation

An unauthenticated, remote attacker can exploit this vulnerability by sending a specific IPv6 multicast or IPv6 multicast VPN (MVPNv6) packet through the affected device. No authentication or prior access is required; the attacker only needs network reachability to the device. The packet must trigger a fan-out of more than seven copies, which the mLRE feature mishandles [1].

Impact

Successful exploitation causes the device to reload, resulting in a denial of service (DoS) condition. The attack does not lead to code execution or data compromise; the sole impact is temporary loss of network services provided by the router [1].

Mitigation

Cisco has released free software updates to address this vulnerability. Customers should upgrade to the fixed versions indicated in the Cisco Security Advisory [1]. No workarounds are available; the only mitigation is applying the patch. Devices that are no longer supported (end-of-life) should be replaced [1].