CVE-2023-20226

Vulnerability

A vulnerability in the Application Quality of Experience (AppQoE) and Unified Threat Defense (UTD) applications of Cisco IOS XE Software allows an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. The issue stems from improper handling of a crafted packet stream through the AppQoE or UTD application. Affected versions include various Cisco IOS XE releases with AppQoE or UTD enabled; specific version details are provided in the Cisco Security Advisory [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted packet stream through an affected device. No authentication is required, and the attacker only needs network access to the device. The crafted packets are processed by the AppQoE or UTD application, triggering the mishandling that leads to device reload [1].

Impact

Successful exploitation allows the attacker to cause the device to reload, resulting in a denial of service condition. This impacts availability but does not compromise confidentiality or integrity of data [1].

Mitigation

Cisco has released free software updates that address this vulnerability. Customers with service contracts should obtain fixed software through their usual update channels. As a workaround, administrators may consider disabling AppQoE or UTD if not required. The Cisco Security Advisory provides detailed information on fixed releases and upgrade guidance [1].