CVE-2020-3220 MEDIUM

CVE-2020-3220: Cisco IOS XE Software IPsec VPN Denial of Service Vulnerability

Vendor Cisco
Product Cisco IOS XE Software 16.4.1
Weakness CWE-345
Published June 3, 2020
Last update November 15, 2024

CVSS base score

6.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01Description

A vulnerability in the hardware crypto driver of Cisco IOS XE Software for Cisco 4300 Series Integrated Services Routers and Cisco Catalyst 9800-L Wireless Controllers could allow an unauthenticated, remote attacker to disconnect legitimate IPsec VPN sessions to an affected device. The vulnerability is due to insufficient verification of authenticity of received Encapsulating Security Payload (ESP) packets. An attacker could exploit this vulnerability by tampering with ESP cleartext values as a man-in-the-middle.

Key dates

02Disclosure timeline

June 3, 2020 CVE published
November 15, 2024 Record updated