CVE-2021-1616 MEDIUM

CVE-2021-1616: Cisco IOS XE Software H.323 Application Level Gateway Bypass Vulnerability

Vendor Cisco
Product Cisco IOS XE Software
Weakness CWE-693
Published September 23, 2021
Last update November 7, 2024

CVSS base score

4.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

What the vulnerability does

01Description

A vulnerability in the H.323 application level gateway (ALG) used by the Network Address Translation (NAT) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass the ALG. This vulnerability is due to insufficient data validation of traffic that is traversing the ALG. An attacker could exploit this vulnerability by sending crafted traffic to a targeted device. A successful exploit could allow the attacker to bypass the ALG and open connections that should not be allowed to a remote device located behind the ALG. Note: This vulnerability has been publicly discussed as NAT Slipstreaming.

Key dates

02Disclosure timeline

September 23, 2021 CVE published
November 7, 2024 Record updated