CVE-2020-3220: Cisco IOS XE Software IPsec VPN Denial of Service Vulnerability
First published: Wed Jun 03 2020(Updated: )
A vulnerability in the hardware crypto driver of Cisco IOS XE Software for Cisco 4300 Series Integrated Services Routers and Cisco Catalyst 9800-L Wireless Controllers could allow an unauthenticated, remote attacker to disconnect legitimate IPsec VPN sessions to an affected device. The vulnerability is due to insufficient verification of authenticity of received Encapsulating Security Payload (ESP) packets. An attacker could exploit this vulnerability by tampering with ESP cleartext values as a man-in-the-middle.
Credit: ykramarz@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cisco IOS XE | =16.4.1 | |
| Cisco IOS XE | =16.4.2 | |
| Cisco IOS XE | =16.4.3 | |
| Cisco IOS XE | =16.5.1 | |
| Cisco IOS XE | =16.5.1a | |
| Cisco IOS XE | =16.5.1b | |
| Cisco IOS XE | =16.5.2 | |
| Cisco IOS XE | =16.5.3 | |
| Cisco IOS XE | =16.6.1 | |
| Cisco IOS XE | =16.6.2 | |
| Cisco IOS XE | =16.6.3 | |
| Cisco IOS XE | =16.6.4 | |
| Cisco IOS XE | =16.6.4a | |
| Cisco IOS XE | =16.6.4s | |
| Cisco IOS XE | =16.6.5 | |
| Cisco IOS XE | =16.6.5a | |
| Cisco IOS XE | =16.6.5b | |
| Cisco IOS XE | =16.6.6 | |
| Cisco IOS XE | =16.7.1 | |
| Cisco IOS XE | =16.7.1a | |
| Cisco IOS XE | =16.7.1b | |
| Cisco IOS XE | =16.7.2 | |
| Cisco IOS XE | =16.7.3 | |
| Cisco IOS XE | =16.7.4 | |
| Cisco IOS XE | =16.8.1 | |
| Cisco IOS XE | =16.8.1a | |
| Cisco IOS XE | =16.8.1b | |
| Cisco IOS XE | =16.8.1c | |
| Cisco IOS XE | =16.8.1d | |
| Cisco IOS XE | =16.8.1e | |
| Cisco IOS XE | =16.8.1s | |
| Cisco IOS XE | =16.8.2 | |
| Cisco IOS XE | =16.8.3 | |
| Cisco IOS XE | =16.9.1 | |
| Cisco IOS XE | =16.9.1a | |
| Cisco IOS XE | =16.9.1b | |
| Cisco IOS XE | =16.9.1c | |
| Cisco IOS XE | =16.9.1d | |
| Cisco IOS XE | =16.9.1s | |
| Cisco IOS XE | =16.9.2 | |
| Cisco IOS XE | =16.9.2a | |
| Cisco IOS XE | =16.9.2s | |
| Cisco IOS XE | =16.9.3 | |
| Cisco IOS XE | =16.9.3a | |
| Cisco IOS XE | =16.9.3h | |
| Cisco IOS XE | =16.9.3s | |
| Cisco IOS XE | =16.10.1 | |
| Cisco IOS XE | =16.10.1a | |
| Cisco IOS XE | =16.10.1b | |
| Cisco IOS XE | =16.10.1c | |
| Cisco IOS XE | =16.10.1d | |
| Cisco IOS XE | =16.10.1e | |
| Cisco IOS XE | =16.10.1f | |
| Cisco IOS XE | =16.10.1g | |
| Cisco IOS XE | =16.10.1s | |
| Cisco IOS XE | =16.10.2 | |
| Cisco IOS XE | =16.11.1 | |
| Cisco IOS XE | =16.11.1a | |
| Cisco IOS XE | =16.11.1b | |
| Cisco IOS XE | =16.11.1c | |
| Cisco IOS XE | =16.11.1s | |
| Cisco IOS XE | =16.12.1 | |
| Cisco IOS XE | =16.12.1a | |
| Cisco IOS XE | =16.12.1c | |
| Cisco IOS XE | =16.12.1s | |
| Cisco IOS XE | =16.12.1t | |
| Cisco IOS XE | =16.12.1w | |
| Cisco IOS XE | =16.12.1y |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2020-3220?
CVE-2020-3220 has been classified as a high severity vulnerability.
How do I fix CVE-2020-3220?
To fix CVE-2020-3220, upgrade your affected Cisco IOS XE Software to a version that addresses this vulnerability.
Which devices are affected by CVE-2020-3220?
CVE-2020-3220 affects Cisco 4300 Series Integrated Services Routers and Cisco Catalyst 9800-L Wireless Controllers running specific versions of Cisco IOS XE.
What type of attack does CVE-2020-3220 allow?
CVE-2020-3220 allows an unauthenticated remote attacker to disconnect legitimate IPsec VPN sessions.
Is there any workaround for CVE-2020-3220?
There are no documented workarounds for CVE-2020-3220; updating to a patched version is recommended.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/title
- agent/weakness
- agent/author
- agent/severity
- agent/remedy
- agent/references
- agent/description
- agent/tags
- agent/first-publish-date
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- vendor/cisco
- canonical/cisco ios xe
- version/cisco ios xe/16.4.1
- version/cisco ios xe/16.4.2
- version/cisco ios xe/16.4.3
- version/cisco ios xe/16.5.1
- version/cisco ios xe/16.5.1a
- version/cisco ios xe/16.5.1b
- version/cisco ios xe/16.5.2
- version/cisco ios xe/16.5.3
- version/cisco ios xe/16.6.1
- version/cisco ios xe/16.6.2
- version/cisco ios xe/16.6.3
- version/cisco ios xe/16.6.4
- version/cisco ios xe/16.6.4a
- version/cisco ios xe/16.6.4s
- version/cisco ios xe/16.6.5
- version/cisco ios xe/16.6.5a
- version/cisco ios xe/16.6.5b
- version/cisco ios xe/16.6.6
- version/cisco ios xe/16.7.1
- version/cisco ios xe/16.7.1a
- version/cisco ios xe/16.7.1b
- version/cisco ios xe/16.7.2
- version/cisco ios xe/16.7.3
- version/cisco ios xe/16.7.4
- version/cisco ios xe/16.8.1
- version/cisco ios xe/16.8.1a
- version/cisco ios xe/16.8.1b
- version/cisco ios xe/16.8.1c
- version/cisco ios xe/16.8.1d
- version/cisco ios xe/16.8.1e
- version/cisco ios xe/16.8.1s
- version/cisco ios xe/16.8.2
- version/cisco ios xe/16.8.3
- version/cisco ios xe/16.9.1
- version/cisco ios xe/16.9.1a
- version/cisco ios xe/16.9.1b
- version/cisco ios xe/16.9.1c
- version/cisco ios xe/16.9.1d
- version/cisco ios xe/16.9.1s
- version/cisco ios xe/16.9.2
- version/cisco ios xe/16.9.2a
- version/cisco ios xe/16.9.2s
- version/cisco ios xe/16.9.3
- version/cisco ios xe/16.9.3a
- version/cisco ios xe/16.9.3h
- version/cisco ios xe/16.9.3s
- version/cisco ios xe/16.10.1
- version/cisco ios xe/16.10.1a
- version/cisco ios xe/16.10.1b
- version/cisco ios xe/16.10.1c
- version/cisco ios xe/16.10.1d
- version/cisco ios xe/16.10.1e
- version/cisco ios xe/16.10.1f
- version/cisco ios xe/16.10.1g
- version/cisco ios xe/16.10.1s
- version/cisco ios xe/16.10.2
- version/cisco ios xe/16.11.1
- version/cisco ios xe/16.11.1a
- version/cisco ios xe/16.11.1b
- version/cisco ios xe/16.11.1c
- version/cisco ios xe/16.11.1s
- version/cisco ios xe/16.12.1
- version/cisco ios xe/16.12.1a
- version/cisco ios xe/16.12.1c
- version/cisco ios xe/16.12.1s
- version/cisco ios xe/16.12.1t
- version/cisco ios xe/16.12.1w
- version/cisco ios xe/16.12.1y