Cisco has released a security advisory to address a vulnerability in Cisco NX-OS Software. The vulnerability could cause an affected device to unexpectedly decapsulate and process IP-in-IP packets (IP protocol number 4) that are destined to a locally configured IP address, even when no tunnel is configured on the device. An unauthenticated, remote attacker could exploit the vulnerability by sending specially crafted IP-in-IP packets to an affected device.
Proof-of-concept exploit code for this vulnerability (CVE-2020-10136) is publicly available on the Internet. System administrators are advised to take immediate action to patch affected systems in order to mitigate the elevated risk of attack.
The following Cisco products running Cisco NX-OS Software
For the detailed list of affected products, please refer to the "Affected Products" section of the corresponding security advisory on the vendor's website.
Successful exploitation could lead to a security bypass or denial of service on an affected system. Because the device forwards the inner packet after stripping the outer header, an inner packet addressed to another host can bypass input access control lists (ACLs) and other security boundaries that only evaluate the outer header; in some conditions the network stack process may crash and restart, causing the device to reload.
Software updates for affected systems are now available. System administrators of affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk. For detailed information on the available patches, please refer to the "Fixed Software" section of the corresponding security advisory on the vendor's website.
System administrators should contact their product support vendors for the fixes and assistance.
As a security best practice, system administrators should also block IP-in-IP packets at network boundaries and on the device itself by filtering IP protocol number 4 wherever IP-in-IP encapsulation is not required.
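The following is an added illustration, not code from the advisory or from Cisco, of the behaviour described above and of the protocol-4 filter recommended here. It builds an IP-in-IP packet whose outer header is addressed to the device while the inner packet is addressed to a host behind it, shows what a device that decapsulates without a tunnel configured would end up processing, and applies a filter that drops any packet carrying IP protocol number 4. All addresses are constructed from the RFC 5737 documentation ranges, and the `vulnerable_decapsulate` and `filter_ipip` functions are hypothetical models written for this example, not NX-OS code.

```python
"""Added example: IP-in-IP (IP protocol 4) decapsulation and filtering model.
Not from the Cisco advisory; addresses and packets are constructed inline."""
import socket
import struct
from typing import Optional

IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP encapsulation (RFC 2003)
_IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header. Returns 0 for a header
    whose stored checksum is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (no options) carrying `payload`."""
    header = struct.pack(_IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234, 0,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse and validate an IPv4 header; returns fields and the payload."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(_IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or total_len < ihl or len(packet) < total_len:
        raise ValueError("bad IHL or total length")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def vulnerable_decapsulate(packet: bytes, local_addrs: set) -> Optional[dict]:
    """Hypothetical model of the advisory's behaviour: a device with no tunnel
    configured still strips the outer header of an IP-in-IP packet addressed to
    one of its own IPs and goes on to process the inner packet. Returns the
    parsed inner packet, or None if the packet would not be decapsulated."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_IPIP or outer["dst"] not in local_addrs:
        return None
    return parse_ipv4(outer["payload"])  # inner header is parsed, not trusted


def filter_ipip(packet: bytes) -> bool:
    """Recommended mitigation: drop IP protocol 4 when IP-in-IP is not needed.
    Returns True if the packet should be dropped (malformed packets too)."""
    try:
        return parse_ipv4(packet)["proto"] == IPPROTO_IPIP
    except ValueError:
        return True


def demo() -> dict:
    """Constructed scenario: outer packet to the device, inner packet to a
    host the device's inbound ACL is supposed to protect."""
    device_ip = "192.0.2.1"
    protected_host = "10.0.0.50"
    # inner: UDP/53 from an Internet host to the protected host (8-byte UDP header + 4 bytes)
    inner = build_ipv4("198.51.100.7", protected_host, 17,
                       b"\x00\x35\x00\x35\x00\x0c\x00\x00" + b"UDP!")
    outer = build_ipv4("203.0.113.9", device_ip, IPPROTO_IPIP, inner)
    decapped = vulnerable_decapsulate(outer, {device_ip})
    return {
        "outer_dst": parse_ipv4(outer)["dst"],          # what an outer-header ACL sees
        "inner_dst": decapped["dst"] if decapped else None,  # what actually gets forwarded
        "dropped_by_filter": filter_ipip(outer),         # protocol-4 filter blocks it
        "not_local_ignored": vulnerable_decapsulate(outer, {"192.0.2.2"}) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that an ACL evaluating only the outer header sees a packet for 192.0.2.1 and lets it through, while the device then processes a packet for 10.0.0.50; a filter keyed on protocol number 4, applied in front of or on the device, removes the problem before the header is ever decapsulated. On a real device the equivalent is an ACL entry that denies IP protocol 4 on the interfaces facing untrusted networks.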
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4
https://kb.cert.org/vuls/id/636397
https://www.hkcert.org/my_url/en/alert/20060303
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10136