#VU56839 Resource exhaustion in Cisco cBR-8 Converged Broadband and Cisco IOS XE - CVE-2021-1622

Cybersecurity Help s.r.o.

Published: 2021-09-23

Vulnerability identifier: #VU56839

Vulnerability risk: High

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-1622

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Cisco cBR-8 Converged Broadband
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco IOS XE
Operating systems & Components / Operating system

Vendor: Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a deadlock condition in the code when processing Common Open Policy Service (COPS) packets. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Cisco cBR-8 Converged Broadband: All versions

Cisco IOS XE: before 16.12.1z1, 17.3.1x, 16.12.1z1, 16.12.1z1

External links
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cbr8-cops-Vc2ZsJSx

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Denial of service in Cisco IOS XE Software for Cisco cBR-8 Converged Broadband Routers