> when a tunnel interface is manually configured on the device using tunnel mode ipip and appropriate tunnel source and tunnel destination. The device is not expected to decapsulate and process any IP in IP traffic that is not destined to such a tunnel interface.

> This vulnerability causes an affected device to unexpectedly decapsulate and process IP in IP packets that are destined to a locally configured IP address, even when no tunnel configuration is present. Any input ACL configured on an inbound interface of the affected device is evaluated against the IP fields on the carrier IP packet prior to decapsulation; it would not be evaluated on the passenger IP packet.

> Under specific conditions, processing of a crafted IP in IP packet could cause the network stack process to crash on an affected device.

Ummmmm.... This sounds embarrassingly bad for Cisco. The crash DoS is just a cherry on top. But failing to filter tunneled packets is a bit of a wtf, especially if you don't even have tunneling configured.

And despite this being marked as a generic vuln, the gist really seems to be just squarely a Cisco implementation fault.
The cert alert seems to imply this is a general vulnerability, but really it mostly seems to be a default misconfiguration enabling IP-in-IP on a few products. I just modified the PoC and did a scan of my home network, which has a pretty broad range of random consumer gear. Nothing decapsulated the scan packets. So while there are clearly some affected products and they clearly need patching, it doesn't seem all that widespread.
Is this really a vulnerability? This is just expected behavior of IP-in-IP. I don't know of any devices that have IP-in-IP enabled by default because you need to be careful setting it up to work correctly.

Edit: Now I see that some devices have been found that have IP-in-IP switched on by default, which is crazily stupid.
Does anyone here keep fractional packet dumps of internet backbone traffic?

If so, could they check those logs for IP-in-IP packets that might have been abusing this vulnerability?
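
The kind of check asked about in the last comment, as an added example that is not part of the thread: it scans raw IPv4 packets for protocol 4 (IP-in-IP) whose outer destination is not a configured tunnel endpoint, and reports the passenger header that an ACL evaluated on the carrier packet would not see. The function names, the `tunnel_endpoints` parameter and the sample packets are assumptions made for illustration; packets are assumed to start at the IPv4 header with the link layer already stripped.

```python
import socket
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IPv4-in-IPv4 encapsulation


def parse_ipv4(buf):
    """Return (src, dst, proto, payload) for a raw IPv4 packet, or None if malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    if ihl < 20 or len(buf) < ihl or total_len < ihl:
        return None
    src, dst = socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20])
    return src, dst, buf[9], buf[ihl:min(total_len, len(buf))]


def find_ipip(packets, tunnel_endpoints=()):
    """Flag IP-in-IP packets whose outer destination is not a configured tunnel endpoint."""
    hits = []
    for index, raw in enumerate(packets):
        outer = parse_ipv4(raw)
        if outer is None or outer[2] != IPPROTO_IPIP or outer[1] in tunnel_endpoints:
            continue
        inner = parse_ipv4(outer[3])  # passenger header, never seen by an outer-only ACL
        hits.append({"index": index, "outer": outer[:2],
                     "inner": inner[:3] if inner else None})
    return hits


def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (checksum left at zero) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


# Constructed sample traffic on documentation address ranges (not a real capture).
SAMPLE = [
    build_ipv4("198.51.100.7", "192.0.2.1", 6, b"\x00" * 20),            # plain TCP
    build_ipv4("198.51.100.7", "192.0.2.1", IPPROTO_IPIP,                # no tunnel here
               build_ipv4("192.0.2.50", "192.0.2.99", 17, b"\x00" * 8)),
    build_ipv4("198.51.100.7", "192.0.2.254", IPPROTO_IPIP,              # configured tunnel
               build_ipv4("203.0.113.1", "203.0.113.2", 1)),
    build_ipv4("198.51.100.7", "192.0.2.1", IPPROTO_IPIP, b"\x45\x00"),  # truncated inner
]

if __name__ == "__main__":
    for hit in find_ipip(SAMPLE, tunnel_endpoints={"192.0.2.254"}):
        print(hit)
```

A hit with `inner` set to `None` means the passenger header was truncated or malformed, which is worth a separate look given the crash condition quoted at the top of the thread.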