07-23-2021 08:44 AM
Is it possible to mitigate this CVE by using ip arp inspection limit as a temporary workaround? Besides, ARP is an L2 protocol. How can a remote attacker exploit this CVE? I guess the exploit can only be executed from the local LAN and only has impact on the local LAN.
10-19-2021 10:32 AM
I was wondering this as well. Additionally, if we're running ISE to lock down our access ports via dACLs, how would this ARP exhaustion be implemented?
In reviewing the literature, I see no source of how this originates. It's just some nebulous reference to ARP mismanagement leaving this service vulnerable to exploit. Does this require remote or chassis level access?
06-29-2022 02:28 AM
IP ARP inspection will not help you here.
The issue here is that the router's capacity to generate ARP requests for packets that it needs to forward, but for which it does not already have an adjacency / ARP entry, is severely limited.
A potential DoS exploiting this vulnerability is possible by sending IP packets to a large number of different IP destinations that are directly connected to the target router, at a moderately sustained packet rate.
Successful exploitation would require the attacker to have some knowledge of the IP ranges that are directly connected to the target device, but clearly IS possible from a location remote to the target.
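The symptom of the condition described in the reply above is a router that is soliciting many directly connected addresses that never answer, which shows up as a pile of `Incomplete` rows in `show ip arp`. The following is an added detection heuristic, not code from the thread or from Cisco: it parses `show ip arp` text, attributes `Incomplete` rows (which carry no interface column) to the connected prefix they fall in, and flags any interface whose count meets a threshold. The sample output, the connected prefixes and the threshold value are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Cisco IOS `show ip arp` output using documentation
# address ranges; this is not output captured from a real device.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0011.2233.4455  ARPA   GigabitEthernet0/1
Internet  192.0.2.10              5   0011.2233.4466  ARPA   GigabitEthernet0/1
Internet  192.0.2.77              0   Incomplete      ARPA
Internet  192.0.2.78              0   Incomplete      ARPA
Internet  192.0.2.79              0   Incomplete      ARPA
Internet  192.0.2.80              0   Incomplete      ARPA
Internet  192.0.2.81              0   Incomplete      ARPA
Internet  198.51.100.1            -   0011.2233.4477  ARPA   GigabitEthernet0/2
Internet  198.51.100.20          12   0011.2233.4488  ARPA   GigabitEthernet0/2
Internet  198.51.100.33           0   Incomplete      ARPA
"""

# Prefixes directly connected to the router (hypothetical values; in practice
# derive them from the running configuration).
CONNECTED_PREFIXES = {
    "GigabitEthernet0/1": ipaddress.ip_network("192.0.2.0/24"),
    "GigabitEthernet0/2": ipaddress.ip_network("198.51.100.0/24"),
}

# One `show ip arp` row: address, age, hardware address (or "Incomplete"),
# encapsulation type, and an optional interface column.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<addr>\S+)\s+(?P<age>\S+)\s+(?P<hw>\S+)\s+ARPA(?:\s+(?P<intf>\S+))?"
)


def parse_arp_table(text):
    """Return one dict per ARP entry; 'incomplete' marks an unanswered solicitation."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # header or unrelated line
        entries.append({
            "addr": ipaddress.ip_address(m["addr"]),
            "hw": m["hw"],
            "intf": m["intf"],
            "incomplete": m["hw"].lower() == "incomplete",
        })
    return entries


def interface_for(addr, prefixes=CONNECTED_PREFIXES):
    """Map an address to the connected interface it belongs to (longest prefix wins)."""
    best = None
    for intf, net in prefixes.items():
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (intf, net)
    return best[0] if best else None


def incomplete_per_interface(entries, prefixes=CONNECTED_PREFIXES):
    """Count Incomplete entries per connected interface.

    Incomplete rows have no interface column in the output, so they are
    attributed through the connected prefixes instead.
    """
    counts = Counter()
    for e in entries:
        if e["incomplete"]:
            intf = e["intf"] or interface_for(e["addr"], prefixes)
            counts[intf or "unknown"] += 1
    return counts


def flag_exhaustion(entries, threshold=4, prefixes=CONNECTED_PREFIXES):
    """Interfaces whose number of Incomplete entries meets the threshold.

    The threshold is a constructed example value; tune it to the platform's
    ARP-request capacity and to the normal churn on each segment.
    """
    counts = incomplete_per_interface(entries, prefixes)
    return sorted(intf for intf, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_arp_table(SAMPLE_SHOW_IP_ARP)
    print("incomplete per interface:", dict(incomplete_per_interface(parsed)))
    print("interfaces flagged:", flag_exhaustion(parsed))
```

Run it against a scheduled `show ip arp` capture; a growing count of `Incomplete` entries concentrated on one connected prefix is the pattern to investigate, and the same parse can feed a per-interval delta so a sudden jump stands out from ordinary host churn.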