CVE-2023-20027 — Vulnetix

CVE-2023-20027 PUBLISHED CVSS 8.600000381469727 HIGH

A vulnerability in the implementation of the IPv4 Virtual Fragmentation Reassembly (VFR) feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper reassembly of large packets that occurs when VFR is enabled on either a tunnel interface or on a physical interface that is configured with a maximum transmission unit (MTU) greater than 4,615 bytes. An attacker could exploit this vulnerability by sending fragmented packets through a VFR-enabled interface on an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

EPSS 1.09% · 78.4th percentile

Risk Scores

CVSS 3.1

8.600000381469727

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

EPSS Score

1.09%

78.4th percentile

Affected Products

Vendor	Product	Versions
cisco	ios_xe	3.9.1s, 3.9.2s, 3.10.1s
Cisco	Cisco IOS XE Software	n/a

Exploit Intelligence

CIRCL seen: CVE-2023-20027 (circl-sighting)
20230322 Cisco IOS XE Software Virtual Fragmentation Reassembly Denial of Service Vulnerability (circl)

Timeline

Mar 23, 2023 CVE Published
Mar 24, 2023 EPSS Score
May 1, 2023 EPSS Score
Jun 9, 2023 EPSS Score
Jul 3, 2023 PoC Published
Jul 17, 2023 EPSS Score
Aug 25, 2023 EPSS Score
Oct 2, 2023 EPSS Score
Nov 9, 2023 EPSS Score
Dec 18, 2023 EPSS Score
Jan 25, 2024 EPSS Score
Mar 3, 2024 EPSS Score

References

20230322 Cisco IOS XE Software Virtual Fragmentation Reassembly Denial of Service Vulnerability vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2023-20027 advisory

Open in Interactive Console →