HIGH · 7.4

CVE-2020-3508

Vulnerability Description

A vulnerability in the IP Address Resolution Protocol (ARP) feature of Cisco IOS XE Software for Cisco ASR 1000 Series Aggregation Services Routers with a 20-Gbps Embedded Services Processor (ESP) installed could allow an unauthenticated, adjacent attacker to cause an affected device to reload, resulting in a denial of service condition. The vulnerability is due to insufficient error handling when an affected device has reached platform limitations. An attacker could exploit this vulnerability by sending a malicious series of IP ARP messages to an affected device. A successful exploit could allow the attacker to exhaust system resources, which would eventually cause the affected device to reload.

CVSS Score

7.4

HIGH

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality: NONE
Integrity: NONE
Availability: HIGH

Affected Products

Vendor | Product | Versions
Cisco | Ios Xe | 16.3.1
Cisco | 1000V | -
Cisco | 4321 Integrated Services Router | -
Cisco | 4331 Integrated Services Router | -
Cisco | 4351 Integrated Services Router | -
Cisco | 4431 Integrated Services Router | -
Cisco | Asr 1000 | -
Cisco | Asr 1001-Hx | -
Cisco | Asr 1001-X | -
Cisco | Asr 1002-Hx | -
Cisco | Asr 1002-X | -
Cisco | Catalyst 3650-12X48Fd-E | -
Cisco | Catalyst 3650-12X48Fd-L | -
Cisco | Catalyst 3650-12X48Fd-S | -
Cisco | Catalyst 3650-24Pd-E | -
Cisco | Catalyst 3650-24Pd-L | -
Cisco | Catalyst 3650-24Pd-S | -
Cisco | Catalyst 3650-24Pdm-E | -
Cisco | Catalyst 3650-24Pdm-L | -
Cisco | Catalyst 3650-24Pdm-S | -

Related Weaknesses (CWE)

References

FAQ

What is CVE-2020-3508?

CVE-2020-3508 is a vulnerability with a CVSS score of 7.4 (HIGH). A vulnerability in the IP Address Resolution Protocol (ARP) feature of Cisco IOS XE Software for Cisco ASR 1000 Series Aggregation Services Routers with a 20-Gbps Embedded Services Processor (ESP) ins...

How severe is CVE-2020-3508?

CVE-2020-3508 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2020-3508?

Check the references section above for vendor advisories and patch information. Affected products include: Cisco Ios Xe, Cisco 1000V, Cisco 4321 Integrated Services Router, Cisco 4331 Integrated Services Router, Cisco 4351 Integrated Services Router.