CERT/CC Vulnerability Note VU#199397

Overview

Tunnelling protocols are an essential part of the Internet and form much of the backbone that modern network infrastructure relies on today. One limitation of these protocols is that they do not authenticate and/or encrypt traffic. Though this limitation exists, IPsec can be implemented to help prevent attacks. However, implementation of these protocols have been executed poorly in some areas.

For the latest security findings from the researchers at the DistriNet-KU Leuven research group, please refer to: https://papers.mathyvanhoef.com/usenix2025-tunnels.pdf

Description

Researchers at the DistriNet-KU Leuven research group have discovered millions of vulnerable Internet systems that accept unauthenticated IPIP, GRE, 4in6, or 6in4 traffic. This can be considered a generalization of the vulnerability in VU#636397 : IP-in-IP protocol routes arbitrary traffic by default (CVE-2020-10136). The exposed systems can be abused as one-way proxies, enable an adversary to spoof the source address of packets (CWE-290 Authentication Bypass by Spoofing), or permit access to an organization's private network. Vulnerable systems can also facilitate Denial-of-Service (DoS) attacks. Two types of DoS attacks exploiting this vulnerability can amplify traffic: one concentrates traffic in time ("Tunneled-Temporal Lensing"), and the other can loop packets between vulnerable systems, resulting in an amplification factor of at least 13- and 75-fold, respectively. Additionally, the researchers discovered an Economic Denial of Sustainability (EDoS), where the outgoing bandwidth of a vulnerable system is drained, raising the cost of operations if hosted by a third-party cloud service provider.

Impact

An adversary can abuse these security vulnerabilities to create one-way proxies and spoof source IPv4/6 addresses. Vulnerable systems may also allow access to an organization's private network or be abused to perform DDoS attacks.

Solution

See the "Defences" section in the researcher's publication https://papers.mathyvanhoef.com/usenix2025-tunnels.pdf

Acknowledgements

Thanks to the researchers Mathy Vanhoef and Angelos Beitis of the DistriNet-KU Leuven research group for the initial discovery and research. This document was written by Ben Koo.

CVE-2024-7595 GRE and GRE6 Protocols (RFC2784) do not validate or verify the source of a network packet, allowing an attacker to route arbitrary traffic via an exposed network interface that can lead to spoofing, access control bypass, and other unexpected network behaviors. This can be considered similar to CVE-2020-10136.

CVE-2024-7596 Proposed Generic UDP Encapsulation (GUE) (IETF draft-ietf-intarea-gue*) does not validate or verify the source of a network packet, allowing an attacker to route arbitrary traffic via an exposed network interface that can lead to spoofing, access control bypass, and other unexpected network behaviors. This can be considered similar to CVE-2020-10136.

*Note: GUE Draft is expired and no longer canonical.

CVE-2025-23018 The IPv4-in-IPv6 and IPv6-in-IPv6 protocols (RFC2473) do not require the validation or verification of the source of a network packet, allowing an attacker to route arbitrary traffic via an exposed network interface that can lead to spoofing, access control bypass, and other unexpected network behaviors. This can be considered similar to CVE-2020-10136.

CVE-2025-23019 The IPv6-in-IPv4 protocol (RFC4213) does not require authentication of incoming packets, allowing an attacker to route traffic via an exposed network interface that can lead to spoofing, access control bypass, and other unexpected network behaviors.

Note: CVE-2024-7595, CVE-2024-7596, and CVE-2025-23018 are considered similar to CVE-2020-10136 in that they highlight the inherent weakness that these protocols do not validate or verify the source of a network packet. These distinct CVEs are meant to specify the different protocols in question that are vulnerable.

For reference: (CVE-2020-10136) Multiple products that implement the IP Encapsulation within IP (IPIP) standard (RFC 2003, STD 1) decapsulate and route IP-in-IP traffic without any validation, which could allow an unauthenticated remote attacker to route arbitrary traffic via an exposed network interface and lead to spoofing, access control bypass, and other unexpected network behaviors.

Vendor Information

199397

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Cisco Affected

Notified: 2024-05-28 Updated: 2025-01-17

Statement Date: January 14, 2025

CVE-2020-10136

Affected

Vendor Statement:

Cisco has fixed products affected by this CVE in its default configuration and released a security advisory for it at the time of the original disclosure in 2020. Please refer to VU#636397 and to the security advisory link in the References section.

References:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4

CVE-2024-7595

Not Affected

CVE-2024-7596

Not Affected

CVE-2025-23018

Not Affected

CVE-2025-23019

Not Affected

Vendor Statement

Cisco has tested our core routing platforms. In the default state and with common tunnel configurations they were confirmed not vulnerable, aside from what was already disclosed and fixed in 2020 at the time of the original CVE-2020-10136 report (see https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4).

There are a limited set of uncommon tunnel configurations that could make devices decapsulate traffic coming from any source IP, making these issues potentially applicable. As there are situations where this may be desirable and other methods can be implemented to protect from unintentional decapsulation these are configuration in nature rather than vulnerabilities, as the devices would be performing as they are configured to in such cases.

Honeywell Affected

Notified: 2024-05-28 Updated: 2025-01-17

Statement Date: July 01, 2024

CVE-2020-10136

Affected

CVE-2024-7595

Affected

CVE-2024-7596

Affected

CVE-2025-23018

Unknown

CVE-2025-23019

Unknown

Vendor Statement

We have not received a statement from the vendor.

Juniper Networks Affected

Notified: 2024-05-28 Updated: 2025-07-16

Statement Date: July 15, 2025

CVE-2020-10136

Not Affected

CVE-2024-7595

Affected

Vendor Statement:

Junos OS is not vulnerable to this issue. This issue affects Junos OS Evolved but is not exploitable. While it does respond to unconfigured IPIPv6 tunnel requests, it does not forward the traffic. A fix for responding to unconfigured IPIPv6 tunnel requests will be implemented in a future release.

CVE-2024-7596

Not Affected

CVE-2025-23018

Unknown

CVE-2025-23019

Unknown

Vendor Statement

This issue has been published as a Juniper Security Advisory JSA100061

Marvell Semiconductor Affected

Notified: 2024-05-28 Updated: 2025-01-17

Statement Date: December 31, 2024

CVE-2020-10136

Affected

Vendor Statement:

Marvell's components could be affected by this vulnerability.

References:

Prestera, and Teralynx product lines

CVE-2024-7595

Affected

Vendor Statement:

Marvell's components could be affected by this vulnerability.

References:

Prestera, and Teralynx product lines

CVE-2024-7596

Affected

Vendor Statement:

Marvell's components could be affected by this vulnerability. MTS, Prestera and Teralynx product lines.

CVE-2025-23018

Unknown

CVE-2025-23019

Unknown

Arista Networks Not Affected

Notified: 2024-05-28 Updated: 2025-01-17

Statement Date: July 10, 2024

CVE-2020-10136

Not Affected

CVE-2024-7595

Not Affected

CVE-2024-7596

Not Affected

CVE-2025-23018

Unknown

CVE-2025-23019

Unknown

Vendor Statement

We have not received a statement from the vendor.

Aruba Networks Not Affected

Notified: 2024-05-28 Updated: 2025-01-17

Statement Date: June 04, 2024

CVE-2020-10136

Not Affected

CVE-2024-7595

Not Affected

CVE-2024-7596

Not Affected

CVE-2025-23018

Unknown

CVE-2025-23019

Unknown

Vendor Statement

We have not received a statement from the vendor.

Deutsche Telekom Not Affected

Notified: 2024-05-28 Updated: 2025-02-24

Statement Date: February 24, 2025

CVE-2020-10136

Not Affected

CVE-2024-7595

Not Affected

CVE-2024-7596

Not Affected

CVE-2025-23018

Not Affected

CVE-2025-23019

Not Affected

Vendor Statement

We have not received a statement from the vendor.

D-Link Systems Inc. Not Affected

Notified: 2024-05-28 Updated: 2025-02-03

Statement Date: January 31, 2025

CVE-2020-10136

Not Affected

Vendor Statement:

D-Link is aware and is investigating any impact to it's devices and owners of these devices. Questions can be sent to: security @ dlink.com

CVE-2024-7595

Not Affected

Vendor Statement:

D-Link is aware and is investigating any impact to it's devices and owners of these devices. Questions can be sent to: security @ dlink.com

CVE-2024-7596

Not Affected

Vendor Statement:

D-Link is aware and is investigating any impact to it's devices and owners of these devices. Questions can be sent to: security @ dlink.com

CVE-2025-23018

Not Affected

CVE-2025-23019

Not Affected

Vendor Statement

D-Link Corporation continues to investigate it's product-line and isn't currently aware of any affected active products.

We will continue to be vigilent as the significant scope of these vulnerabilites may require addition patches if we discover or are made aware of an issue with D-Link devices.

William Brown D-Link US SIRT security@us.dlink.com

eCosCentric Not Affected

Notified: 2024-05-28 Updated: 2025-01-17

Statement Date: January 14, 2025

CVE-2020-10136

Not Affected

CVE-2024-7595

Not Affected

CVE-2024-7596

Not Affected

CVE-2025-23018

Not Affected

CVE-2025-23019

Not Affected

Vendor Statement

We have not received a statement from the vendor.

eero Not Affected

Notified: 2024-05-28 Updated: 2025-01-17

Statement Date: June 17, 2024

CVE-2020-10136

Not Affected

CVE-2024-7595

Not Affected

CVE-2024-7596

Not Affected

CVE-2025-23018

Unknown

CVE-2025-23019

Unknown

Vendor Statement

We have not received a statement from the vendor.

Fastly Not Affected

Notified: 2024-05-28 Updated: 2025-01-27

Statement Date: January 24, 2025

CVE-2020-10136

Not Affected

CVE-2024-7595

Not Affected

Vendor Statement:

We do not use GRE and GRE6 protocols.

CVE-2024-7596

Not Affected

Vendor Statement:

We have added mitigations, such as security header validation, and should no longer be affected.

CVE-2025-23018

Not Affected

CVE-2025-23019

Not Affected

Vendor Statement

Fastly does not use GRE, GRE6, IPIP, 6in4, etc. So, if that list disclosed is complete for the researchers' methodology, Fastly is not impacted.

Illumos Not Affected

Notified: 2024-05-28 Updated: 2025-02-11

Statement Date: February 10, 2025

CVE-2020-10136

Not Affected

CVE-2024-7595

Not Affected

Vendor Statement:

Upstream illumos has no GRE implementation. Distributions might, but to our knowledge none do.

CVE-2024-7596

Not Affected

Vendor Statement:

Upstream illumos has no GRE implementation. Distributions might, but to our knowledge none do.

CVE-2025-23018

Not Affected

CVE-2025-23019

Not Affected

Vendor Statement

illumos and its distributions only accept IP{v4,v6}-in-IP{v4,v6} if so configured, and except for 6to4 tunnels, only between two IP endpoints. See the iptun(4D) manual page in illumos for more details, as well as the forwarding property in the ipadm(8) man page for each network interface.

We will send ICMP unreachable messages (bad protocol) in response by default, but these can be disabled.

LANCOM Systems GmbH Not Affected

Notified: 2024-05-28 Updated: 2025-01-17

Statement Date: November 28, 2024

CVE-2020-10136

Not Affected

CVE-2024-7595

Not Affected

CVE-2024-7596

Not Affected

CVE-2025-23018

Unknown

CVE-2025-23019

Unknown

Vendor Statement

We have not received a statement from the vendor.

LiteSpeed Technologies Not Affected

Notified: 2024-05-28 Updated: 2025-01-17

Statement Date: August 07, 2024

CVE-2020-10136

Not Affected

CVE-2024-7595

Not Affected

CVE-2024-7596

Not Affected

CVE-2025-23018

Unknown

CVE-2025-23019

Unknown

Vendor Statement

We have not received a statement from the vendor.

lwIP Not Affected

Notified: 2024-05-28 Updated: 2025-01-17

Statement Date: June 21, 2024

CVE-2020-10136

Not Affected

CVE-2024-7595

Not Affected

CVE-2024-7596

Not Affected

CVE-2025-23018

Unknown

CVE-2025-23019

Unknown

Vendor Statement

We have not received a statement from the vendor.

Medtronic Not Affected

Notified: 2024-05-28 Updated: 2025-01-17

Statement Date: July 31, 2024

CVE-2020-10136

Not Affected

CVE-2024-7595

Not Affected

CVE-2024-7596

Not Affected

CVE-2025-23018

Unknown

CVE-2025-23019

Unknown

Vendor Statement

We have not received a statement from the vendor.

NetBSD Not Affected

Notified: 2024-05-28 Updated: 2025-01-17

Statement Date: November 27, 2024

CVE-2020-10136

Not Affected

Vendor Statement:

NetBSD's RFC 2003 implementation, the gif(4) driver, validates source and destination addresses of incoming packets. Any packets not matching a configured source/destination address pair are delivered only to programs listening on raw sockets, if any, and are not forwarded. (Similarly for NetBSD's L2TP and IPsec drivers, l2tp(4) and ipsecif(4).)

CVE-2024-7595

Not Affected

Vendor Statement:

It is possible for a privileged userland application to create a GRE tunnel that does not verify source addresses, by creating a bound but disconnected socket and configuring a gre(4) interface to use it with ioctl(GRESSOCK), but NetBSD does not ship with any such applications.

CVE-2024-7596

Not Affected

Vendor Statement:

NetBSD does not ship a GUE implementation.

CVE-2025-23018

Unknown

CVE-2025-23019

Unknown

Paessler Not Affected

Notified: 2024-05-28 Updated: 2025-01-17

Statement Date: January 14, 2025

CVE-2020-10136

Not Affected

CVE-2024-7595

Not Affected

CVE-2024-7596

Not Affected

CVE-2025-23018

Not Affected

CVE-2025-23019

Not Affected

Vendor Statement

We have not received a statement from the vendor.

SonicWall Not Affected

Notified: 2024-05-28 Updated: 2025-01-17

Statement Date: June 06, 2024

CVE-2020-10136

Not Affected

Vendor Statement:

The CVE-2020-10136 does not impact SonicWall products.

CVE-2024-7595

Unknown

CVE-2024-7596

Unknown

CVE-2025-23018

Unknown

CVE-2025-23019

Unknown

Treck Not Affected

Notified: 2024-05-28 Updated: 2025-01-17

Statement Date: October 04, 2024

CVE-2020-10136

Unknown

CVE-2024-7595

Not Affected

CVE-2024-7596

Not Affected

CVE-2025-23018

Unknown

CVE-2025-23019

Unknown

Vendor Statement

We have not received a statement from the vendor.

Wind River Not Affected

Notified: 2024-05-28 Updated: 2025-01-30

Statement Date: January 28, 2025

CVE-2020-10136

Not Affected

CVE-2024-7595

Not Affected

CVE-2024-7596

Not Affected

CVE-2025-23018

Not Affected

CVE-2025-23019

Not Affected

Vendor Statement

We have not received a statement from the vendor.

ZTE Corporation Not Affected

Notified: 2024-05-28 Updated: 2025-01-17

Notified: 2024-05-28 Updated: 2025-01-17

Notified: 2024-05-28 Updated: 2025-01-17

References

Other Information

CVE IDs:	CVE-2020-10136 CVE-2024-7595 CVE-2024-7596 CVE-2025-23018 CVE-2025-23019
API URL:	VINCE JSON \| CSAF
Date Public:	2025-01-17
Date First Published:	2025-01-17
Date Last Updated:	2025-07-16 15:07 UTC
Document Revision:	7

Software Engineering Institute

CERT Coordination Center

Insecure Implementation of Tunneling Protocols (GRE/IPIP/4in6/6in4)

Vulnerability Note VU#199397

Overview

Description

Impact

Solution

Acknowledgements

Vendor Information

Cisco Affected

Vendor Statement

Honeywell Affected

Vendor Statement

Juniper Networks Affected

Vendor Statement

Marvell Semiconductor Affected

Arista Networks Not Affected

Vendor Statement

Aruba Networks Not Affected

Vendor Statement

Deutsche Telekom Not Affected

Vendor Statement

D-Link Systems Inc. Not Affected

Vendor Statement

eCosCentric Not Affected

Vendor Statement

eero Not Affected

Vendor Statement

Fastly Not Affected

Vendor Statement

Illumos Not Affected

Vendor Statement

LANCOM Systems GmbH Not Affected

Vendor Statement

LiteSpeed Technologies Not Affected

Vendor Statement

lwIP Not Affected

Vendor Statement

Medtronic Not Affected

Vendor Statement

NetBSD Not Affected

Paessler Not Affected

Vendor Statement

SonicWall Not Affected

Treck Not Affected

Vendor Statement

Wind River Not Affected

Vendor Statement

ZTE Corporation Not Affected

Vendor Statement

A10 Networks Unknown

Vendor Statement

ACCESS Unknown

Vendor Statement

Actelis Networks Unknown

Vendor Statement

Actiontec Unknown

Vendor Statement

ADATA Unknown

Vendor Statement

ADTRAN Unknown

Vendor Statement

Advantech B-B Technology Unknown

Vendor Statement

Advantech Czech Unknown

Vendor Statement

Advantech Taiwan Unknown

Vendor Statement

Aerohive Unknown

Vendor Statement

AhnLab Inc Unknown

Vendor Statement

AirWatch Unknown

Vendor Statement

Akamai Technologies Inc. Unknown

Vendor Statement

Alcatel-Lucent Enterprise Unknown

Vendor Statement

Allied Telesis Unknown