SB2021032513 - Denial of service in Cisco IOS XE Software Web UI
Published: March 25, 2021
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2021-1220)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the web UI of Cisco IOS XE Software. A remote authenticated user can send a specially crafted HTTP request to the web UI and cause the web management software to hang and consume all available vty lines, preventing new session establishment.
2) Resource exhaustion (CVE-ID: CVE-2021-1356)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources within the web UI of Cisco IOS XE Software. A remote authenticated user can send specially crafted HTTP requests to the web UI and cause the web management software to hang and consume all available vty lines, preventing new session establishment.
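Both issues above share one observable symptom: hung web UI sessions pin the device's vty lines until none are free. The following added example (not from the bulletin or from Cisco) parses a constructed `show users` capture and flags vty-pool exhaustion and long-idle sessions; it assumes the standard column layout with a populated User column and an assumed pool size of 5 (IOS XE's default `line vty 0 4`), which should be set to the device's actual configuration.

```python
from __future__ import annotations
from typing import NamedTuple

# Constructed sample of `show users` output (not taken from the bulletin).
# Every vty line is held by an idle session from one source, the pattern
# left behind when the web UI hangs and stops releasing lines.
SAMPLE_SHOW_USERS = """\
    Line       User       Host(s)              Idle       Location
*  0 con 0                idle                 00:00:05
 194 vty 0     admin      idle                 00:41:12 192.0.2.10
 195 vty 1     admin      idle                 00:40:58 192.0.2.10
 196 vty 2     admin      idle                 00:40:31 192.0.2.10
 197 vty 3     admin      idle                 00:39:47 192.0.2.10
 198 vty 4     admin      idle                 00:39:02 192.0.2.10
"""


class VtySession(NamedTuple):
    number: int
    user: str
    idle: str
    location: str


def parse_vty_sessions(show_users: str) -> list[VtySession]:
    """Extract vty rows; assumes columns tty, 'vty', n, user, host, idle, [location]."""
    sessions = []
    for raw in show_users.splitlines():
        tokens = raw.lstrip("*").split()   # '*' marks the current session
        if len(tokens) < 6 or tokens[1] != "vty":
            continue                        # header, console, or aux line
        location = tokens[6] if len(tokens) > 6 else ""
        sessions.append(VtySession(int(tokens[2]), tokens[3], tokens[5], location))
    return sessions


def idle_seconds(idle: str) -> int:
    h, m, s = (int(x) for x in idle.split(":"))
    return h * 3600 + m * 60 + s


def assess_vty_pool(show_users: str, vty_pool_size: int = 5,
                    idle_threshold_s: int = 1800) -> dict:
    """Report exhaustion, stale sessions, and the source holding most lines."""
    sessions = parse_vty_sessions(show_users)
    stale = [s for s in sessions if idle_seconds(s.idle) >= idle_threshold_s]
    per_source: dict[str, int] = {}
    for s in sessions:
        per_source[s.location] = per_source.get(s.location, 0) + 1
    return {
        "in_use": len(sessions),
        "exhausted": len(sessions) >= vty_pool_size,  # no line left for new logins
        "stale": len(stale),
        "top_source": max(per_source, key=per_source.get) if per_source else None,
    }


if __name__ == "__main__":
    print(assess_vty_pool(SAMPLE_SHOW_USERS))
```

On a live device, feed the function the output of `show users` collected over an out-of-band or console path, since the condition being detected is exactly the one that blocks new vty logins.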
Remediation
Install the update from the vendor's website.