> when a tunnel interface is manually configured on the device using tunnel mode ipip and appropriate tunnel source and tunnel destination. The device is not expected to decapsulate and process any IP in IP traffic that is not destined to such a tunnel interface.
> This vulnerability causes an affected device to unexpectedly decapsulate and process IP in IP packets that are destined to a locally configured IP address, even when no tunnel configuration is present. Any input ACL configured on an inbound interface of the affected device is evaluated against the IP fields on the carrier IP packet prior to decapsulation; it would not be evaluated on the passenger IP packet.
> Under specific conditions, processing of a crafted IP in IP packet could cause the network stack process to crash on an affected device.
Ummmmm.... This sounds embarrasingly bad for Cisco. The crash DoS is just a cherry on top. But failing to filter tunneled packets is bit of a wtf, especially if you don't even have tunneling configured.
And despite this being marked as generic vuln, the gist really seem to be just squarely a Cisco implementation fault.
The printers get it from treck (HP OfficeJet and LaserJet use it), which probably means that other clients of this TCP/IP stack will be vulnerable as well. Although I can't figure out why this feature should be "on-by-default" in treck, as most clients probably don't need it activated.
If it were off the UI designers would have to add it to the configuration system of the printer for that 0.1% of (corporate VIP) users who need it. That's something that seems to be a big ask for printer manufacturers. Even something like a SNMP MIB you can write to is a bridge too far.
The cert alert seems to imply this is a general vulnerability, but really it mostly seems to be a default misconfiguration enabling IP-in-IP on a few products. I just modified the PoC and did a scan of my home network, which has a pretty broad range of random consumer gear. Nothing decapsulated the scan packets. So while there are clearly some affected products and they clearly need patching, it doesn't seem all that widespread.
Is this really a vulnerability? This is just expected behavior of IP-in-IP. I don't know of any devices that have IP-in-IP enabled by default because you need to be careful setting it up to work correctly.
Edit: Now I see that some devices have been found that have IP-in-IP switched on by default which is crazily stupid.
> This vulnerability causes an affected device to unexpectedly decapsulate and process IP in IP packets that are destined to a locally configured IP address, even when no tunnel configuration is present. Any input ACL configured on an inbound interface of the affected device is evaluated against the IP fields on the carrier IP packet prior to decapsulation; it would not be evaluated on the passenger IP packet.
> Under specific conditions, processing of a crafted IP in IP packet could cause the network stack process to crash on an affected device.
Ummmmm.... This sounds embarrasingly bad for Cisco. The crash DoS is just a cherry on top. But failing to filter tunneled packets is bit of a wtf, especially if you don't even have tunneling configured.
And despite this being marked as generic vuln, the gist really seem to be just squarely a Cisco implementation fault.