Cisco IOS XE
cpe:2.3:a:cisco:ios_xe:*:*:*:*:*:*:*, +1 more
A denial-of-service vulnerability has been identified in the TLS library of Cisco IOS XE Software. It allows an unauthenticated, adjacent attacker (one with access to the same network segment as the device) to exhaust the available memory on an affected device, leading to an unexpected reload and service disruption. The vulnerability arises from improper memory management during TLS connection setup: per-connection state that is allocated while a handshake is being established is not released when that handshake does not complete. An attacker could exploit this by repeatedly triggering the conditions under which memory usage grows, for example through local EAP authentication or by resetting TLS connections from a machine-in-the-middle position, until the device runs out of memory.
Exploitation of this vulnerability can cause a denial-of-service condition by exhausting the device's available memory, resulting in an unexpected reload.
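The following is an added illustration of the failure class the advisory describes, not Cisco's code and not the actual defect in the IOS XE TLS library. It models a server-side handshake routine that allocates per-connection state (the `tls_ctx_t` struct, the `handshake_*` functions and the counters are all hypothetical names chosen for this example) and shows why a peer that repeatedly resets the connection mid-handshake drives memory usage up when the abort path skips cleanup, and why it does not once every exit path releases the context.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical per-connection TLS state. In a real stack this holds the
 * transcript hash, ephemeral key shares, buffered records, etc. */
typedef struct {
    uint8_t  client_random[32];
    uint8_t *key_share;        /* ephemeral key material, heap-allocated */
    size_t   key_share_len;
} tls_ctx_t;

/* Number of contexts currently allocated; stands in for heap usage so the
 * effect of a leak can be measured without instrumenting malloc. */
static size_t g_live_ctx = 0;

static tls_ctx_t *ctx_alloc(void) {
    tls_ctx_t *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->key_share_len = 256;
    c->key_share = malloc(c->key_share_len);
    if (!c->key_share) { free(c); return NULL; }
    g_live_ctx++;
    return c;
}

static void ctx_free(tls_ctx_t *c) {
    if (!c) return;
    memset(c->key_share, 0, c->key_share_len);   /* scrub key material */
    free(c->key_share);
    free(c);
    g_live_ctx--;
}

/* Simulated peer behaviour after the ClientHello has been processed. */
typedef enum { PEER_COMPLETES, PEER_RESETS } peer_t;

/* Vulnerable pattern: the context is allocated, the peer tears the
 * connection down mid-handshake, and the early return skips ctx_free().
 * Every reset leaks one context, so an attacker who resets connections
 * in a loop grows memory usage without bound. */
bool handshake_vulnerable(peer_t peer) {
    tls_ctx_t *c = ctx_alloc();
    if (!c) return false;
    /* ... ClientHello parsed, key share generated into c->key_share ... */
    if (peer == PEER_RESETS)
        return false;          /* BUG: c is never released */
    ctx_free(c);               /* only the success path cleans up */
    return true;
}

/* Hardened pattern: a single exit path releases the context whether the
 * handshake completed, failed, or was reset by the peer. */
bool handshake_hardened(peer_t peer) {
    tls_ctx_t *c = ctx_alloc();
    if (!c) return false;
    bool ok = (peer != PEER_RESETS);
    /* ... on ok, session established and state handed to the record layer ... */
    ctx_free(c);
    return ok;
}

/* Drive n handshakes that the peer resets; return how many contexts are
 * still live afterwards (0 for a correct implementation, n for a leak). */
size_t simulate_resets(bool (*handshake)(peer_t), size_t n) {
    size_t before = g_live_ctx;
    for (size_t i = 0; i < n; i++)
        (void)handshake(PEER_RESETS);
    return g_live_ctx - before;
}

int main(void) {
    printf("vulnerable: %zu contexts leaked after 1000 resets\n",
           simulate_resets(handshake_vulnerable, 1000));
    printf("hardened:   %zu contexts leaked after 1000 resets\n",
           simulate_resets(handshake_hardened, 1000));
    return 0;
}
```

The point for a reviewer of a TLS implementation is that the abort path is the one the attacker controls: a peer can force the handshake to stop at any step by resetting the connection, so every step between allocation and completion needs the same cleanup as the error path. On a device where heap exhaustion triggers a reload, as described above, a leak of a few hundred bytes per connection is enough for a sustained denial of service.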
Cisco has released software updates that address this vulnerability. To determine which fixed release applies to a given device, consult the Cisco Software Checker, which lists the security advisories affecting a specific Cisco IOS or IOS XE software release and the first release that fixes each of them. Instructions for using the Cisco Software Checker are available on the Cisco Security Advisories page.