CVE-2022-20623
Published: 23 February 2022
Summary
CVE-2022-20623 is a high-severity vulnerability in Cisco NX-OS; no specific CWE weakness type has been assigned to it. Its CVSS base score is 8.6 (High).
Operationally, it ranks in the top 5.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
A vulnerability exists in the rate limiter for Bidirectional Forwarding Detection (BFD) traffic within Cisco NX-OS Software on Nexus 9000 Series Switches. The issue stems from a logic error in the BFD rate limiter that affects both IPv4 and IPv6 traffic, allowing specially crafted packets to bypass intended controls and cause legitimate BFD frames to be dropped.
An unauthenticated remote attacker can exploit the flaw by sending a crafted traffic stream through an affected device. Successful exploitation results in repeated BFD session flaps, which in turn trigger route instability and traffic loss, producing a denial-of-service condition. The vulnerability carries a CVSS 3.1 score of 8.6, reflecting network attack vector, low complexity, and high availability impact with no required privileges or user interaction.
The official Cisco Security Advisory (cisco-sa-nxos-bfd-dos-wGQXrzxn) addresses the issue and is the authoritative source for mitigation steps, including any software updates or configuration changes.
EPSS scores have remained in a narrow band between 0.1309 and 0.1472 with no pronounced post-disclosure increase.
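The observable symptom of this flaw, as the analysis above describes, is repeated BFD session flaps on the affected device. The following added example (not code from Cisco or from the advisory) shows how an operations team could detect that pattern from switch syslog: it parses BFD session-state messages and flags any neighbor/interface pair whose session went down more than a threshold number of times within a sliding time window. The log format, the `%BFD-5-SESSION_STATE_DOWN`/`_UP` message names and the sample lines are all constructed for illustration; the exact message text on a given NX-OS release may differ, so adjust the regular expression to match your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines in an NX-OS-like format (assumption: the
# exact BFD message text on a real device may differ; adapt LINE_RE to taste).
SAMPLE_LOG = """\
2022-02-23T10:00:01 switch1 %BFD-5-SESSION_STATE_DOWN: BFD session to neighbor 10.0.0.2 on interface Eth1/1 has gone down
2022-02-23T10:00:05 switch1 %BFD-5-SESSION_STATE_UP: BFD session to neighbor 10.0.0.2 on interface Eth1/1 is up
2022-02-23T10:00:12 switch1 %BFD-5-SESSION_STATE_DOWN: BFD session to neighbor 10.0.0.2 on interface Eth1/1 has gone down
2022-02-23T10:00:15 switch1 %BFD-5-SESSION_STATE_UP: BFD session to neighbor 10.0.0.2 on interface Eth1/1 is up
2022-02-23T10:00:30 switch1 %BFD-5-SESSION_STATE_DOWN: BFD session to neighbor 10.0.0.2 on interface Eth1/1 has gone down
2022-02-23T10:00:33 switch1 %BFD-5-SESSION_STATE_UP: BFD session to neighbor 10.0.0.2 on interface Eth1/1 is up
2022-02-23T10:01:00 switch1 %ETHPORT-5-IF_UP: Interface Ethernet1/3 is up
2022-02-23T10:02:00 switch1 %BFD-5-SESSION_STATE_DOWN: BFD session to neighbor 10.0.0.6 on interface Eth1/2 has gone down
2022-02-23T10:02:10 switch1 %BFD-5-SESSION_STATE_UP: BFD session to neighbor 10.0.0.6 on interface Eth1/2 is up
"""

# Matches only BFD session-state messages; other syslog lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %BFD-5-SESSION_STATE_(?P<state>DOWN|UP): "
    r"BFD session to neighbor (?P<neighbor>\S+) on interface (?P<intf>\S+)"
)


def parse_events(log_text):
    """Return a list of (timestamp, neighbor, interface, state) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        events.append((ts, m.group("neighbor"), m.group("intf"), m.group("state")))
    return events


def find_flapping_sessions(log_text, window_seconds=60, threshold=3):
    """Map (neighbor, interface) -> max number of DOWN transitions seen in any
    window of window_seconds, for pairs that reached the threshold."""
    downs = defaultdict(list)
    for ts, neighbor, intf, state in parse_events(log_text):
        if state == "DOWN":
            downs[(neighbor, intf)].append(ts)

    window = timedelta(seconds=window_seconds)
    flapping = {}
    for key, times in downs.items():
        times.sort()
        start = 0
        best = 0
        # Sliding window over sorted DOWN timestamps: count the densest burst.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flapping[key] = best
    return flapping


if __name__ == "__main__":
    for (neighbor, intf), count in find_flapping_sessions(SAMPLE_LOG).items():
        print(f"BFD flapping: neighbor {neighbor} on {intf}, {count} down events within 60s")
```

Only the session to 10.0.0.2 on Eth1/1 is reported: it went down three times in under 30 seconds, while the single transition on Eth1/2 stays below the threshold. Correlating such bursts with routing-protocol adjacency changes on the same device is a reasonable next step, since the advisory's impact is route instability rather than the BFD flaps themselves.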
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-25873
Vulnerability details
A vulnerability in the rate limiter for Bidirectional Forwarding Detection (BFD) traffic of Cisco NX-OS Software for Cisco Nexus 9000 Series Switches could allow an unauthenticated, remote attacker to cause BFD traffic to be dropped on an affected device. This vulnerability is due to a logic error in the BFD rate limiter functionality. An attacker could exploit this vulnerability by sending a crafted stream of traffic through the device. A successful exploit could allow the attacker to cause BFD traffic to be dropped, resulting in BFD session flaps. BFD session flaps can cause route instability and dropped traffic, resulting in a denial of service (DoS) condition. This vulnerability applies to both IPv4 and IPv6 traffic.
- CWE(s): none assigned
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.