Cisco: CISCO-SA-20131113-CVE-2013-6686
Nov 13, 2013 - 8:19 p.m.

Cisco IOS Software SSL VPN Interface Queue Wedge Denial of Service Vulnerability

2013-11-13 20:19:00
tools.cisco.com

CVSS2: 6.8 (AV:N/AC:L/Au:S/C:N/I:N/A:C)

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

EPSS: 0.001
Percentile: 45.3%

A vulnerability in the Datagram Transport Layer Security (DTLS) function of the Cisco IOS Software SSL VPN feature could allow an authenticated, remote attacker to cause the SSL VPN gateway interface to stop processing traffic when the queue is full, resulting in a denial of service (DoS) condition.

The vulnerability is due to improper processing of specific DTLS packets. An attacker could exploit this vulnerability by creating an SSL session and then sending crafted DTLS packets. An exploit could allow the attacker to cause the SSL VPN gateway interface queue to become full, resulting in a DoS condition.

Cisco has confirmed the vulnerability in a security notice and released software updates.

To exploit this vulnerability, an attacker would need to authenticate to the targeted device to send specific DTLS packets to the vulnerable system. This access requirement decreases the likelihood of a successful exploit.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

Affected configurations

Vendor: cisco
Product: ios
Version: any
CPE: cpe:2.3:o:cisco:ios:any:*:*:*:*:*:*:*
