CVE-2020-10136 Overview
CVE-2020-10136 is a protocol-level vulnerability affecting the IP-in-IP encapsulation mechanism as defined in RFC 2003. The vulnerability exists in devices that decapsulate and route IP-in-IP traffic without performing adequate validation on the encapsulated packets. This design flaw enables attackers to leverage network tunneling to bypass access controls, spoof source IP addresses, and cause unexpected routing behavior across enterprise network infrastructure.
The vulnerability is particularly significant because it affects fundamental network infrastructure components including Cisco Nexus switches, UCS systems, and products from multiple vendors implementing the Treck TCP/IP stack. Remote attackers with network access can craft malicious IP-in-IP packets to exploit vulnerable devices without authentication.
Critical Impact
Remote attackers can bypass network access controls, spoof IP addresses, and cause denial of service conditions on affected network infrastructure devices without authentication.
Affected Products
- Cisco NX-OS (multiple versions across 5.x, 6.x, and 7.x branches)
- Cisco Nexus 1000V, 1000VE, 3000, 5000, 6000, 7000, and 9000 Series Switches
- Cisco UCS Manager and UCS 6200/6300 Series Fabric Interconnects
- Cisco Unified Computing System
- Digi Saros
- HP X3220NR Firmware
- Treck TCP/IP Stack
Discovery Timeline
- June 2, 2020 - CVE-2020-10136 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2020-10136
Vulnerability Analysis
This vulnerability stems from a fundamental weakness in the IP-in-IP protocol implementation where devices fail to validate the authenticity and source of encapsulated packets before processing them. The IP-in-IP protocol (RFC 2003) allows IPv4 packets to be encapsulated within other IPv4 packets, creating tunnels for routing traffic across networks.
When a vulnerable device receives an IP-in-IP packet, it decapsulates the inner packet and routes it according to the inner packet's destination address. The flaw lies in the lack of verification that the outer packet originated from a legitimate tunnel endpoint. This allows attackers to inject packets that appear to originate from trusted internal sources after decapsulation.
The attack can be leveraged in several ways: bypassing source-based access control lists that inspect only the inner packet headers, spoofing the source of traffic to appear as if it originates from within the network, and routing traffic to unexpected destinations by manipulating how packets traverse network boundaries.
Root Cause
The root cause is classified under CWE-290 (Authentication Bypass by Spoofing). The IP-in-IP protocol specification in RFC 2003 does not mandate validation mechanisms to verify that encapsulated packets originate from authorized tunnel endpoints. Devices implementing this specification without additional source verification inherit this design weakness, allowing unauthenticated remote attackers to inject arbitrary encapsulated traffic.
Affected devices accept IP-in-IP packets from any source and process the encapsulated payload without confirming the legitimacy of the tunnel relationship. This architectural gap enables attackers to construct packets that bypass perimeter defenses and access controls designed to filter traffic based on source addresses.
Attack Vector
An attacker with network access can exploit this vulnerability by sending specially crafted IP-in-IP encapsulated packets to a vulnerable device. The attack does not require authentication or user interaction, making it exploitable remotely across network boundaries.
The attack flow involves the attacker constructing an IP-in-IP packet where the outer header contains a valid destination (the vulnerable device) and the inner header contains a spoofed source address (appearing to be from a trusted internal host). When the vulnerable device decapsulates this packet, it processes and routes the inner packet as if it legitimately originated from the spoofed source. This can be used to bypass firewall rules, access-control lists, or intrusion detection systems that trust traffic from specific source ranges.
Detection Methods for CVE-2020-10136
Indicators of Compromise
- Unexpected IP-in-IP (protocol 4) traffic arriving from external network segments
- Traffic patterns showing internal source addresses originating from external interfaces
- Access control list violations that correlate with encapsulated traffic flows
- Anomalous routing behavior or traffic appearing on unexpected network segments
Detection Strategies
- Implement deep packet inspection rules to analyze IP-in-IP encapsulated traffic and validate source consistency between outer and inner headers
- Configure network monitoring to alert on IP protocol 4 (IP-in-IP) traffic from unexpected sources or interfaces
- Deploy intrusion detection signatures that identify IP-in-IP packets with mismatched or suspicious source address combinations
- Monitor for access control bypass patterns where blocked sources appear to circumvent filtering rules
Monitoring Recommendations
- Enable logging for IP-in-IP protocol traffic at network boundaries and critical infrastructure devices
- Configure SIEM rules to correlate decapsulated traffic with source validation failures
- Implement NetFlow or sFlow analysis to track IP-in-IP tunnel usage and identify unauthorized tunnel endpoints
- Review network device logs for evidence of spoofed traffic or unexpected decapsulation events
How to Mitigate CVE-2020-10136
Immediate Actions Required
- Apply vendor-provided firmware updates addressing CVE-2020-10136 on all affected Cisco NX-OS devices
- Review and harden access control lists to filter IP-in-IP traffic at network boundaries
- Disable IP-in-IP decapsulation on devices where this feature is not operationally required
- Implement strict source validation for any legitimate IP-in-IP tunnels in use
Patch Information
Cisco has released security updates addressing this vulnerability in NX-OS. Organizations should consult the Cisco Security Advisory for specific fixed software versions and upgrade guidance. For devices using the Treck TCP/IP stack, contact the respective vendor for patching information. HP and Digi customers should reference their vendor's security resources for applicable updates.
The CERT Coordination Center has published vulnerability notes VU#636397 and VU#199397 providing additional guidance on affected products and mitigations.
Workarounds
- Configure infrastructure access control lists (iACLs) to drop IP-in-IP packets (IP protocol 4) at network ingress points where tunneling is not required
- Implement strict reverse path forwarding (uRPF) checks to validate source addresses of decapsulated packets
- Segment network infrastructure to limit the exposure of devices that must support IP-in-IP functionality
- Deploy network-based intrusion prevention systems with signatures to block malicious IP-in-IP exploitation attempts
# Example Cisco NX-OS ACL to block IP-in-IP at perimeter
# Apply to ingress interfaces facing untrusted networks
ip access-list BLOCK-IPIP-INGRESS
10 deny 4 any any log
20 permit ip any any
interface Ethernet1/1
ip access-group BLOCK-IPIP-INGRESS in
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
