// For flags

CVE-2021-1446

Cisco IOS XE Software DNS NAT Protocol Application Layer Gateway Denial of Service Vulnerability

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

1.6%
*EPSS

Affected Versions

265
*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

A vulnerability in the DNS application layer gateway (ALG) functionality used by Network Address Translation (NAT) in Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability is due to a logic error that occurs when an affected device inspects certain DNS packets. An attacker could exploit this vulnerability by sending crafted DNS packets through an affected device that is performing NAT for DNS packets. A successful exploit could allow an attacker to cause the device to reload, resulting in a denial of service (DoS) condition on an affected device. The vulnerability can be exploited only by traffic that is sent through an affected device via IPv4 packets. The vulnerability cannot be exploited via IPv6 traffic.

Una vulnerabilidad en la funcionalidad DNS application layer gateway (ALG) utilizada por la Network Address Translation (NAT) en el Software Cisco IOS XE, podría permitir a un atacante remoto no autenticado causar la recarga de un dispositivo afectado. La vulnerabilidad es debido a un error lógico que ocurre cuando un dispositivo afectado inspecciona determinados paquetes DNS. Un atacante podría explotar esta vulnerabilidad mediante el envío de paquetes DNS diseñados por medio de un dispositivo afectado que realiza NAT para paquetes DNS. Una explotación con éxito podría permitir a un atacante causar que el dispositivo se recargue, lo que resultaría en una condición de denegación de servicio (DoS) en un dispositivo afectado. La vulnerabilidad solo puede explotarse mediante el tráfico que se envía por medio de un dispositivo afectado mediante paquetes IPv4. La vulnerabilidad no se puede explotar por medio del tráfico IPv6

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
None
Integrity
None
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2020-11-13 CVE Reserved
  • 2021-03-24 CVE Published
  • 2024-11-08 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-754: Improper Check for Unusual or Exceptional Conditions
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions (265)