Missing Release of Resource after Effective Lifetime

CVE-2021-1620

High

7.7/10

Summary

A vulnerability in the Internet Key Exchange Version 2 (IKEv2) support for the AutoReconnect feature of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to exhaust the free IP addresses from the assigned local pool. This vulnerability occurs because the code does not release the allocated IP address under certain failure conditions. An attacker could exploit this vulnerability by trying to connect to the device with a non-AnyConnect client. A successful exploit could allow the attacker to exhaust the IP addresses from the assigned local pool, which prevents users from logging in and leads to a denial of service (DoS) condition.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: CHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-772 - Missing Release Of Resource After Effective Lifetime

'Missing release of resource after effective lifetime' is a weakness that occurs when software doesn't sufficiently release a resource (e.g. memory, CPU, disk space, etc.) after it is used. If not addressed, attackers can launch a denial of service attack (by allocating a resource and not releasing it).

References

Advisory Timeline

Published Sep 23, 2021

Missing Release of Resource after Effective Lifetime

CVE-2021-1620

Summary

CWE-772 - Missing Release Of Resource After Effective Lifetime

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS