{"containers":{"cna":{"title":"IP-in-IP protocol allows a remote, unauthenticated attacker to route arbitrary network traffic","descriptions":[{"lang":"en","value":"IP-in-IP protocol specifies IP Encapsulation within IP standard (RFC 2003, STD 1) that decapsulate and route IP-in-IP traffic is vulnerable to spoofing, access-control bypass and other unexpected behavior due to the lack of validation to verify network packets before decapsulation and routing."}],"affected":[{"vendor":"IETF","product":"RFC2003 - IP Encapsulation within IP","versions":[{"version":"STD 1","status":"affected"}]}],"references":[{"url":"https://kb.cert.org/vuls/id/636397/","name":"VU#636397"},{"url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4"},{"url":"https://www.digi.com/resources/security"},{"url":"https://www.kb.cert.org/vuls/id/636397","name":"VU#636397"},{"url":"https://datatracker.ietf.org/doc/html/rfc6169","name":"Security Concerns with IP Tunneling"}],"credits":[{"lang":"en","value":"Thanks to Yannay Livneh for reporting this issue."}],"datePublic":"2020-06-01T00:00:00.000Z","problemTypes":[{"descriptions":[{"cweId":"CWE-290","description":"CWE-290 Authentication Bypass by Spoofing","lang":"en","type":"CWE"}]}],"solutions":[{"lang":"en","value":"Customers should apply the latest patch provided by the affected vendor that addresses this issue and prevents unspecified IP-in-IP packets from being processed. Devices manufacturers are urged to disable IP-in-IP in their default configuration and require their customers to explicitly configure IP-in-IP as and when needed."}],"source":{"discovery":"EXTERNAL"},"workarounds":[{"lang":"en","value":"Users can block IP-in-IP packets by filtering IP protocol number 4. Note this filtering is for the IPv4 Protocol (or IPv6 Next Header) field value of 4 and not IP protocol version 4 (IPv4)."}],"providerMetadata":{"orgId":"37e5125f-f79b-445b-8fad-9564f167944b","shortName":"certcc","dateUpdated":"2024-06-17T21:10:04.191Z"},"x_generator":{"engine":"cveClient/1.0.15"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://kb.cert.org/vuls/id/636397/","name":"VU#636397","tags":["x_transferred"]},{"url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4","tags":["x_transferred"]},{"url":"https://www.digi.com/resources/security","tags":["x_transferred"]},{"url":"https://www.kb.cert.org/vuls/id/636397","name":"VU#636397","tags":["x_transferred"]},{"url":"https://datatracker.ietf.org/doc/html/rfc6169","name":"Security Concerns with IP Tunneling","tags":["x_transferred"]},{"url":"https://www.kb.cert.org/vuls/id/199397"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T20:33:32.981Z"}}]},"cveMetadata":{"assignerOrgId":"37e5125f-f79b-445b-8fad-9564f167944b","assignerShortName":"certcc","cveId":"CVE-2020-10136","datePublished":"2020-06-02T08:35:12.921Z","dateReserved":"2020-03-05T00:00:00.000Z","dateUpdated":"2025-11-03T20:33:32.981Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"}