CVE-2022-20308
NixOS vulnerability analysis and mitigation

Overview

Multiple vulnerabilities in the Internet Key Exchange version 1 (IKEv1) fragmentation feature of Cisco IOS Software and Cisco IOS XE Software were discovered, with CVE-2022-20308 being a heap underflow vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability affects Cisco products running vulnerable releases of Cisco IOS or IOS XE Software where IKEv1 fragmentation is enabled and any type of VPN based on IKEv1 is configured (Cisco Advisory).

Technical details

The vulnerability exists because crafted, fragmented IKEv1 packets are not properly reassembled in the system. The issue can be triggered by both IPv4 and IPv6 traffic, but only traffic directed to the affected system can be used to exploit this vulnerability. The vulnerability has been assigned a CVSS Base Score of 8.6 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H (Cisco Advisory).

Impact

Successful exploitation of this vulnerability could allow an attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition. This could significantly impact network availability and operations of affected Cisco devices (Cisco Advisory).

Mitigation and workarounds

Cisco has provided a workaround to address this vulnerability by disabling IKEv1 fragmentation. This can be accomplished using the following commands: 'configure terminal', 'no crypto isakmp fragmentation', and 'end'. Additionally, Cisco has released software updates that address the vulnerability. Customers with service contracts can obtain security fixes through their usual update channels (Cisco Advisory).
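
To find devices that still need the workaround, saved running configurations can be checked offline. The script below is an added example, not code from Cisco or from the original report. It assumes that a top-level `crypto isakmp fragmentation` line means the feature is enabled, and it uses `crypto isakmp policy`, `key` and `profile` lines as a heuristic for IKEv1 being configured; the sample configurations are constructed.

```python
import re

# Constructed sample running-configs (not taken from any real device).
SAMPLE_CONFIGS = {
    "edge-rtr-1": "hostname edge-rtr-1\ncrypto isakmp policy 10\n encryption aes 256\n"
                  "crypto isakmp key EXAMPLE address 192.0.2.10\ncrypto isakmp fragmentation\n",
    "edge-rtr-2": "hostname edge-rtr-2\ncrypto isakmp policy 10\n encryption aes 256\n"
                  "no crypto isakmp fragmentation\n",
    "edge-rtr-3": "hostname edge-rtr-3\ncrypto isakmp fragmentation\n",
    "core-sw-1": "hostname core-sw-1\ninterface Vlan10\n ip address 192.0.2.1 255.255.255.0\n",
}

# Assumption: a top-level line with exactly this command means fragmentation is on.
FRAG_ON = re.compile(r"^crypto isakmp fragmentation\s*$")
# Assumption (heuristic): these top-level commands indicate IKEv1 is configured.
IKEV1_HINT = re.compile(r"^crypto isakmp (policy|key|profile)\b")


def audit_config(text):
    """Classify one saved running-config against the advisory's two conditions."""
    frag_on = ikev1 = False
    for line in text.splitlines():
        if FRAG_ON.match(line):
            frag_on = True
        elif IKEV1_HINT.match(line):
            ikev1 = True
    if not frag_on:
        return "fragmentation-off"      # workaround state, or never enabled
    # Fragmentation is on: exposed if IKEv1 is visibly configured, otherwise
    # flag for manual review because the heuristic may miss other IKEv1 setups.
    return "exposed" if ikev1 else "review"


def audit_fleet(configs):
    """Return {hostname: status} for a mapping of hostname -> config text."""
    return {host: audit_config(cfg) for host, cfg in configs.items()}


if __name__ == "__main__":
    for host, status in sorted(audit_fleet(SAMPLE_CONFIGS).items()):
        print(f"{host:12} {status}")
```

Devices reported as `exposed` or `review` are the candidates for the workaround or a software update.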

This report was generated using AI.
