A flaw was found in the IP-in-IP protocol. An unauthenticated attacker can use the IP-in-IP protocol to route network traffic through a vulnerable device, which can lead to spoofing, access control bypasses, and other unexpected network behaviors.
Statement: IP-in-IP encapsulation is an 'in the clear' tunnel protocol between two hosts. When the module is loaded, the system is in an 'any-to-any' routing state: it will accept any "IP in IP" packets and forward them through the system routing chains. No authentication, encryption or restrictions are created between endpoints by the kernel module. Until a configuration rule is set, any "IP in IP" packets that a remote system can deliver to an unconfigured system with the ipip kernel module loaded will be unwrapped and forwarded. There is a window of opportunity between module loading and configuration that may allow an attacker to abuse this flaw. When a tunnel device is created, it restricts the source and destination of the tunnelled packets; the content of the tunnelled data remains unencrypted and unauthenticated. Red Hat Product Security strongly recommends using authenticated and encrypted tunnels such as IPSec, VPN or libreswan if tunnelling between networks is required.
External References:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_virtual_private_networks
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-setting_and_controlling_ip_sets_using_iptables
Mitigation: Systems that have the IP in IP kernel module loaded will need to unload the "ipip" kernel module and blacklist it to prevent the module from being used until a fix has been provided (see https://access.redhat.com/solutions/41278 for a guide on how to blacklist modules). Take careful consideration that unloading and blacklisting the module may itself create a one-time attack vector window for a local attacker. Consider using an alternative authenticated and encrypted tunnelling protocol until a suitable solution is developed.
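A defender's script for the mitigation above, added here as an example and not part of the Red Hat advisory; it assumes a Linux host with lsmod, modprobe and iptables available, root privileges when APPLY=1 is set, and no legitimate IP-in-IP tunnels that still need the module:

```shell
#!/bin/sh
# Added example (not from the advisory): find out whether ipip is loaded,
# produce the modprobe.d drop-in that keeps it from loading, and apply both
# changes only when explicitly asked to (APPLY=1, as root).

# ipip_loaded: read "lsmod" output on stdin; exit 0 if the ipip module is listed.
ipip_loaded() {
    awk '$1 == "ipip" { found = 1 } END { exit !found }'
}

# blacklist_conf: print the /etc/modprobe.d drop-in. "blacklist" alone only
# stops alias-based autoloading; "install ipip /bin/false" makes every explicit
# or on-demand modprobe of ipip fail, which is what actually closes the window
# between module load and tunnel configuration that the advisory describes.
blacklist_conf() {
    printf 'blacklist ipip\ninstall ipip /bin/false\n'
}

# mitigate: dry-run by default, prints what it would do; APPLY=1 performs it.
mitigate() {
    conf=/etc/modprobe.d/disable-ipip.conf   # file name chosen for this example
    if lsmod | ipip_loaded; then
        echo "ipip is loaded: unloading it (tears down any existing ipip tunnels)"
        # modprobe -r fails while a tunnel device still holds a reference; that
        # is the signal to review the tunnel before forcing the change.
        [ "$APPLY" = 1 ] && modprobe -r ipip
    else
        echo "ipip is not loaded"
    fi
    echo "writing $conf so the module cannot be loaded again"
    [ "$APPLY" = 1 ] && blacklist_conf > "$conf"
    # Defence in depth while the module may still be present: drop inbound
    # IP protocol 4 (IP-in-IP) at the host firewall, as the advisory's
    # iptables reference suggests for unwanted encapsulated traffic.
    echo "adding host firewall rule: iptables -I INPUT -p 4 -j DROP"
    [ "$APPLY" = 1 ] && iptables -I INPUT -p 4 -j DROP
    return 0
}
```

Run it once without APPLY to review the planned changes, then with APPLY=1 as root on a host where no IP-in-IP tunnel is required.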
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10136