Cisco has disclosed a critical vulnerability in its NX-OS software that could allow unauthenticated, remote attackers to cause a denial of service (DoS) condition on affected devices.
The flaw, tracked as CVE-2024-20270, impacts the DHCPv6 relay agent feature in certain versions of Cisco NX-OS Software.
The vulnerability stems from improper handling of specific fields in DHCPv6 RELAY-REPLY messages. An attacker could exploit this by sending a crafted DHCPv6 packet to any IPv6 address configured on a vulnerable device.
If successful, the exploit would cause the dhcp_snoop process to crash and restart multiple times, ultimately forcing the affected device to reload and resulting in a DoS condition.
Affected products include Cisco Nexus 3000 and 7000 Series Switches, as well as Nexus 9000 Series Switches running in standalone NX-OS mode. Specifically, devices running Cisco NX-OS Software Release 8.2(11), 9.3(9), or 10.2(1) with the DHCPv6 relay agent enabled and at least one IPv6 address configured are vulnerable.
Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot
According to the security advisory, Cisco has confirmed that this vulnerability does not affect the following Cisco products:
- Firepower 1000 Series
- Firepower 2100 Series
- Firepower 4100 Series
- Firepower 9300 Security Appliances
- MDS 9000 Series Multilayer Switches
- Nexus 1000 Virtual Edge for VMware vSphere
- Nexus 1000V Switch for VMware vSphere
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 9000 Series Fabric Switches in ACI mode
- Secure Firewall 3100 Series
- Secure Firewall 4200 Series
- UCS 6200 Series Fabric Interconnects
- UCS 6300 Series Fabric Interconnects
- UCS 6400 Series Fabric Interconnects
- UCS 6500 Series Fabric Interconnects
These products are explicitly listed as not vulnerable to the DHCPv6 relay agent denial of service vulnerability described in the advisory.
Cisco has released software updates to address the vulnerability and strongly recommends that customers upgrade to a fixed version as soon as possible. There are currently no workarounds available to mitigate this security flaw fully.
For devices with the DHCP feature enabled, a potential mitigation exists if DHCPv6 relay agent functionality is not required. Administrators can disable the DHCPv6 relay agent using the “no ipv6 dhcp relay” configuration command at the device CLI.
However, Cisco advises customers to evaluate any mitigations in their specific environment before implementation carefully.
The vulnerability was discovered during the resolution of a Cisco Technical Assistance Center (TAC) support case. At the time of disclosure, Cisco’s Product Security Incident Response Team (PSIRT) was not aware of any public announcements or malicious exploitation of this vulnerability.
Organizations using affected Cisco NX-OS devices should prioritize patching to mitigate the risk of potential DoS attacks exploiting this vulnerability.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial