How to Fix CVE-2024-20267 - A High Severity DoS Vulnerability in MPLS Encapsulated IPv6 Handling of Cisco NX-OS?

Cisco has disclosed a high severity Denial of Service (DoS) vulnerability in the handling of MPLS encapsulated IPv6 traffic in Cisco NX-OS Software that could allow an unauthenticated, remote attacker to cause a DoS condition on affected devices. The vulnerability tracked as CVE-2024-20267 has a CVSS score of 8.6 out of 10. This flaw exists due to lack of proper error checking when processing an ingress MPLS frame with an encapsulated crafted IPv6 packet, allowing an attacker to exploit it by sending such specially crafted packets to an MPLS-enabled interface of the targeted device. A successful exploit could cause the netstack process to unexpectedly restart, which could cause the device to stop processing network traffic or to reload, leading to a DoS condition in the network. Given the severity of this vulnerability, it is crucial for organizations to fix the CVE-2024-20267 flaw. In this blog post, we will discuss how to remediate this DoS vulnerability in the handling of MPLS encapsulated IPv6 traffic in Cisco NX-OS.

A Short Introduction to Cisco NX-OS Software

Cisco NX-OS is a data center-class operating system built for maximum scalability and application availability. It powers the industry-leading Cisco Nexus series switches. Some key features of NX-OS include:

NX-OS provides the foundation for building scalable, secure and automated next-generation data center networks. For more details, refer to the Cisco NX-OS overview.

Summary of CVE-2024-20267

CVE-2024-20267 is a Denial of Service (DoS) vulnerability in the handling of MPLS encapsulated IPv6 traffic in Cisco NX-OS Software, which is the network operating system for Cisco Nexus data center switches. This flaw stems from the lack of proper error checking when processing an ingress MPLS frame with an encapsulated crafted IPv6 packet.

The vulnerability could allow an unauthenticated, remote attacker to exploit this issue by sending a crafted IPv6 packet encapsulated within an MPLS frame to an MPLS-enabled interface of the targeted device. Successful exploitation of this vulnerability could cause the netstack process to unexpectedly restart, which could cause the device to stop processing network traffic or to reload, leading to a DoS condition.

To exploit this flaw, the attacker must meet the following conditions:

It's important to note that the attacker can generate the crafted IPv6 packet multiple hops away from the targeted device and then encapsulate it within MPLS. The DoS condition may occur when the NX-OS device processes the packet.

Products Affected by CVE-2024-20267

The Cisco security advisory states that the Denial of Service vulnerability (CVE-2024-20267) affects the following Cisco products if they are running a vulnerable release of Cisco NX-OS Software and have MPLS configured:

To determine if a device is configured for MPLS, the advisory recommends using the "show mpls interface detail" CLI command. If the output includes "MPLS operational", the device is vulnerable.

Cisco has confirmed that this vulnerability does not affect the following products:

The advisory does not mention specific product IDs like in the original text about CVE-2024-20321. Instead, it lists affected product families and provides guidance on determining if MPLS is configured, which would make a device vulnerable.

How To Check If Your Cisco Nexus Switches Are Vulnerable To CVE-2024-20267?

To determine if your Cisco Nexus device is vulnerable to CVE-2024-20267, you need to verify the following:

Use this command on the Cisco NX-OS Software CLI to verify the MPLS configuration:

nxos-switch# show mpls interface detail

If the output includes "MPLS operational" for any interface, the device is potentially vulnerable to CVE-2024-20267. Here's an example of output indicating vulnerability:

Interface Ethernet1/4/1:
  ldp enabled
  MPLS operational
  Label space id 0x10000001
  MPLS sub-layer Ethernet1/4/1-mpls layer(0x26000001)

If the "show mpls interface detail" command is not valid on the device, it can be considered not vulnerable.

Additionally, you can use the "show install active" command to display the active software packages on the device. This information can be compared to the list of affected software versions provided in the Cisco security advisory to determine if your device is running a vulnerable version of NX-OS.

The advisory states that this vulnerability affects Nexus 3000, 5500, 5600, 6000, 7000, and 9000 series switches in standalone NX-OS mode if they have a vulnerable NX-OS version and MPLS configured. Nexus 9000 series switches in ACI mode are not impacted.

Cisco Software Checker Utility

The Cisco Software Checker is a valuable web-based tool that helps organizations identify which Cisco Security Advisories may apply to their specific software releases. This utility enables users to input a particular software version and returns a list of advisories associated with that release, along with information on the earliest releases that contain fixes for the identified vulnerabilities.

By using the Cisco Software Checker, organizations can quickly determine their exposure to known vulnerabilities in their installed base of Cisco products. This information is crucial for prioritizing patching efforts and ensuring that the necessary software updates are promptly applied to mitigate security risks.

To use the tool, simply navigate to the Cisco Software Checker page and enter the software release you wish to check. You can either select the product family and release from the drop-down menus or input the output of the show version command from your Cisco device. The tool will then generate a report listing the relevant security advisories, the affected software versions, and the earliest fixed releases.

It's important to note that the Cisco Software Checker only provides information on vulnerabilities that have been publicly disclosed through Cisco Security Advisories. It may not include details on internally found issues or those reported through other channels. Therefore, while the tool is an essential resource for managing Cisco software vulnerabilities, it should be used in conjunction with other vulnerability management practices and regular software maintenance processes.

In the context of CVE-2024-20267, the Cisco Software Checker can be used to quickly identify if a particular Cisco NX-OS software version is affected by this high severity DoS vulnerability in the MPLS implementation. By proactively checking their software releases, organizations can take swift action to address this security flaw and protect their networks from potential exploitation.

How to Fix CVE-2024-20267 - A High Severity DoS Vulnerability in MPLS Encapsulated IPv6 Handling of Cisco NX-OS?

To address the CVE-2024-20267 vulnerability, Cisco has released free software updates for affected products. Organizations with active service contracts that entitle them to regular software updates should obtain the fixes through their usual software update channels. It is important to note that customers may only install and expect support for software versions and feature sets for which they have purchased a license.

Cisco has made Software Maintenance Upgrades (SMUs) available for some affected products:

An SMU is a package that can be installed on a system without requiring a full image upgrade, allowing for a quicker and less disruptive deployment of the necessary security fixes.

To install an SMU and fix the DoS Vulnerability in the MPLS encapsulated IPv6 handling of Cisco NX-OS, follow these steps:

For detailed instructions on performing Software Maintenance Upgrades on your specific Cisco NX-OS device, refer to the Performing Software Maintenance Upgrades section of the appropriate configuration guide.

It is crucial to note that there are no workarounds available for CVE-2024-20267. Therefore, it is strongly recommended that organizations upgrade their vulnerable devices to a fixed software release or install the necessary SMUs as soon as possible to mitigate the risk posed by this high severity vulnerability.

Remember to regularly monitor Cisco Security Advisories and use the Cisco Software Checker to stay informed about newly disclosed vulnerabilities and available software fixes. Maintaining a proactive approach to vulnerability management is essential for ensuring the security and reliability of your Cisco NX-OS-based network infrastructure.

We hope this post helps you know how to fix CVE-2024-20267 - A high severity DoS Vulnerability in MPLS Encapsulated IPv6 handling of Cisco NX-OS. Thanks for reading this post. Please share this post and help secure the digital world.Visit our website thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr,