Cisco has disclosed a high severity Denial of Service (DoS) vulnerability in the handling of MPLS encapsulated IPv6 traffic in Cisco NX-OS Software that could allow an unauthenticated, remote attacker to cause a DoS condition on affected devices. The vulnerability tracked as CVE-2024-20267 has a CVSS score of 8.6 out of 10. This flaw exists due to lack of proper error checking when processing an ingress MPLS frame with an encapsulated crafted IPv6 packet, allowing an attacker to exploit it by sending such specially crafted packets to an MPLS-enabled interface of the targeted device. A successful exploit could cause the netstack process to unexpectedly restart, which could cause the device to stop processing network traffic or to reload, leading to a DoS condition in the network. Given the severity of this vulnerability, it is crucial for organizations to fix the CVE-2024-20267 flaw. In this blog post, we will discuss how to remediate this DoS vulnerability in the handling of MPLS encapsulated IPv6 traffic in Cisco NX-OS.
Cisco NX-OS is a data center-class operating system built for maximum scalability and application availability. It powers the industry-leading Cisco Nexus series switches. Some key features of NX-OS include:
Modular architecture for high availability
Comprehensive virtualization capabilities
Robust security and identity management
Automation and programmability with open APIs
Support for standard protocols like BGP, OSPF, ISIS, etc.
NX-OS provides the foundation for building scalable, secure and automated next-generation data center networks. For more details, refer to the Cisco NX-OS overview.
CVE ID: CVE-2024-20267
Description: A vulnerability in the handling of MPLS encapsulated IPv6 traffic in Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
CVSS Score: Base 8.6
CVSS Vector: Not provided in the advisory
CVE-2024-20267 is a Denial of Service (DoS) vulnerability in the handling of MPLS encapsulated IPv6 traffic in Cisco NX-OS Software, which is the network operating system for Cisco Nexus data center switches. This flaw stems from the lack of proper error checking when processing an ingress MPLS frame with an encapsulated crafted IPv6 packet.
The vulnerability could allow an unauthenticated, remote attacker to exploit this issue by sending a crafted IPv6 packet encapsulated within an MPLS frame to an MPLS-enabled interface of the targeted device. Successful exploitation of this vulnerability could cause the netstack process to unexpectedly restart, which could cause the device to stop processing network traffic or to reload, leading to a DoS condition.
To exploit this flaw, the attacker must meet the following conditions:
The affected device must be running a vulnerable version of Cisco NX-OS Software.
The device must have MPLS configured and be using MPLS on at least one interface.
It's important to note that the attacker can generate the crafted IPv6 packet multiple hops away from the targeted device and then encapsulate it within MPLS. The DoS condition may occur when the NX-OS device processes the packet.
The Cisco security advisory states that the Denial of Service vulnerability (CVE-2024-20267) affects the following Cisco products if they are running a vulnerable release of Cisco NX-OS Software and have MPLS configured:
Nexus 3000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 9000 Series Switches in standalone NX-OS mode
To determine if a device is configured for MPLS, the advisory recommends using the "show mpls interface detail" CLI command. If the output includes "MPLS operational", the device is vulnerable.
Cisco has confirmed that this vulnerability does not affect the following products:
Firepower 1000, 2100, 4100, 9300 Series
MDS 9000 Series Multilayer Switches
Nexus 1000 Virtual Edge for VMware vSphere
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 9000 Series Fabric Switches in ACI mode
Secure Firewall 3100, 4200 Series
UCS 6200, 6300, 6400, 6500 Series Fabric Interconnects
Unlike the CVE-2024-20321 advisory, this advisory does not list specific product IDs. Instead, it lists the affected product families and provides guidance on determining whether MPLS is configured, which is the condition that makes a device in those families vulnerable.
To determine if your Cisco Nexus device is vulnerable to CVE-2024-20267, you need to verify the following:
Check if the device is running an affected version of Cisco NX-OS Software.
Confirm if the device has MPLS configured and is using MPLS on at least one interface.
Use this command on the Cisco NX-OS Software CLI to verify the MPLS configuration:
nxos-switch# show mpls interface detail
If the output includes "MPLS operational" for any interface, the device is potentially vulnerable to CVE-2024-20267. Here's an example of output indicating vulnerability:
Interface Ethernet1/4/1:
ldp enabled
MPLS operational
Label space id 0x10000001
MPLS sub-layer Ethernet1/4/1-mpls layer(0x26000001)
If the "show mpls interface detail" command is not valid on the device, it can be considered not vulnerable.
Additionally, you can use the "show install active" command to display the active software packages on the device. This information can be compared to the list of affected software versions provided in the Cisco security advisory to determine if your device is running a vulnerable version of NX-OS.
The advisory states that this vulnerability affects Nexus 3000, 5500, 5600, 6000, 7000, and 9000 series switches in standalone NX-OS mode if they have a vulnerable NX-OS version and MPLS configured. Nexus 9000 series switches in ACI mode are not impacted.
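As an added example (not from the Cisco advisory or the original post), the Python helper below automates the two checks described above: it parses "show mpls interface detail" output for interfaces that report "MPLS operational" and looks for one of the advisory's SMU packages in "show install active" output. The sample outputs are constructed, the "show install active" layout is an assumption (only the package name is matched), and a device on a release outside the SMU table still has to be compared against the advisory's fixed-release list.

```python
import re

# Constructed sample output of "show mpls interface detail" (not captured from a real device).
MPLS_DETAIL = """\
Interface Ethernet1/4/1:
    ldp enabled
    MPLS operational
    Label space id 0x10000001
    MPLS sub-layer Ethernet1/4/1-mpls layer(0x26000001)
Interface Ethernet1/4/2:
    ldp disabled
    MPLS not operational
"""
# Constructed "show install active" samples; the real layout may differ, only the
# package name is matched below.
INSTALL_ACTIVE_PATCHED = "Active Packages:\n  nxos.CSCwh42690-n9k_ALL-1.0.0-9.3.12.lib32_n9000\n"
INSTALL_ACTIVE_UNPATCHED = "Active Packages:\n"

# SMU names from the advisory table, keyed by NX-OS release.
SMU_BY_RELEASE = {
    "9.3(12)": ["nxos.CSCwh42690-n9k_ALL-1.0.0-9.3.12.lib32_n9000.rpm"],
    "10.2(6)": ["nxos64-cs.CSCwh42690-1.0.0-10.2.6.lib32_64_n9000.rpm",
                "nxos64-msll.CSCwh42690-1.0.0-10.2.6.lib32_64_n9000.rpm"],
}

def mpls_operational_interfaces(show_output):
    """Interfaces whose block has a line reading exactly 'MPLS operational' ('not operational' is skipped)."""
    found, current = [], None
    for line in show_output.splitlines():
        header = re.match(r"^Interface (\S+):", line)
        if header:
            current = header.group(1)
        elif current and re.fullmatch(r"\s*MPLS operational\s*", line):
            found.append(current)
    return found

def smu_present(install_active_output, release):
    """True if an SMU listed for this release is an active package (name checked without .rpm)."""
    return any(n.removesuffix(".rpm") in install_active_output for n in SMU_BY_RELEASE.get(release, []))

def assess(release, mpls_output, install_active_output):
    """Triage per the advisory: unsupported command or no operational MPLS interface -> 'not exposed';
    exposed with the SMU active -> 'patched'; otherwise 'vulnerable' (needs the SMU or a fixed release)."""
    if mpls_output is None or not mpls_operational_interfaces(mpls_output):
        return "not exposed"   # None models "show mpls interface detail" being an invalid command
    return "patched" if smu_present(install_active_output, release) else "vulnerable"

if __name__ == "__main__":
    print(mpls_operational_interfaces(MPLS_DETAIL), assess("9.3(12)", MPLS_DETAIL, INSTALL_ACTIVE_UNPATCHED))
```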
The Cisco Software Checker is a valuable web-based tool that helps organizations identify which Cisco Security Advisories may apply to their specific software releases. This utility enables users to input a particular software version and returns a list of advisories associated with that release, along with information on the earliest releases that contain fixes for the identified vulnerabilities.
By using the Cisco Software Checker, organizations can quickly determine their exposure to known vulnerabilities in their installed base of Cisco products. This information is crucial for prioritizing patching efforts and ensuring that the necessary software updates are promptly applied to mitigate security risks.
To use the tool, simply navigate to the Cisco Software Checker page and enter the software release you wish to check. You can either select the product family and release from the drop-down menus or input the output of the show version command from your Cisco device. The tool will then generate a report listing the relevant security advisories, the affected software versions, and the earliest fixed releases.
It's important to note that the Cisco Software Checker only provides information on vulnerabilities that have been publicly disclosed through Cisco Security Advisories. It may not include details on internally found issues or those reported through other channels. Therefore, while the tool is an essential resource for managing Cisco software vulnerabilities, it should be used in conjunction with other vulnerability management practices and regular software maintenance processes.
In the context of CVE-2024-20267, the Cisco Software Checker can be used to quickly identify if a particular Cisco NX-OS software version is affected by this high severity DoS vulnerability in the MPLS implementation. By proactively checking their software releases, organizations can take swift action to address this security flaw and protect their networks from potential exploitation.
To address the CVE-2024-20267 vulnerability, Cisco has released free software updates for affected products. Organizations with active service contracts that entitle them to regular software updates should obtain the fixes through their usual software update channels. It is important to note that customers may only install and expect support for software versions and feature sets for which they have purchased a license.
Cisco has made Software Maintenance Upgrades (SMUs) available for some affected products:
| Cisco NX-OS Software Release | Platform | SMU Name |
|---|---|---|
| 9.3(12) | Nexus 3000 and 9000 Series Switches | nxos.CSCwh42690-n9k_ALL-1.0.0-9.3.12.lib32_n9000.rpm |
| 10.2(6) | Nexus 3000 and 9000 Series Switches | nxos64-cs.CSCwh42690-1.0.0-10.2.6.lib32_64_n9000.rpm and nxos64-msll.CSCwh42690-1.0.0-10.2.6.lib32_64_n9000.rpm |
An SMU is a package that can be installed on a system without requiring a full image upgrade, allowing for a quicker and less disruptive deployment of the necessary security fixes.
To install an SMU and fix the DoS Vulnerability in the MPLS encapsulated IPv6 handling of Cisco NX-OS, follow these steps:
Download the appropriate SMU package for your affected device and software version from the Software Download page on Cisco.com.
Use the install add command to add the SMU package to the device.
Activate the SMU package using the install activate command.
Verify the successful activation of the SMU package using the show install active command.
Commit the changes to make the SMU package persistent across device reloads using the install commit command.
For detailed instructions on performing Software Maintenance Upgrades on your specific Cisco NX-OS device, refer to the Performing Software Maintenance Upgrades section of the appropriate configuration guide.
It is crucial to note that there are no workarounds available for CVE-2024-20267. Therefore, it is strongly recommended that organizations upgrade their vulnerable devices to a fixed software release or install the necessary SMUs as soon as possible to mitigate the risk posed by this high severity vulnerability.
Remember to regularly monitor Cisco Security Advisories and use the Cisco Software Checker to stay informed about newly disclosed vulnerabilities and available software fixes. Maintaining a proactive approach to vulnerability management is essential for ensuring the security and reliability of your Cisco NX-OS-based network infrastructure.
We hope this post helps you know how to fix CVE-2024-20267 - A high severity DoS Vulnerability in MPLS Encapsulated IPv6 handling of Cisco NX-OS. Thanks for reading this post.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.