overview
Two critical vulnerabilities (CVE-2024-20267 and CVE-2024-20321) have been found in Cisco NX-OS Software, impacting various Nexus series switches. These vulnerabilities could potentially lead to denial of service (DoS) attacks if exploited by attackers.
CVE-2024-20321 – CVSS 8.6
This is a NX-OS software external gateway protocol denial of service vulnerability. The flaw affects eBGP implementation, allowing a remote attacker to trigger a DoS condition by flooding the device with network traffic. It stems from eBGP traffic being mapped to a shared hardware rate-limiter queue. Affected products include Nexus 3600 Series Switches and Nexus 9500 R-Series Line Cards.
CVE-2024-20267 - CVSS 8.6
This is a NX-OS software MPLS encapsulated IPv6 denial of service vulnerability. The flaw allows an unauthenticated, remote attacker to cause the netstack process to unexpectedly restart, leading to a device failure or reload. It arises due to improper error checking when processing ingress MPLS frames. Affected products include Nexus 3000 Series, Nexus 5500 Platform, Nexus 5600 Platform, Nexus 6000 Series, Nexus 7000 Series, and Nexus 9000 Series (standalone mode).
Cisco has released software updates addressing both vulnerabilities. Users should apply the updates as soon as possible to mitigate the risk of exploitation.
avertium's recommendationS
CVE-2024-20321
- There are no workarounds for this vulnerability, therefore it is highly recommended that you patch as soon as possible. Please see Cisco’s advisory for further details.
- Cisco’s advisory recommends the following to determine if a Cisco Nexus device is configured with the BGP feature and an eBGP neighbor:
- Use the show running-config | include "router bgp" and show running-config | include "neighbor" commands from the Cisco NX-OS Software CLI and verify that the feature is enabled.
- Product IDs impacted:
- N3K-C36180YC-R
- N3K-C3636C-R
- N9K-X9624D-R2
- N9K-X9636C-R
- N9K-X9636C-RX
- N9K-X9636Q-R
- N9K-X96136YC-R
CVE-2024-20267
- There are no workarounds for this vulnerability, therefore it is highly recommended that you patch as soon as possible. Please see Cisco’s advisory for further details.
- Products impacted:
- Nexus 3000 Series Switches (CSCwh42690)
- Nexus 5500 Platform Switches (CSCva52387)
- Nexus 5600 Platform Switches (CSCva52387)
- Nexus 6000 Series Switches (CSCva52387)
- Nexus 7000 Series Switches (CSCva52387)
- Nexus 9000 Series Switches in standalone NX-OS mode (CSCwh42690)
- Cisco’s advisory states the following to determine if a device is configured for MPLS:
- Use the show mpls interface detail CLI command. If the switch is configured for MPLS and is configured to use MPLS on at least one interface, the output will include MPLS operational.
INDICATORS OF COMPROMISE (IoCs)
At this time, there are no known IoCs associated with CVE-2024-20267 and CVE-2024-20321. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
How Avertium is Protecting Our CUSTOMERS
- Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:
- Risk Assessments
- Pen Testing and Social Engineering
- Infrastructure Architecture and Integration
- Zero Trust Network Architecture
- Vulnerability Management
- We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers.
SUPPORTING DOCUMENTATION