How to Fix CVE-2024-20267 – A High Severity DoS Vulnerability in MPLS Encapsulated IPv6 Handling of Cisco NX-OS?

Cisco has disclosed a high severity Denial of Service (DoS) vulnerability in the handling of MPLS encapsulated IPv6 traffic in Cisco NX-OS Software that could allow an unauthenticated, remote attacker to cause a DoS condition on affected devices. The vulnerability tracked as CVE-2024-20267 has a CVSS score of 8.6 out of 10. This flaw exists due to lack of proper error checking when processing an ingress MPLS frame with an encapsulated crafted IPv6 packet, allowing an attacker to exploit it by sending such specially crafted packets to an MPLS-enabled interface of the targeted device. A successful exploit could cause the netstack process to unexpectedly restart, which could cause the device to stop processing network traffic or to reload, leading to a DoS condition in the network. Given the severity of this vulnerability, it is crucial for organizations to fix the CVE-2024-20267 flaw. In this blog post, we will discuss how to remediate this DoS vulnerability in the handling of MPLS encapsulated IPv6 traffic in Cisco NX-OS.

A Short Introduction to Cisco NX-OS Software

Cisco NX-OS is a data center-class operating system built for maximum scalability and application availability. It powers the industry-leading Cisco Nexus series switches. Some key features of NX-OS include:

  • Modular architecture for high availability

  • Comprehensive virtualization capabilities

  • Robust security and identity management

  • Automation and programmability with open APIs

  • Support for standard protocols like BGP, OSPF, ISIS, etc.

NX-OS provides the foundation for building scalable, secure and automated next-generation data center networks. For more details, refer to the Cisco NX-OS overview.

Summary of CVE-2024-20267

  • CVE ID: CVE-2024-20267

  • Description: A vulnerability in the handling of MPLS encapsulated IPv6 traffic in Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

  • CVSS Score: Base 8.6

  • CVSS Vector: Not provided in the advisory

CVE-2024-20267 is a Denial of Service (DoS) vulnerability in the handling of MPLS encapsulated IPv6 traffic in Cisco NX-OS Software, which is the network operating system for Cisco Nexus data center switches. This flaw stems from the lack of proper error checking when processing an ingress MPLS frame with an encapsulated crafted IPv6 packet.

The vulnerability could allow an unauthenticated, remote attacker to exploit this issue by sending a crafted IPv6 packet encapsulated within an MPLS frame to an MPLS-enabled interface of the targeted device. Successful exploitation of this vulnerability could cause the netstack process to unexpectedly restart, which could cause the device to stop processing network traffic or to reload, leading to a DoS condition.


To exploit this flaw, the attacker must meet the following conditions:

  1. The affected device must be running a vulnerable version of Cisco NX-OS Software.

  2. The device must have MPLS configured and be using MPLS on at least one interface.

It’s important to note that the attacker can generate the crafted IPv6 packet multiple hops away from the targeted device and then encapsulate it within MPLS. The DoS condition may occur when the NX-OS device processes the packet.

Products Affected by CVE-2024-20267

The Cisco security advisory states that the Denial of Service vulnerability (CVE-2024-20267) affects the following Cisco products if they are running a vulnerable release of Cisco NX-OS Software and have MPLS configured:

  • Nexus 3000 Series Switches

  • Nexus 5500 Platform Switches

  • Nexus 5600 Platform Switches

  • Nexus 6000 Series Switches

  • Nexus 7000 Series Switches

  • Nexus 9000 Series Switches in standalone NX-OS mode

To determine if a device is configured for MPLS, the advisory recommends using the “show mpls interface detail” CLI command. If the output includes “MPLS operational”, the device is vulnerable.

Cisco has confirmed that this vulnerability does not affect the following products:

  • Firepower 1000, 2100, 4100, 9300 Series

  • MDS 9000 Series Multilayer Switches

  • Nexus 1000 Virtual Edge for VMware vSphere

  • Nexus 1000V Switch for Microsoft Hyper-V

  • Nexus 1000V Switch for VMware vSphere

  • Nexus 9000 Series Fabric Switches in ACI mode

  • Secure Firewall 3100, 4200 Series

  • UCS 6200, 6300, 6400, 6500 Series Fabric Interconnects

The advisory does not list specific product IDs. Instead, it lists affected product families and provides guidance on determining whether MPLS is configured, since an MPLS configuration on a vulnerable release is what makes a device vulnerable.

How To Check If Your Cisco Nexus Switches Are Vulnerable To CVE-2024-20267?

To determine if your Cisco Nexus device is vulnerable to CVE-2024-20267, you need to verify the following:

  1. Check if the device is running an affected version of Cisco NX-OS Software.

  2. Confirm if the device has MPLS configured and is using MPLS on at least one interface.

  3. Use this command on the Cisco NX-OS Software CLI to verify the MPLS configuration:

    nxos-switch# show mpls interface detail

    If the output includes “MPLS operational” for any interface, the device is potentially vulnerable to CVE-2024-20267. Here’s an example of output indicating vulnerability:

    Interface Ethernet1/4/1:
      ldp enabled
      MPLS operational
      Label space id 0x10000001
      MPLS sub-layer Ethernet1/4/1-mpls layer(0x26000001)

    If the “show mpls interface detail” command is not valid on the device, it can be considered not vulnerable.

Additionally, you can use the “show install active” command to display the active software packages on the device. This information can be compared to the list of affected software versions provided in the Cisco security advisory to determine if your device is running a vulnerable version of NX-OS.

The advisory states that this vulnerability affects Nexus 3000, 5500, 5600, 6000, 7000, and 9000 series switches in standalone NX-OS mode if they have a vulnerable NX-OS version and MPLS configured. Nexus 9000 series switches in ACI mode are not impacted.
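As an added example (not from the article or from Cisco), a small Python checker that applies the two conditions above to captured CLI output: it parses “show mpls interface detail” for interfaces reporting exactly “MPLS operational” (ignoring “MPLS not operational” and a rejected command) and scans “show install active” for a package carrying the CSCwh42690 bug ID used in the advisory's SMU names. The sample outputs are constructed from the article's excerpt and SMU names; the affected-release list is not on this page, so the release itself still has to be compared against the advisory by hand.

```python
import re
from typing import List

# Constructed sample, modelled on the "show mpls interface detail" excerpt in
# the article (second interface added); not captured from a real device.
SAMPLE_MPLS_DETAIL = """\
Interface Ethernet1/4/1:
  ldp enabled
  MPLS operational
  Label space id 0x10000001
  MPLS sub-layer Ethernet1/4/1-mpls layer(0x26000001)
Interface Ethernet1/4/2:
  ldp enabled
  MPLS not operational
"""
# Constructed "show install active" sample: the package is the 9.3(12) SMU
# from the advisory table; the surrounding layout is assumed.
SAMPLE_INSTALL_ACTIVE = "Active Packages:\n        nxos.CSCwh42690-n9k_ALL-1.0.0-9.3.12.lib32_n9000.rpm\n"
SMU_BUG_ID = "CSCwh42690"  # Cisco bug ID carried in every SMU name in the table

def mpls_operational_interfaces(show_mpls_detail: str) -> List[str]:
    """Interfaces whose block contains an exact 'MPLS operational' line.
    A reply starting with '%' is assumed to be the CLI rejecting the command,
    which the advisory treats as not vulnerable, so nothing is returned."""
    if show_mpls_detail.lstrip().startswith("%"):
        return []
    found, current = [], None
    for line in show_mpls_detail.splitlines():
        m = re.match(r"Interface (\S+):", line)
        if m:
            current = m.group(1)
        elif current and line.strip() == "MPLS operational":  # excludes "not operational"
            found.append(current)
    return found

def smu_active(show_install_active: str) -> bool:
    """True if any active package name carries the CSCwh42690 bug ID."""
    return any(SMU_BUG_ID in line for line in show_install_active.splitlines())

def assess(show_mpls_detail: str, show_install_active: str) -> str:
    """Combine the advisory's two conditions into one verdict string."""
    ifaces = mpls_operational_interfaces(show_mpls_detail)
    if not ifaces:
        return "not exposed: no interface reports MPLS operational"
    where = ", ".join(ifaces)
    if smu_active(show_install_active):
        return "mitigated: CSCwh42690 SMU active; MPLS operational on " + where
    return ("possibly exposed: MPLS operational on " + where
            + "; no CSCwh42690 SMU active, compare the release against the advisory")
```

Feed it the real command output captured from a switch; a device already on a fixed release will still be reported as “possibly exposed” because the script cannot see the advisory's release table.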

Cisco Software Checker Utility

The Cisco Software Checker is a valuable web-based tool that helps organizations identify which Cisco Security Advisories may apply to their specific software releases. This utility enables users to input a particular software version and returns a list of advisories associated with that release, along with information on the earliest releases that contain fixes for the identified vulnerabilities.

By using the Cisco Software Checker, organizations can quickly determine their exposure to known vulnerabilities in their installed base of Cisco products. This information is crucial for prioritizing patching efforts and ensuring that the necessary software updates are promptly applied to mitigate security risks.

To use the tool, simply navigate to the Cisco Software Checker page and enter the software release you wish to check. You can either select the product family and release from the drop-down menus or input the output of the show version command from your Cisco device. The tool will then generate a report listing the relevant security advisories, the affected software versions, and the earliest fixed releases.

It’s important to note that the Cisco Software Checker only provides information on vulnerabilities that have been publicly disclosed through Cisco Security Advisories. It may not include details on internally found issues or those reported through other channels. Therefore, while the tool is an essential resource for managing Cisco software vulnerabilities, it should be used in conjunction with other vulnerability management practices and regular software maintenance processes.

Figure: Screenshot of the Cisco Software Checker tool displaying a list of security advisories for Cisco Nexus 3000 Series Switches software releases.

In the context of CVE-2024-20267, the Cisco Software Checker can be used to quickly identify if a particular Cisco NX-OS software version is affected by this high severity DoS vulnerability in the MPLS implementation. By proactively checking their software releases, organizations can take swift action to address this security flaw and protect their networks from potential exploitation.

How to Fix CVE-2024-20267 – A High Severity DoS Vulnerability in MPLS Encapsulated IPv6 Handling of Cisco NX-OS?

To address the CVE-2024-20267 vulnerability, Cisco has released free software updates for affected products. Organizations with active service contracts that entitle them to regular software updates should obtain the fixes through their usual software update channels. It is important to note that customers may only install and expect support for software versions and feature sets for which they have purchased a license.

Cisco has made Software Maintenance Upgrades (SMUs) available for some affected products (Cisco NX-OS Software release, platform, SMU name):

  • 9.3(12), Nexus 3000 and 9000 Series Switches: nxos.CSCwh42690-n9k_ALL-1.0.0-9.3.12.lib32_n9000.rpm

  • 10.2(6), Nexus 3000 and 9000 Series Switches: nxos64-cs.CSCwh42690-1.0.0-10.2.6.lib32_64_n9000.rpm and nxos64-msll.CSCwh42690-1.0.0-10.2.6.lib32_64_n9000.rpm

An SMU is a package that can be installed on a system without requiring a full image upgrade, allowing for a quicker and less disruptive deployment of the necessary security fixes.

To install an SMU and fix the DoS Vulnerability in the MPLS encapsulated IPv6 handling of Cisco NX-OS, follow these steps:

  1. Download the appropriate SMU package for your affected device and software version from the Software Download page on Cisco.com.

  2. Use the install add command to add the SMU package to the device.

  3. Activate the SMU package using the install activate command.

  4. Verify the successful activation of the SMU package using the show install active command.

  5. Commit the changes to make the SMU package persistent across device reloads using the install commit command.

For detailed instructions on performing Software Maintenance Upgrades on your specific Cisco NX-OS device, refer to the Performing Software Maintenance Upgrades section of the appropriate configuration guide.
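An added example, not from the article or from Cisco: steps 2 to 5 above driven through a send callback, with the activation verified from “show install active” before “install commit” is issued, exercised offline against a constructed fake switch. The send callback, the exact argument syntax of install add/activate, and the FakeSwitch are assumptions.

```python
from typing import Callable, List

def apply_smu(send: Callable[[str], str], smu: str) -> List[str]:
    """Issue the article's SMU steps 2-5 in order, committing only after
    'show install active' lists the package; returns the commands sent.

    `send` is assumed to run one NX-OS CLI command and return its output
    (for example a thin wrapper around a Netmiko session). The argument
    syntax for install add/activate follows the article's step list and is
    not verified against a platform configuration guide."""
    issued: List[str] = []
    def run(cmd: str) -> str:
        issued.append(cmd)
        return send(cmd)
    run(f"install add {smu}")          # step 2: add the package to the device
    run(f"install activate {smu}")     # step 3: activate it
    if smu not in run("show install active"):  # step 4: verify before committing
        return issued                  # not committed, so not persisted across reloads
    run("install commit")              # step 5: make it persistent across reloads
    return issued

class FakeSwitch:
    """Constructed stand-in for a device, used only for an offline dry run."""
    def __init__(self, activation_works: bool = True) -> None:
        self.activation_works = activation_works
        self.active: List[str] = []
    def send(self, cmd: str) -> str:
        if cmd.startswith("install activate ") and self.activation_works:
            self.active.append(cmd.split(" ", 2)[2])
        if cmd == "show install active":
            return "Active Packages:\n" + "".join(f"        {p}\n" for p in self.active)
        return ""

SMU_9312 = "nxos.CSCwh42690-n9k_ALL-1.0.0-9.3.12.lib32_n9000.rpm"  # from the advisory table
```

Swap FakeSwitch.send for a function that talks to the real device once the dry run behaves as expected.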

It is crucial to note that there are no workarounds available for CVE-2024-20267. Therefore, it is strongly recommended that organizations upgrade their vulnerable devices to a fixed software release or install the necessary SMUs as soon as possible to mitigate the risk posed by this high severity vulnerability.

Remember to regularly monitor Cisco Security Advisories and use the Cisco Software Checker to stay informed about newly disclosed vulnerabilities and available software fixes. Maintaining a proactive approach to vulnerability management is essential for ensuring the security and reliability of your Cisco NX-OS-based network infrastructure.
