How to Fix CVE-2024-20321- A High Severity DoS Vulnerability in eBGP Implementation of Cisco NX-OS?

Cisco has disclosed a high severity Denial of Service (DoS) vulnerability in the External Border Gateway Protocol (eBGP) implementation of Cisco NX-OS Software that could allow an unauthenticated, remote attacker to cause a DoS condition on affected devices. The vulnerability tracked as CVE-2024-20321 has a CVSS score of 8.6 out of 10. This flaw exists because eBGP traffic is mapped to a shared hardware rate-limiter queue, allowing an attacker to exploit it by sending large amounts of specially crafted network traffic through an affected device. A successful exploit could cause eBGP neighbor sessions to be dropped, leading to a DoS condition in the network. Given the severity of this vulnerability, it is crucial for organizations to fix the CVE-2024-20321 flaw. In this blog post, we will discuss how to remediate this DoS vulnerability in the eBGP implementation of Cisco NX-OS.

A Short Introduction to Cisco NX-OS Software

Cisco NX-OS is a data center-class operating system built for maximum scalability and application availability. It powers the industry-leading Cisco Nexus series switches. Some key features of NX-OS include:

  • Modular architecture for high availability

  • Comprehensive virtualization capabilities

  • Robust security and identity management

  • Automation and programmability with open APIs

  • Support for standard protocols like BGP, OSPF, ISIS, etc.

NX-OS provides the foundation for building scalable, secure and automated next-generation data center networks. For more details, refer to the Cisco NX-OS overview.

Summary of CVE-2024-20321

  • CVE ID: CVE-2024-20321

  • Description: A vulnerability in the External Border Gateway Protocol (eBGP) implementation of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device.

  • CVSS Score: Base 8.6

  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVE-2024-20321 is a Denial of Service (DoS) vulnerability in the External Border Gateway Protocol (eBGP) implementation of Cisco NX-OS Software, which is the network operating system for Cisco Nexus data center switches. This flaw stems from the improper handling of eBGP traffic that is mapped to a shared hardware rate-limiter queue.

The vulnerability could allow an unauthenticated, remote attacker to exploit this issue by sending a large volume of crafted network traffic through an affected device. Successful exploitation of this vulnerability could cause the eBGP neighbor sessions to drop, leading to a DoS condition on the targeted device.

To exploit this flaw, the attacker must meet the following conditions:

  1. The affected device must be running a vulnerable version of Cisco NX-OS Software.

  2. The device must have BGP enabled with at least one eBGP neighbor configured.

See also  Defending Against the Deceptive LABRAT Campaign

It’s important to note that the attacker does not need to have direct access to the affected device or the BGP domain. They can potentially trigger the DoS condition by sending the malicious traffic through the network, as long as it passes through an impacted Cisco Nexus switch with the specific configuration.

Products Affected by CVE-2024-20321

The Cisco security advisory states that the Denial of Service vulnerability (CVE-2024-20321) affects the following Cisco Nexus switches if they are running a vulnerable version of Cisco NX-OS Software, have BGP functionality with at least one eBGP neighbor configured with a different Autonomous System (AS) value, and have one of the specified product IDs:

  • Nexus 3600 Platform Switches:

    • N3K-C36180YC-R

    • N3K-C3636C-R

  • Nexus 9500 R-Series Line Cards:

    • N9K-X9624D-R2

    • N9K-X9636C-R

    • N9K-X9636C-RX

    • N9K-X9636Q-R

    • N9K-X96136YC-R

It’s important to note that the list of affected product IDs was accurate at the time of publication. For specific questions about a product ID, it is recommended to contact the Cisco Technical Assistance Center (TAC).

Cisco has confirmed that this vulnerability does not affect other Nexus series switches, such as the Nexus 5000, 6000, and 7000 series, or Nexus 9000 series switches in Application Centric Infrastructure (ACI) mode.

How To Check If Your Cisco Nexus Switches Are Vulnerable To CVE-2024-20321?

To determine if your Cisco Nexus device is vulnerable to CVE-2024-20321, you need to verify the following:

  1. Check if the device is running an affected version of Cisco NX-OS Software.

  2. Confirm if the device has BGP enabled with at least one eBGP neighbor configured.

Use these commands on the Cisco NX-OS Software CLI to verify the BGP configuration:

nxos-switch# show running-config | include "router bgp"
nxos-switch# show running-config | include "neighbor"

If the output shows that BGP is enabled and there is a neighbor with a different Autonomous System (AS) number, the device is potentially vulnerable to CVE-2024-20321.

Additionally, you can use the show install active command to display the active software packages on the device. This information can be compared to the list of affected software versions provided in the Cisco security advisory to determine if your device is running a vulnerable version of NX-OS.

It’s important to note that this vulnerability specifically affects certain Nexus 3600 Platform Switches and Nexus 9500 R-Series Line Cards. Other Nexus series switches, such as the Nexus 7000 Series, are not impacted by CVE-2024-20321.

Cisco Software Checker Utility

The Cisco Software Checker is a valuable web-based tool that helps organizations identify which Cisco Security Advisories may apply to their specific software releases. This utility enables users to input a particular software version and returns a list of advisories associated with that release, along with information on the earliest releases that contain fixes for the identified vulnerabilities.

See also  5 Challenges of Cyber Security in Today’s Business!

By using the Cisco Software Checker, organizations can quickly determine their exposure to known vulnerabilities in their installed base of Cisco products. This information is crucial for prioritizing patching efforts and ensuring that the necessary software updates are promptly applied to mitigate security risks.

To use the tool, simply navigate to the Cisco Software Checker page and enter the software release you wish to check. You can either select the product family and release from the drop-down menus or input the output of the show version command from your Cisco device. The tool will then generate a report listing the relevant security advisories, the affected software versions, and the earliest fixed releases.

It’s important to note that the Cisco Software Checker only provides information on vulnerabilities that have been publicly disclosed through Cisco Security Advisories. It may not include details on internally found issues or those reported through other channels. Therefore, while the tool is an essential resource for managing Cisco software vulnerabilities, it should be used in conjunction with other vulnerability management practices and regular software maintenance processes.

Navigating Cisco software security with a detailed overview of advisories and updates for Nexus 3000 Series Switches.

In the context of CVE-2024-20321, the Cisco Software Checker can be used to quickly identify if a particular Cisco NX-OS software version is affected by this high severity DoS vulnerability in the eBGP implementation. By proactively checking their software releases, organizations can take swift action to address this security flaw and protect their networks from potential exploitation.

How to Fix CVE-2024-20321 – A High Severity DoS Vulnerability in eBGP implementation of Cisco NX-OS?

To address the CVE-2024-20321 vulnerability, Cisco has released free software updates for affected products. Organizations with active service contracts that entitle them to regular software updates should obtain the fixes through their usual software update channels. It is important to note that customers may only install and expect support for software versions and feature sets for which they have purchased a license.

Cisco NX-OS Software Release
Platform
SMU Name
9.3(12)
Nexus 3600 Switches
Nexus 9500 R-Series Line Cards
nxos.CSCwh09703-n9k_ALL-1.0.0-9.3.12.lib32_n9000.rpm
10.2(6)
Nexus 3600 Switches
Nexus 9500 R-Series Line Cards
nxos64-msll.CSCwh09703-1.0.0-10.2.6.lib32_64_n9000.rpm
10.3(4a)
Nexus 9500 R-Series Line Cards1
nxos64-msll.CSCwh96478-1.0.0-10.3.4a.lib32_64_n9000.rpm

Cisco has also made Software Maintenance Upgrades (SMUs) available for some affected products. An SMU is a package that can be installed on a system without requiring a full image upgrade. This allows for a quicker and less disruptive deployment of the necessary security fixes.

See also  How to Start Preparing for CISSP? What Resources Are to be Used for CISSP Preparation?

To install an SMU and fix the DoS Vulnerability in the eBGP implementation of Cisco NX-OS, follow these steps:

  1. Navigate to the Software Download page on Cisco.com and locate the appropriate SMU package for your affected device and software version.

  2. Download the SMU package to your local machine or a network file server accessible to the device.

  3. Use the install add command to add the SMU package to the device. For example:

  4. Activate the SMU package using the install activate command. For example:

  5. Verify the successful activation of the SMU package using the show install active command.

  6. Commit the changes to make the SMU package persistent across device reloads using the install commit command.

For detailed instructions on performing Software Maintenance Upgrades on your specific Cisco NX-OS device, refer to the Performing Software Maintenance Upgrades section of the appropriate configuration guide.

It is crucial to note that there are no workarounds available for CVE-2024-20321. Therefore, it is strongly recommended that organizations upgrade their vulnerable devices to a fixed software release or install the necessary SMUs as soon as possible to mitigate the risk posed by this high severity vulnerability. By promptly addressing this issue, organizations can protect their networks from potential DoS attacks that could disrupt critical services and cause significant operational impact.

Remember to regularly monitor Cisco Security Advisories and use the Cisco Software Checker to stay informed about newly disclosed vulnerabilities and available software fixes. Maintaining a proactive approach to vulnerability management is essential for ensuring the security and reliability of your Cisco NX-OS-based network infrastructure.

Leave a Reply

Your email address will not be published. Required fields are marked *