A serious denial of service (DoS) flaw affected the Cisco NX-OS software that powers Cisco Nexus devices. Cisco patched the vulnerability in its latest software release and urged users to update.
Severe DoS Flaw Affected Cisco NX-OS Software
Cisco recently addressed a high-severity denial of service security flaw affecting NX-OS software. NX-OS is the operating system running on Cisco Nexus data center switches.
According to Cisco’s advisory, the vulnerability affected NX-OS Software’s DHCPv6 relay agent. Identified as CVE-2024-20446, it received a high severity rating and a CVSS score of 8.6.
The flaw appeared “due to improper handling of specific fields in a DHCPv6 RELAY-REPLY message.” A remote attacker could exploit the flaw to trigger a denial of service on the target device by sending maliciously crafted DHCPv6 packets to a device’s IPv6 address without authentication.
Describing how the DoS would trigger, Cisco stated in its advisory,
A successful exploit could allow the attacker to cause the dhcp_snoop process to crash and restart multiple times, causing the affected device to reload and resulting in a DoS condition.
Regarding the affected devices, Cisco mentioned the “Nexus 3000 and 7000 Series Switches and Nexus 9000 Series Switches in standalone NX-OS mode” as vulnerable products. However, the vulnerability only comes into effect when the following conditions are met:
- The device runs Cisco NX-OS Software Release 8.2(11), 9.3(9), or 10.2(1).
- The DHCPv6 relay agent is enabled (it is disabled by default).
- At least one IPv6 address is configured.
Cisco also shared a list of all devices unaffected by this vulnerability in its advisory.
Cisco Patched The Vulnerability With Latest OS Release
The networking giant confirmed that no workarounds exist to address this flaw. As a temporary mitigation, Cisco advises users to disable the DHCPv6 relay agent on their devices with the no ipv6 dhcp relay configuration command at the device CLI.
The full fix ships with the latest NX-OS release, so users should update their devices to a release that carries the patch for this vulnerability.
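The three exposure conditions listed above and the mitigation command translate directly into a triage check an operator can run against collected device output. The script below is an added example, not code from Cisco or from the article: it parses a constructed, abbreviated "show version" and running-config excerpt (the "NXOS: version" line and the "ipv6 dhcp relay" / "ipv6 address" config lines are assumed formats), decides whether all three conditions hold, and names the mitigation from the article when they do. It matches only the three releases the article lists; the complete affected-release list comes from Cisco's advisory for CVE-2024-20446.

```python
import re
from typing import Optional

# Releases the article names as vulnerable. Assumption: exact string match only;
# the authoritative affected-release list is in Cisco's advisory for CVE-2024-20446.
AFFECTED_RELEASES = {"8.2(11)", "9.3(9)", "10.2(1)"}

# Constructed sample of an abbreviated NX-OS "show version" output (not a real capture).
SAMPLE_SHOW_VERSION = """\
Cisco Nexus Operating System (NX-OS) Software
Software
  NXOS: version 9.3(9)
"""

# Constructed sample running-config excerpt: relay agent enabled globally,
# one SVI with an IPv6 address and an interface-level relay destination.
SAMPLE_RUNNING_CONFIG = """\
hostname dc-leaf-01
ipv6 dhcp relay
interface Vlan10
  ipv6 address 2001:db8:10::1/64
  ipv6 dhcp relay address 2001:db8:ffff::5
"""


def parse_nxos_release(show_version: str) -> Optional[str]:
    """Return the release string from the 'NXOS: version X' line, or None."""
    m = re.search(r"^\s*NXOS:\s+version\s+(\S+)", show_version, re.MULTILINE)
    return m.group(1) if m else None


def dhcpv6_relay_enabled(running_config: str) -> bool:
    """True when the global 'ipv6 dhcp relay' line is present.

    A 'no ipv6 dhcp relay' line (the article's mitigation) does not match, and
    neither does an indented interface-level 'ipv6 dhcp relay address ...' line.
    """
    return re.search(r"^ipv6 dhcp relay\s*$", running_config, re.MULTILINE) is not None


def has_ipv6_address(running_config: str) -> bool:
    """True when at least one interface carries an 'ipv6 address' statement."""
    return re.search(r"^\s+ipv6 address\s+\S+", running_config, re.MULTILINE) is not None


def assess(show_version: str, running_config: str) -> dict:
    """Evaluate the three exposure conditions; all must hold for the device to be exposed."""
    release = parse_nxos_release(show_version)
    conditions = {
        "affected_release": release in AFFECTED_RELEASES,
        "dhcpv6_relay_enabled": dhcpv6_relay_enabled(running_config),
        "ipv6_address_configured": has_ipv6_address(running_config),
    }
    exposed = all(conditions.values())
    return {
        "release": release,
        "conditions": conditions,
        "exposed": exposed,
        # Mitigation the article quotes from Cisco; the permanent fix is the patched release.
        "mitigation": "no ipv6 dhcp relay" if exposed else None,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG)
    print(f"release: {result['release']}")
    for name, met in result["conditions"].items():
        print(f"  {name}: {met}")
    print(f"exposed: {result['exposed']}")
    if result["exposed"]:
        print(f"interim mitigation: {result['mitigation']} (then upgrade to the fixed release)")
```

Feed it the real "show version" and "show running-config" text collected from each switch; a device is flagged only when all three conditions hold, which mirrors how the article scopes the flaw, and a config that already contains "no ipv6 dhcp relay" is reported as not exposed.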
Let us know your thoughts in the comments.