Cisco fixes a high-severity DoS vulnerability in NX-OS software


A severe denial-of-service (DoS) vulnerability affected the Cisco NX-OS software that runs on Cisco Nexus devices. Cisco has patched the vulnerability in the latest software version and urged users to update.

Severe DoS vulnerability affected Cisco NX-OS software

Cisco recently addressed a very serious denial-of-service security vulnerability affecting NX-OS software. NX-OS is the operating system that runs on Cisco Nexus data center switches.

According to Cisco's advisory, the vulnerability affected the DHCPv6 relay agent of NX-OS Software. Identified as CVE-2024-20446, it was given a high severity rating and a CVSS score of 8.6.

The flaw exists “due to incorrect handling of specific fields in a DHCPv6 RELAY-REPLY message.” A remote, unauthenticated attacker could exploit it to trigger a denial of service on the target device by sending maliciously crafted DHCPv6 packets to any IPv6 address configured on that device.

Cisco described how the DoS would trigger and stated in its advisory:

A successful exploit could allow the attacker to cause the dhcp_snoop process to crash and restart multiple times, causing the affected device to reload and induce a DoS condition.

Regarding the affected devices, Cisco listed the “Nexus 3000 and 7000 Series Switches and Nexus 9000 Series Switches in standalone NX-OS mode” as vulnerable products. However, the vulnerability applies only under the following conditions:

  • Cisco NX-OS Software Release 8.2(11), 9.3(9) or 10.2(1) runs on the devices.
  • DHCPv6 relay agent enabled (disabled by default).
  • At least one IPv6 address is configured.

Cisco also shared in its advisory a list of all devices not affected by this vulnerability.

Cisco has addressed the vulnerability with the latest version of the operating system

The networking giant confirmed that no workarounds exist that address this issue. As a mitigation, Cisco recommends that users disable the DHCPv6 relay agent on their devices by entering the configuration command no ipv6 dhcp relay on the device CLI.


For a complete fix, users should update their devices to the latest NX-OS release, which includes the fix for this vulnerability.
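To triage a fleet against the conditions listed above, the following added example (not code from Cisco or from this article) checks a saved running-config for all three conditions together and confirms that the no ipv6 dhcp relay mitigation clears the exposure. The config layout it parses and both sample configs are assumptions constructed for illustration.

```python
import re

# Releases the article lists as affected.
LISTED_RELEASES = {"8.2(11)", "9.3(9)", "10.2(1)"}

def assess(running_config):
    """Check a saved running-config against the article's three conditions.

    Assumed config layout (not taken from the article): a top-level
    'version <release>' line, a top-level 'ipv6 dhcp relay' line when the
    relay agent is on, and indented 'ipv6 address' lines under interfaces.
    """
    release, relay_enabled, ipv6_ifs, current_if = None, False, [], None
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():  # top-level statement ends any interface block
            current_if = None
            m = re.match(r"version\s+(\S+)", line)
            if m:
                release = m.group(1)
            elif line == "ipv6 dhcp relay":
                relay_enabled = True
            elif line.startswith("interface "):
                current_if = line.split(None, 1)[1]
        elif current_if and re.match(r"\s+ipv6 address\s+\S+", line):
            if current_if not in ipv6_ifs:
                ipv6_ifs.append(current_if)
    listed = release in LISTED_RELEASES
    return {
        "release": release,
        "release_listed": listed,
        "relay_enabled": relay_enabled,
        "ipv6_interfaces": ipv6_ifs,
        # Exposed only when all three conditions hold at once.
        "exposed": listed and relay_enabled and bool(ipv6_ifs),
    }

# Constructed sample configs, not captured from a real device.
EXPOSED_CFG = """version 9.3(9)
feature dhcp
ipv6 dhcp relay
interface Ethernet1/1
  ipv6 address 2001:db8:10::1/64
"""
MITIGATED_CFG = EXPOSED_CFG.replace("ipv6 dhcp relay", "no ipv6 dhcp relay")

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CFG), ("mitigated", MITIGATED_CFG)):
        print(name, assess(cfg))
```

A device reported as not exposed only because the relay agent is disabled still runs a listed release, so it remains a candidate for the update.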
