Cisco addressed multiple vulnerabilities impacting NX-OS software, including a high-severity flaw in the DHCPv6 relay agent.
Cisco released security updates for NX-OS software that address multiple vulnerabilities.
The most severe of the vulnerabilities fixed by the IT giant is a high-severity issue tracked as CVE-2024-20446. The vulnerability impacts the DHCPv6 relay agent of NX-OS, and an attacker can trigger the flaw to cause a denial-of-service (DoS) condition.
“This vulnerability is due to improper handling of specific fields in a DHCPv6 RELAY-REPLY message. An attacker could exploit this vulnerability by sending a crafted DHCPv6 packet to any IPv6 address that is configured on an affected device,” reads the advisory. “A successful exploit could allow the attacker to cause the dhcp_snoop process to crash and restart multiple times, causing the affected device to reload and resulting in a DoS condition.”
The vulnerability affects Cisco Nexus 3000 and 7000 Series Switches, as well as Nexus 9000 Series Switches operating in standalone NX-OS mode. However, the risk is present only under certain conditions: the device must have at least one IPv6 address configured, be running Cisco NX-OS Software Release 8.2(11), 9.3(9), or 10.2(1), and have the DHCPv6 relay agent enabled. Only devices that meet all of these conditions are susceptible to the vulnerability.
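The three conditions above are easy to check offline against a saved `show version` and `show running-config` from each switch. The following Python triage script is an added example written for this article; it is not code from Cisco or from the original post. It assumes that `show version` reports the release as `NXOS: version X.Y(Z)` and names the platform as `cisco NexusN000 ...`, and that the running configuration enables the relay with a global `ipv6 dhcp relay` line and assigns addresses with `ipv6 address ...` lines; the sample outputs embedded below are constructed for the example. The release list is taken from the article.

```python
import re
from typing import Dict, Optional

# NX-OS releases the article names as affected by CVE-2024-20446.
AFFECTED_RELEASES = {"8.2(11)", "9.3(9)", "10.2(1)"}

# Nexus series the article names as affected (9000 only in standalone NX-OS mode,
# which is the only mode that produces an NX-OS 'show version' in the first place).
AFFECTED_SERIES = {"3000", "7000", "9000"}

# Constructed sample outputs (assumed formats, not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco Nexus Operating System (NX-OS) Software
Software
  NXOS: version 9.3(9)
Hardware
  cisco Nexus9000 C93180YC-EX chassis
"""

SAMPLE_RUNNING_CONFIG = """\
feature dhcp
ipv6 dhcp relay
interface Vlan100
  ipv6 address 2001:db8:100::1/64
  ipv6 dhcp relay address 2001:db8:ffff::53
"""


def parse_nxos_release(show_version: str) -> Optional[str]:
    """Return the NX-OS release string, e.g. '9.3(9)', or None if not found."""
    m = re.search(r"NXOS:\s+version\s+(\S+)", show_version)
    return m.group(1) if m else None


def parse_nexus_series(show_version: str) -> Optional[str]:
    """Return the Nexus series ('3000', '7000', '9000', ...) from the hardware line."""
    m = re.search(r"cisco\s+Nexus\s*(\d)000", show_version, re.IGNORECASE)
    return f"{m.group(1)}000" if m else None


def has_ipv6_address(running_config: str) -> bool:
    """True if any 'ipv6 address ...' line is present (a 'no ipv6 address' line does not count)."""
    return re.search(r"^\s*ipv6 address\s+\S+", running_config, re.MULTILINE) is not None


def dhcpv6_relay_enabled(running_config: str) -> bool:
    """True if DHCPv6 relay is enabled globally ('ipv6 dhcp relay' at the start of a line)."""
    return re.search(r"^\s*ipv6 dhcp relay\s*$", running_config, re.MULTILINE) is not None


def assess_cve_2024_20446(show_version: str, running_config: str) -> Dict[str, object]:
    """Evaluate the article's exposure conditions; 'exposed' is True only when all hold."""
    release = parse_nxos_release(show_version)
    series = parse_nexus_series(show_version)
    checks = {
        "affected_series": series in AFFECTED_SERIES,
        "affected_release": release in AFFECTED_RELEASES,
        "ipv6_address_configured": has_ipv6_address(running_config),
        "dhcpv6_relay_enabled": dhcpv6_relay_enabled(running_config),
    }
    return {
        "release": release,
        "series": series,
        **checks,
        "exposed": all(checks.values()),
    }


if __name__ == "__main__":
    report = assess_cve_2024_20446(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG)
    for key, value in report.items():
        print(f"{key:24} {value}")
```

Run it over the saved command outputs of each switch; a device is flagged only when every condition holds, which mirrors the advisory's "all these factors together" wording. Because the article states there is no workaround, the only remediation action the report should drive is scheduling the fixed software release, so disabling the relay is deliberately not suggested as a fix here.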
The company pointed out that there are no workarounds that address this flaw.
The Cisco Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild exploiting this vulnerability.
Pierluigi Paganini
(SecurityAffairs – hacking, NX-OS Software)