A critical denial of service (DoS) flaw affected the Cisco NX-OS software that powers Cisco Nexus devices. Cisco patched the vulnerability with the latest software release and urged users to update.
Severe DoS Flaw Affected Cisco NX-OS Software
Cisco recently addressed a high-severity denial of service security flaw affecting NX-OS software. Specifically, NX-OS is the operating system running on Cisco Nexus data center switches.
According to Cisco’s advisory, the vulnerability affected NX-OS Software’s DHCPv6 relay agent. Identified as CVE-2024-20446, it received a high severity rating and a CVSS score of 8.6.
The flaw appeared “due to improper handling of specific fields in a DHCPv6 RELAY-REPLY message.” A remote attacker could exploit the flaw to trigger a denial of service on the target device by sending maliciously crafted DHCPv6 packets to a device’s IPv6 address without authentication.
Describing how the DoS would trigger, Cisco stated in its advisory,
A successful exploit could allow the attacker to cause the dhcp_snoop process to crash and restart multiple times, causing the affected device to reload and resulting in a DoS condition.
Regarding the affected devices, Cisco mentioned the “Nexus 3000 and 7000 Series Switches and Nexus 9000 Series Switches in standalone NX-OS mode” as vulnerable products. However, the vulnerability would come into effect under the following conditions:
- Cisco NX-OS Software Release 8.2(11), 9.3(9), or 10.2(1) running on the devices.
- DHCPv6 relay agent enabled (which comes disabled by default).
- At least one IPv6 address is configured.
Cisco also shared a list of all devices unaffected by this vulnerability in its advisory.
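The three conditions above can be checked against saved device output. The following is an added example, not code from Cisco or from the original article: it assumes the release appears in "show version" output as a line such as "NXOS: version 9.3(9)" or "system: version 8.2(11)", and that the configuration text comes from "show running-config all" so that default settings are visible. The sample inputs are constructed.

```python
import re

# Releases the article lists as affected.
AFFECTED_RELEASES = {"8.2(11)", "9.3(9)", "10.2(1)"}

# Assumed "show version" line shapes (see lead-in).
VERSION_RE = re.compile(r"^\s*(?:NXOS|system):\s+version\s+(\S+)", re.I | re.M)
# Global relay command at column 0; interface-level relay lines are indented.
RELAY_ON_RE = re.compile(r"^ipv6 dhcp relay\s*$", re.M)
# The article gives "no ipv6 dhcp relay" as the command that disables the agent.
RELAY_OFF_RE = re.compile(r"^no ipv6 dhcp relay\s*$", re.M)
# Any interface-level address line, e.g. "  ipv6 address 2001:db8::1/64".
IPV6_ADDR_RE = re.compile(r"^\s+ipv6 address\s+\S+", re.M)

# Constructed sample inputs (not captured from a real device).
SAMPLE_VERSION = "Software\n  BIOS: version 05.45\n  NXOS: version 9.3(9)\n"
SAMPLE_CONFIG = """feature dhcp
ipv6 dhcp relay
interface Ethernet1/1
  ipv6 address 2001:db8:10::1/64
  ipv6 dhcp relay address 2001:db8:20::5
"""


def assess(show_version: str, running_config: str) -> dict:
    """Evaluate the three exposure conditions for CVE-2024-20446."""
    match = VERSION_RE.search(show_version)
    release = match.group(1) if match else None
    conditions = {
        "affected_release": release in AFFECTED_RELEASES,
        "dhcpv6_relay_enabled": bool(RELAY_ON_RE.search(running_config))
        and not RELAY_OFF_RE.search(running_config),
        "ipv6_address_configured": bool(IPV6_ADDR_RE.search(running_config)),
    }
    # If the release could not be parsed, report None rather than guessing.
    exposed = None if release is None else all(conditions.values())
    return {"release": release, **conditions, "exposed": exposed}


if __name__ == "__main__":
    for key, value in assess(SAMPLE_VERSION, SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

An "exposed" value of None means the release line was not recognised and the device needs a manual check.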
Cisco Patched The Vulnerability With Latest OS Release
The networking giant confirmed that no workarounds exist to address this flaw. As a temporary mitigation, Cisco advises users to disable the DHCPv6 relay agent on their devices using the no ipv6 dhcp relay configuration command on the device CLI.
However, users can receive a full patch for their devices by updating to the latest NX-OS release, which carries the respective vulnerability fix.