Cisco has recently addressed a significant vulnerability within its Cisco IOS Software utilized by Catalyst 6000 Series Switches, capable of causing a denial of service (DoS) condition.
The vulnerability, assigned CVE-2024-20276 with a base score of 7.4, stems from inadequate handling of process-switched traffic within Cisco IOS, a proprietary operating system powering Cisco Systems' routers, switches, and network devices. This software encompasses critical functionalities like interface configuration, network management, routing, security, switching, and quality of service (QoS).
The identified flaw enables an unauthenticated local attacker to initiate an unexpected device reload by exploiting improper process-switched traffic handling.
An attacker can leverage this vulnerability by directing crafted traffic toward a vulnerable device, potentially leading to a DoS incident by forcing the affected device to reload.
According to Cisco's advisory, "An attacker could exploit this vulnerability by sending crafted traffic to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition."
The affected products include:
Devices running vulnerable versions of Cisco IOS software with port security, device classifier, or authentication, authorization, and accounting (AAA) activated are susceptible.
To determine whether a device is exposed, users can employ commands such as:
show running-config | include interface|port-security
to check for a port security setup;
show running-config | include device classifier
to verify the device classifier configuration;
show running-config | include system-auth-control|interface|port-control|mab
to assess the AAA configuration.
The following Cisco products are confirmed as not vulnerable to this issue:
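The three configuration checks above can be automated across a fleet of saved configurations. The following script is an added example written for this article, not a Cisco tool; it assumes the input is the text of "show running-config" and only flags the features the advisory names, so the IOS release still has to be compared against the affected versions separately.

```python
import re

# Constructed sample "show running-config" excerpt (not from any real device).
SAMPLE_CONFIG = """\
hostname cat6k-lab
aaa new-model
dot1x system-auth-control
!
interface GigabitEthernet1/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
!
interface GigabitEthernet1/2
 switchport mode access
 authentication port-control auto
 mab
!
"""

# Config lines that correspond to the advisory's three checks: port security,
# device classifier, and the AAA / 802.1X / MAB family of commands.
FEATURE_PATTERNS = {
    "port-security": [r"^\s*switchport port-security"],
    "device-classifier": [r"^\s*device classifier"],
    "aaa": [r"^\s*dot1x system-auth-control",
            r"^\s*authentication port-control",
            r"^\s*mab\b"],
}

def find_enabled_features(config_text):
    """Return {feature: [matching config lines]} for each feature that is active."""
    found = {}
    for feature, patterns in FEATURE_PATTERNS.items():
        hits = [line.strip() for line in config_text.splitlines()
                if any(re.match(p, line) for p in patterns)]
        if hits:
            found[feature] = hits
    return found

def exposure_report(config_text):
    """Flag the device as exposed if any of the three features is configured.
    This is only the configuration half of the check; the running IOS version
    must still fall within the affected range for the device to be vulnerable."""
    features = find_enabled_features(config_text)
    return {"exposed": bool(features), "features": features}

if __name__ == "__main__":
    print(exposure_report(SAMPLE_CONFIG))
```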
Additionally, Cisco has verified that several Cisco IOS platforms remain unaffected:
No workarounds are available to address this vulnerability. Cisco advises affected users to upgrade to the appropriate fixed software release to mitigate the associated risks. Customers with service contracts can access these updates through standard update channels at no cost. For those without service contracts, upgrades can be obtained by contacting the Cisco Technical Assistance Center (TAC) with the product serial number and advisory URL for entitlement to a complimentary upgrade.