Cisco Resolves High-Severity Vulnerability in IOS Software for Catalyst 6000 Series Switches


Cisco has addressed a high-severity vulnerability in the Cisco IOS Software running on Catalyst 6000 Series Switches that could be exploited to cause a denial of service (DoS) condition.

The vulnerability, assigned CVE-2024-20276 with a base score of 7.4, stems from inadequate handling of process-switched traffic within Cisco IOS, a proprietary operating system powering Cisco Systems' routers, switches, and network devices. This software encompasses critical functionalities like interface configuration, network management, routing, security, switching, and quality of service (QoS).

The identified flaw enables an unauthenticated local attacker to initiate an unexpected device reload by exploiting improper process-switched traffic handling.

An attacker can leverage this vulnerability by directing malicious traffic toward a vulnerable device, forcing the affected device to reload and thereby causing a DoS condition.

According to Cisco's advisory, "An attacker could exploit this vulnerability by sending crafted traffic to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition."

The affected products include:

  • Catalyst 6500 Series Switches with Supervisor Engine 2T or 6T
  • Catalyst 6800 Series Switches with Supervisor Engine 2T or 6T

Devices running vulnerable versions of Cisco IOS software with port security, device classifier, or authentication, authorization, and accounting (AAA) activated are susceptible.

To determine whether a device is exposed, administrators can run commands such as:

  • show running-config | include interface|port-security to check for port security configuration
  • show running-config | include device classifier to verify device classifier configuration
  • show running-config | include system-auth-control|interface|port-control|mab to assess AAA configuration
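The same three checks can be applied offline to saved running-config backups, which is useful when auditing many switches at once. The following is an added example written for this article, not Cisco's own tooling; it assumes the standard IOS keywords for the features the advisory names (switchport port-security, device classifier, dot1x system-auth-control, authentication port-control, mab) and a constructed sample configuration.

```python
import re
from typing import Dict, List

# Keywords drawn from the advisory's "show running-config | include ..." checks.
# The "interface|" part of those filters exists so the CLI shows which interface a
# line belongs to; here the parser tracks interface blocks itself (assumed IOS syntax).
GLOBAL_MARKERS = {
    "device classifier": re.compile(r"^device classifier\b"),
    "aaa": re.compile(r"^dot1x system-auth-control\b"),
}
INTERFACE_MARKERS = {
    "port-security": re.compile(r"^switchport port-security\b"),
    "aaa": re.compile(r"^(authentication port-control|mab)\b"),
}


def audit_running_config(config: str) -> Dict[str, List[str]]:
    """Return, per advisory feature, where it is enabled ("global" or interface names).

    An empty dict means none of the three trigger features is configured.
    """
    findings: Dict[str, List[str]] = {}
    current_iface = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Top-level line: an interface header, a global command, or a "!" separator.
            m = re.match(r"^interface (\S+)", line)
            current_iface = m.group(1) if m else None
            for feature, pat in GLOBAL_MARKERS.items():
                if pat.search(line):
                    findings.setdefault(feature, []).append("global")
            continue
        if current_iface is None:
            continue
        stripped = line.strip()
        for feature, pat in INTERFACE_MARKERS.items():
            if pat.search(stripped):
                hits = findings.setdefault(feature, [])
                if current_iface not in hits:
                    hits.append(current_iface)
    return findings


def is_exposed(config: str) -> bool:
    """True if any of the advisory's trigger features is enabled (still requires a vulnerable release)."""
    return bool(audit_running_config(config))


# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
hostname core-6500
device classifier
dot1x system-auth-control
!
interface GigabitEthernet1/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
!
interface GigabitEthernet1/2
 authentication port-control auto
 mab
!
interface GigabitEthernet1/3
 switchport mode trunk
!
"""

if __name__ == "__main__":
    for feature, where in audit_running_config(SAMPLE_CONFIG).items():
        print(f"{feature}: {', '.join(where)}")
```

A hit only means the device is in the advisory's affected configuration; the running IOS release must still be compared against the fixed versions in Cisco's advisory.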

The following Cisco products are confirmed as not vulnerable to this issue:

  • IOS XE Software
  • IOS XR Software
  • Meraki products
  • NX-OS Software

Additionally, Cisco has verified that several Cisco IOS platforms remain unaffected:

  • Catalyst 1000 Series Switches
  • Catalyst 2000 Series Switches
  • Catalyst 3000 Series Switches
  • Catalyst 4000 Series Switches
  • Catalyst 9000 Series Switches

No workarounds are available to address this vulnerability. Cisco advises affected users to upgrade to the appropriate fixed software release to mitigate the associated risks. Customers with service contracts can access these updates through standard update channels at no cost. For those without service contracts, upgrades can be obtained by contacting the Cisco Technical Assistance Center (TAC) with the product serial number and advisory URL for entitlement to a complimentary upgrade.