High-Severity DoS Flaw Patched In Cisco NX-OS Software

Latest Hacking News

A high-severity denial of service (DoS) vulnerability impacted the Cisco NX-OS software used in Cisco Nexus devices. Cisco has released a software update to address this vulnerability and advises users to update their systems.

High-Severity DoS Vulnerability in Cisco NX-OS Software

Cisco recently fixed a high-severity denial of service vulnerability in the NX-OS software, which is the operating system powering Cisco Nexus data center switches.

According to Cisco’s advisory, the vulnerability, identified as CVE-2024-20446 with a CVSS score of 8.6, affected the DHCPv6 relay agent in NX-OS Software.

The vulnerability was caused by improper handling of specific fields in a DHCPv6 RELAY-REPLY message. An attacker could exploit this flaw remotely by sending malicious DHCPv6 packets to a device’s IPv6 address without authentication, leading to a denial of service.

Cisco explained in its advisory how the DoS attack could occur:

A successful exploit could cause the dhcp_snoop process to crash and restart multiple times, leading to the affected device reloading and resulting in a DoS condition.

The affected devices include Nexus 3000 and 7000 Series Switches and Nexus 9000 Series Switches in standalone NX-OS mode running software releases 8.2(11), 9.3(9), or 10.2(1) with the DHCPv6 relay agent enabled and at least one configured IPv6 address.

Cisco also provided a list of devices unaffected by this vulnerability in the advisory.

Cisco Fixes Vulnerability in Latest OS Release

Cisco confirmed that there are no workarounds to address this vulnerability. As a temporary measure, users are advised to disable the DHCPv6 relay agent using the "no ipv6 dhcp relay" command in the device CLI.

Users can permanently patch their devices by updating to the latest NX-OS release, which includes the fix for this vulnerability.
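
The three exposure conditions described above (an affected release, the DHCPv6 relay agent enabled, and at least one configured IPv6 address) can be checked offline against saved device output. The Python script below is an added example, not code from Cisco or from the original article; the function names are hypothetical, the sample "show version" and running-config text is constructed, and it assumes a global "ipv6 dhcp relay" line means the relay agent is enabled.

```python
import re

# Releases the article lists as affected (values taken from the page only).
AFFECTED_RELEASES = {"8.2(11)", "9.3(9)", "10.2(1)"}

def nxos_release(show_version: str):
    """Return the NX-OS release string from saved `show version` text, or None."""
    m = re.search(r"^\s*(?:NXOS|system):\s+version\s+(\S+)", show_version, re.M | re.I)
    return m.group(1) if m else None

def relay_enabled(running_config: str) -> bool:
    """True if a global `ipv6 dhcp relay` line is present (a `no ...` line does not count)."""
    return any(line.strip() == "ipv6 dhcp relay" for line in running_config.splitlines())

def ipv6_interfaces(running_config: str):
    """Return names of interfaces that carry at least one `ipv6 address` line."""
    found, current = [], None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line and not line[0].isspace():
            current = None  # an unindented line ends the interface block
        elif current and line.strip().startswith("ipv6 address ") and current not in found:
            found.append(current)
    return found

def exposed(show_version: str, running_config: str) -> bool:
    """All three conditions from the article must hold for the device to be exposed."""
    return (nxos_release(show_version) in AFFECTED_RELEASES
            and relay_enabled(running_config)
            and bool(ipv6_interfaces(running_config)))

# Constructed sample output, not captured from a real switch.
SAMPLE_VERSION = "Software\n  BIOS: version 05.45\n  NXOS: version 9.3(9)\n"
SAMPLE_CONFIG = """feature dhcp
ipv6 dhcp relay
interface Ethernet1/1
  ipv6 address 2001:db8:1::1/64
interface Ethernet1/2
  ip address 192.0.2.1/24
"""

if __name__ == "__main__":
    print("release:", nxos_release(SAMPLE_VERSION))
    print("IPv6 interfaces:", ipv6_interfaces(SAMPLE_CONFIG))
    print("exposed:", exposed(SAMPLE_VERSION, SAMPLE_CONFIG))
```

A device that reports exposed here still needs to be checked against Cisco's advisory, since the release list in the script comes from this article alone.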
