{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-090.pdf"
    },
    "title": "Multiple Vulnerabilities in Cisco NX-OS Software",
    "serial_number": "2024-090",
    "publish_date": "02-09-2024 07:40:58",
    "description": "On August 28, Cisco released patches for multiple vulnerabilities affecting its NX-OS software, primarily used in Nexus switches. The most severe of these is a high-severity denial-of-service (DoS) vulnerability in the DHCPv6 relay agent, which could allow an unauthenticated remote attacker to cause targeted devices to reload repeatedly, leading to a DoS condition. Additionally, several medium-severity vulnerabilities were addressed, including issues that could allow privilege escalation and unauthorised code execution.<br>\n",
    "url_title": "2024-090",
    "content_markdown": "---    \ntitle: 'Multiple Vulnerabilities in\u00a0Cisco\u00a0NX-OS\u00a0Software'\nnumber: '2024-090'\nversion: '1.0'\noriginal_date: '2024-08-28'\ndate: '2024-08-30'\n---\n\n_History:_\n\n* _30/08/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn August 28, Cisco released patches for multiple vulnerabilities affecting its NX-OS software, primarily used in Nexus switches. The most severe of these is a high-severity denial-of-service (DoS) vulnerability in the DHCPv6 relay agent, which could allow an unauthenticated remote attacker to cause targeted devices to reload repeatedly, leading to a DoS condition. Additionally, several medium-severity vulnerabilities were addressed, including issues that could allow privilege escalation and unauthorised code execution [1,2].\n\n# Technical Details\n\nThe vulnerability **CVE-2024-20446**, with a CVSS of 8.6, is due to improper handling of specific fields in DHCPv6 messages. By sending specially crafted DHCPv6 packets to an affected device, an attacker could cause the `dhcp_snoop` process to crash and restart multiple times, eventually forcing the device to reload, resulting in a DoS condition [3].\n\nOther vulnerabilities addressed in this update include a medium-severity **Command Injection** flaw in the NX-OS CLI that could allow local attackers to execute arbitrary commands with elevated privileges, and multiple medium-severity **Privilege Escalation** flaws in the NX-OS sandbox environment that could allow authenticated local attackers to escape the Python sandbox and gain unauthorised access to the underlying operating system.\n\n# Affected Products\n\nThe vulnerability **CVE-2024-20446** affects Cisco Nexus 3000 and 7000 Series Switches and Nexus 9000 Series Switches in standalone NX-OS mode if all the following conditions are true [3]:\n\n- They are running Cisco NX-OS Software Release 8.2(11), 9.3(9), or 10.2(1).\n- They have the DHCPv6 relay agent enabled.\n- They have at least one IPv6 address configured on the device.\n\n# Recommendations\n\nCERT-EU recommends applying the latest NX-OS patches provided by Cisco. Additionally, if DHCPv6 Relay Agent is not required in the environment, consider disabling this feature.\n\n# References\n\n[1] <https://www.securityweek.com/cisco-patches-multiple-nx-os-software-vulnerabilities/>\n\n[2] <https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75417>\n\n[3] <https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-dhcp6-relay-dos-znEAA6xn>\n\n\n\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>30/08/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On August 28, Cisco released patches for multiple vulnerabilities affecting its NX-OS software, primarily used in Nexus switches. The most severe of these is a high-severity denial-of-service (DoS) vulnerability in the DHCPv6 relay agent, which could allow an unauthenticated remote attacker to cause targeted devices to reload repeatedly, leading to a DoS condition. Additionally, several medium-severity vulnerabilities were addressed, including issues that could allow privilege escalation and unauthorised code execution [1,2].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2024-20446</strong>, with a CVSS of 8.6, is due to improper handling of specific fields in DHCPv6 messages. By sending specially crafted DHCPv6 packets to an affected device, an attacker could cause the <code>dhcp_snoop</code> process to crash and restart multiple times, eventually forcing the device to reload, resulting in a DoS condition [3].</p><p>Other vulnerabilities addressed in this update include a medium-severity <strong>Command Injection</strong> flaw in the NX-OS CLI that could allow local attackers to execute arbitrary commands with elevated privileges, and multiple medium-severity <strong>Privilege Escalation</strong> flaws in the NX-OS sandbox environment that could allow authenticated local attackers to escape the Python sandbox and gain unauthorised access to the underlying operating system.</p><h2 id=\"affected-products\">Affected Products</h2><p>The vulnerability <strong>CVE-2024-20446</strong> affects Cisco Nexus 3000 and 7000 Series Switches and Nexus 9000 Series Switches in standalone NX-OS mode if all the following conditions are true [3]:</p><ul><li>They are running Cisco NX-OS Software Release 8.2(11), 9.3(9), or 10.2(1).</li><li>They have the DHCPv6 relay agent enabled.</li><li>They have at least one IPv6 address configured on the device.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends applying the latest NX-OS patches provided by Cisco. Additionally, if DHCPv6 Relay Agent is not required in the environment, consider disabling this feature.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.securityweek.com/cisco-patches-multiple-nx-os-software-vulnerabilities/\">https://www.securityweek.com/cisco-patches-multiple-nx-os-software-vulnerabilities/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75417\">https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75417</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-dhcp6-relay-dos-znEAA6xn\">https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-dhcp6-relay-dos-znEAA6xn</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}