---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Multiple Vulnerabilities in Cisco NX-OS Software'
number: '2024-090'
version: '1.0'
original_date: '2024-08-28'
date: '2024-08-30'
---
_History:_
* _30/08/2024 --- v1.0 -- Initial publication_
# Summary
On August 28, Cisco released patches for multiple vulnerabilities affecting its NX-OS software, primarily used in Nexus switches. The most severe of these is a high-severity denial-of-service (DoS) vulnerability in the DHCPv6 relay agent, which could allow an unauthenticated remote attacker to cause targeted devices to reload repeatedly, leading to a DoS condition. Additionally, several medium-severity vulnerabilities were addressed, including issues that could allow privilege escalation and unauthorised code execution [1,2].
# Technical Details
The vulnerability **CVE-2024-20446**, with a CVSS score of 8.6, is due to improper handling of specific fields in DHCPv6 messages. By sending specially crafted DHCPv6 packets to an affected device, an unauthenticated remote attacker could cause the `dhcp_snoop` process to crash and restart multiple times, eventually forcing the device to reload, resulting in a DoS condition [3].
Other vulnerabilities addressed in this update include a medium-severity **Command Injection** flaw in the NX-OS CLI that could allow authenticated local attackers to execute arbitrary commands with elevated privileges, and multiple medium-severity **Privilege Escalation** flaws in the NX-OS sandbox environment that could allow authenticated local attackers to escape the Python sandbox and gain unauthorised access to the underlying operating system.
# Affected Products
The vulnerability **CVE-2024-20446** affects Cisco Nexus 3000 and 7000 Series Switches and Nexus 9000 Series Switches in standalone NX-OS mode if all the following conditions are true [3]:
- They are running Cisco NX-OS Software Release 8.2(11), 9.3(9), or 10.2(1).
- They have the DHCPv6 relay agent enabled.
- They have at least one IPv6 address configured on the device.
# Recommendations
CERT-EU recommends applying the latest NX-OS patches provided by Cisco. Additionally, if the DHCPv6 relay agent is not required in the environment, consider disabling this feature; note that this only removes exposure to **CVE-2024-20446**, and that the medium-severity local vulnerabilities still require the patched release.
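As an added example (not part of the CERT-EU advisory or Cisco's guidance), the following Python script checks the three exposure conditions for **CVE-2024-20446** listed under Affected Products against saved `show version` and `show running-config` output, and suggests the mitigation from the recommendation above. The sample outputs are constructed, not captured from a real device; the assumptions are that the running release appears on an `NXOS: version` line (Nexus 3000/9000) or a `system: version` line (Nexus 7000), that the global DHCPv6 relay feature appears as an unindented `ipv6 dhcp relay` line in the running configuration, and that `no ipv6 dhcp relay` disables it:

```python
import re
from typing import Optional

# Constructed sample output modelled on NX-OS `show version` (assumption:
# the release is on an "NXOS: version" or "system: version" line).
SHOW_VERSION = """\
Cisco Nexus Operating System (NX-OS) Software
Software
  BIOS: version 07.69
  NXOS: version 9.3(9)
  BIOS compile time:  04/07/2021
"""

# Constructed sample output modelled on NX-OS `show running-config`
# (assumption: the global relay enable is an unindented "ipv6 dhcp relay").
SHOW_RUN = """\
!Command: show running-config
version 9.3(9) Bios:version 07.69
hostname nexus-lab
feature dhcp
ipv6 dhcp relay

interface Vlan100
  no shutdown
  ipv6 address 2001:db8:100::1/64
  ipv6 dhcp relay address 2001:db8:ffff::53

interface Ethernet1/1
  switchport
"""

# Releases named as affected in the Cisco advisory for CVE-2024-20446.
AFFECTED_RELEASES = {"8.2(11)", "9.3(9)", "10.2(1)"}


def nxos_release(show_version: str) -> Optional[str]:
    """Extract the NX-OS release string, e.g. '9.3(9)' or '8.2(11)'."""
    m = re.search(r"^\s*(?:NXOS|system):\s+version\s+(\S+)",
                  show_version, re.MULTILINE)
    return m.group(1) if m else None


def dhcpv6_relay_enabled(show_run: str) -> bool:
    """True if the global DHCPv6 relay feature is enabled.

    Matches only the unindented global line, not the indented per-interface
    'ipv6 dhcp relay address ...' statements, which need the global enable."""
    return re.search(r"^ipv6 dhcp relay\s*$", show_run, re.MULTILINE) is not None


def ipv6_addresses(show_run: str) -> list:
    """Return all IPv6 addresses configured on interfaces."""
    return re.findall(r"^\s+ipv6 address\s+(\S+)", show_run, re.MULTILINE)


def assess(show_version: str, show_run: str) -> dict:
    """Evaluate the three conditions from the advisory; the device is
    exposed to CVE-2024-20446 only when all of them hold."""
    release = nxos_release(show_version)
    conditions = {
        "affected_release": release in AFFECTED_RELEASES,
        "dhcpv6_relay_enabled": dhcpv6_relay_enabled(show_run),
        "ipv6_configured": bool(ipv6_addresses(show_run)),
    }
    exposed = all(conditions.values())
    # Mitigation from the recommendation: disable the relay only if it is
    # enabled and not needed (assumption: 'no ipv6 dhcp relay' turns it off).
    mitigation = "no ipv6 dhcp relay" if exposed else None
    return {"release": release, "conditions": conditions,
            "exposed": exposed, "mitigation": mitigation}


if __name__ == "__main__":
    result = assess(SHOW_VERSION, SHOW_RUN)
    print(f"release: {result['release']}")
    for name, ok in result["conditions"].items():
        print(f"  {name}: {ok}")
    print(f"exposed to CVE-2024-20446: {result['exposed']}")
    if result["mitigation"]:
        print(f"interim mitigation (if relay not required): {result['mitigation']}")
```

Feed it the two command outputs from each switch in the inventory; a device is only flagged when the release, the global relay enable and at least one IPv6 address are all present, mirroring the "all of the following" wording of the affected-products section.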
# References
[1]
[2]
[3]