A critical vulnerability has been identified in the handling of Multiprotocol Label Switching (MPLS) traffic for Cisco NX-OS Software. This vulnerability could allow an unauthenticated, remote attacker to cause the netstack process to unexpectedly restart, resulting in the device either stopping processing network traffic or reloading altogether. This issue has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2024-20267.

Vulnerability Details

The vulnerability is caused by insufficient error checking when an ingress MPLS frame is processed. A remote attacker can exploit it by sending a specially crafted Internet Protocol version 6 (IPv6) packet, encapsulated within an MPLS frame, to an MPLS-enabled interface of the targeted device. A successful exploit could allow the attacker to cause a Denial of Service (DoS) condition on the device.

Note: The IPv6 packet can be generated multiple hops away from the targeted device and then encapsulated within MPLS. The DoS condition may occur when the NX-OS device processes the packet.

Exploit Code Snippet

# Attacker's code to create a malicious IPv6 packet and encapsulate it in MPLS
from scapy.all import Ether, IPv6, sendp
from scapy.contrib.mpls import MPLS  # the MPLS layer lives in scapy.contrib, not scapy.all

# Creating a malicious IPv6 packet
ipv6_packet = IPv6(src="2001:db8::1", dst="2001:db8::2")

# Encapsulating the IPv6 packet within an MPLS frame; s=1 marks the bottom of the label stack
# An Ethernet header is required because sendp() transmits at layer 2
mpls_frame = Ether() / MPLS(label=42, s=1, ttl=64) / ipv6_packet

# Sending the crafted MPLS frame to the targeted device ("mpls_interface" is a placeholder name)
sendp(mpls_frame, iface="mpls_interface")

Original References

1. Cisco Advisory: CVE-2024-20267: Cisco NX-OS Software Improper Handling of MPLS Traffic Vulnerability
2. NIST National Vulnerability Database: CVE-2024-20267

Impact

A successful exploit of this vulnerability could lead to a disrupted network, with devices either ceasing to process network traffic or reloading entirely. This could result in a prolonged Denial of Service (DoS) condition, impacting the availability of the affected devices and their associated services.

Mitigation

- Upgrade to a fixed Cisco NX-OS Software release as described in the Cisco advisory referenced above.
- Implement access control lists (ACLs) and network segmentation to restrict which sources can reach MPLS-enabled interfaces on affected devices.
- Deploy monitoring that detects and alerts on unexpected traffic arriving at MPLS-enabled interfaces, such as IPv6 encapsulated in MPLS on interfaces where that traffic is not expected.
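The monitoring point above can be made concrete with a small detector. The following is an added example, not code from the page or from Cisco: it parses Ethernet frames, walks the MPLS label stack to the bottom-of-stack entry, reads the IP version nibble of the encapsulated payload, and raises an alert for IPv6-in-MPLS frames seen on interfaces not expected to carry that traffic, as well as for frames whose label stack is truncated. The interface names, the allowed-interface policy and the sample capture are all constructed here for illustration; a real deployment would feed it frames from a SPAN port or packet capture.

```python
"""Detect IPv6-in-MPLS frames on monitored interfaces (pure Python, no scapy)."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_MPLS = (0x8847, 0x8848)  # MPLS unicast / multicast
MAX_LABEL_DEPTH = 16               # guard against walking a bogus label stack forever


@dataclass
class MplsInfo:
    labels: List[int]               # label stack, top of stack first
    payload_version: Optional[int]  # IP version nibble of the bottom-of-stack payload, None if absent


def parse_mpls(frame: bytes) -> Optional[MplsInfo]:
    """Parse an Ethernet frame and return its MPLS label stack and payload IP version.

    Returns None for non-MPLS frames and raises ValueError when the label stack
    is truncated (the frame ends before a bottom-of-stack bit is seen).
    """
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:  # skip one 802.1Q tag
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
    if ethertype not in ETHERTYPE_MPLS:
        return None
    labels: List[int] = []
    while True:
        if len(frame) < offset + 4:
            raise ValueError("truncated MPLS label stack")
        entry = struct.unpack_from("!I", frame, offset)[0]
        labels.append(entry >> 12)      # 20-bit label; TC = bits 9-11, S = bit 8, TTL = low byte
        offset += 4
        if (entry >> 8) & 1:            # S bit set: bottom of stack reached
            break
        if len(labels) >= MAX_LABEL_DEPTH:
            raise ValueError("label stack deeper than %d entries" % MAX_LABEL_DEPTH)
    version = frame[offset] >> 4 if len(frame) > offset else None
    return MplsInfo(labels, version)


def detect(capture: Iterable[Tuple[str, bytes]], ipv6_over_mpls_ifaces: Set[str]) -> List[str]:
    """Return one alert string per frame that violates the interface policy."""
    alerts: List[str] = []
    for iface, frame in capture:
        try:
            info = parse_mpls(frame)
        except ValueError as exc:
            alerts.append(f"{iface}: malformed MPLS frame ({exc})")
            continue
        if info is None:
            continue
        if info.payload_version == 6 and iface not in ipv6_over_mpls_ifaces:
            alerts.append(f"{iface}: IPv6 encapsulated in MPLS (labels={info.labels}) "
                          "on an interface not expected to carry IPv6 over MPLS")
    return alerts


# --- constructed sample data (not captured from a real device) ---
def build_frame(labels: List[int], payload: bytes) -> bytes:
    """Build Ethernet + MPLS label stack + payload; the last label gets the S bit."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x8847)
    stack = b"".join(
        struct.pack("!I", (label << 12) | ((i == len(labels) - 1) << 8) | 64)  # TC=0, TTL=64
        for i, label in enumerate(labels)
    )
    return eth + stack + payload


# Minimal IPv6 header: version 6, payload length 0, next header 59 (none), hop limit 64
IPV6_HDR = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64, bytes(16), bytes(16))
# Minimal IPv4 header: version 4, IHL 5, total length 20, TTL 64, protocol 1, zero checksum
IPV4_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0, bytes(4), bytes(4))

SAMPLE_CAPTURE = [
    ("Ethernet1/1", build_frame([1001], IPV4_HDR)),           # IPv4 over MPLS: ordinary
    ("Ethernet1/1", build_frame([1001, 16], IPV6_HDR)),       # IPv6 over MPLS where none is expected
    ("Ethernet1/2", build_frame([2001], IPV6_HDR)),           # IPv6 over MPLS on the interface configured for it
    ("Ethernet1/1", build_frame([1001, 16], IPV6_HDR)[:18]),  # cut off before the bottom-of-stack entry
]
IPV6_OVER_MPLS_IFACES = {"Ethernet1/2"}  # assumed policy: only this interface carries IPv6 over MPLS


def run_sample() -> List[str]:
    return detect(SAMPLE_CAPTURE, IPV6_OVER_MPLS_IFACES)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The policy is deliberately simple: an allow-list of interfaces on which IPv6-over-MPLS is legitimate. Because the advisory notes that the packet can originate several hops away, source-address filtering alone is weak; matching on the encapsulation itself at the MPLS-enabled edge is a more reliable signal, and a truncated label stack is worth an alert of its own since it is never produced by a well-behaved LSR.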

Conclusion

CVE-2024-20267 is a critical vulnerability in the handling of MPLS traffic on Cisco NX-OS Software, which can lead to a Denial of Service (DoS) condition. Administrators are urged to review the provided references and deploy the necessary updates and mitigations to protect their networks from potential attacks. Proper network segmentation, access control, and monitoring can also help prevent attackers from exploiting the vulnerability.

Timeline

Published on: 02/29/2024 01:43:58 UTC
Last modified on: 03/04/2024 22:45:43 UTC