A newly discovered vulnerability in the Link Layer Discovery Protocol (LLDP) feature of Cisco FXOS Software and Cisco NX-OS Software (CVE-2024-20294) can allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of specific fields in an LLDP frame.

Exploit Details

The Link Layer Discovery Protocol (LLDP) is a vendor-neutral Layer 2 link protocol used by various networking equipment to advertise information about themselves to their directly connected peers. The vulnerability in the LLDP feature of Cisco FXOS and NX-OS Software occurs because of improper handling of certain fields in an LLDP frame.

An attacker who successfully exploits this vulnerability could cause the LLDP service to crash and stop running on the affected device. In certain situations, the LLDP crash may result in a reload of the affected device, causing a loss of connectivity.

An attacker would need to be directly connected to an interface of an affected device, either physically or logically (for example, through a Layer 2 Tunnel configured to transport the LLDP protocol), to exploit this vulnerability.

To exploit this vulnerability, an attacker could send a crafted LLDP packet to an interface of an affected device and have an authenticated user retrieve LLDP statistics from the affected device through Command-Line Interface (CLI) "show" commands or Simple Network Management Protocol (SNMP) requests.

Consider the following example of a crafted LLDP packet sent by an attacker to an affected device:

    from scapy.all import Ether, sendp
    from scapy.contrib.lldp import (LLDPDUChassisID, LLDPDUPortID,
                                    LLDPDUTimeToLive, LLDPDUSystemName,
                                    LLDPDUEndOfLLDPDU)

    # Craft the LLDP packet: LLDP rides in an Ethernet frame (EtherType 0x88cc)
    # addressed to the nearest-bridge multicast MAC, and must carry the
    # mandatory Chassis ID, Port ID and TTL TLVs before any optional TLV.
    # The advisory does not name the field that triggers the bug; the
    # System Name value below is a placeholder, not the real trigger.
    lldp_packet = (
        Ether(dst="01:80:c2:00:00:0e", type=0x88cc)
        / LLDPDUChassisID(subtype=4, id="00:11:22:33:44:55")
        / LLDPDUPortID(subtype=5, id="eth0")
        / LLDPDUTimeToLive(ttl=120)
        / LLDPDUSystemName(system_name="AttackerDevice")
        / LLDPDUEndOfLLDPDU()
    )

    # Send the crafted LLDP packet out the interface facing the affected
    # device ("eth0" is a placeholder interface name)
    sendp(lldp_packet, iface="eth0")

In this example, the attacker sends a crafted LLDP packet containing a malicious payload to an interface of an affected device, potentially causing a DoS condition.
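The defensive counterpart is a receiver that validates the TLV fields before trusting them. The following parser is an added example (not code from the original post or from Cisco) that decodes an LLDPDU with the bounds and mandatory-TLV checks that "handling of specific fields in an LLDP frame" requires; the two sample LLDPDUs are constructed inline and their MAC, port and system name values are arbitrary assumptions.

```python
import struct

# LLDP TLV header (IEEE 802.1AB): 7-bit type, 9-bit length, then the value.
def tlv(tlv_type, value):
    return struct.pack("!H", (tlv_type << 9) | (len(value) & 0x1FF)) + value

# Constructed sample LLDPDUs, not captured traffic.
MANDATORY = (
    tlv(1, b"\x04" + bytes.fromhex("001122334455"))  # Chassis ID, MAC subtype
    + tlv(2, b"\x05Ethernet1/1")                     # Port ID, interface-name subtype
    + tlv(3, struct.pack("!H", 120))                 # TTL in seconds
)
VALID_LLDPDU = MANDATORY + tlv(5, b"switch-a") + tlv(0, b"")   # System Name + End

# Same frame, but the System Name header claims 300 bytes while only 8 follow:
# the kind of declared-length/actual-data mismatch a parser must reject.
TRUNCATED_LLDPDU = (
    MANDATORY + struct.pack("!H", (5 << 9) | 300) + b"switch-a" + tlv(0, b"")
)

def parse_lldpdu(data):
    """Parse TLVs with strict bounds checks; return (tlvs, errors)."""
    tlvs, errors, off = [], [], 0
    while off < len(data):
        if len(data) - off < 2:
            errors.append(f"truncated TLV header at offset {off}")
            break
        hdr = struct.unpack_from("!H", data, off)[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF
        remaining = len(data) - off - 2
        if tlen > remaining:
            errors.append(f"TLV type {ttype} at offset {off} declares {tlen} "
                          f"bytes, only {remaining} remain")
            break
        tlvs.append((ttype, data[off + 2:off + 2 + tlen]))
        off += 2 + tlen
        if ttype == 0:          # End of LLDPDU: ignore anything after it
            break
    types = [t for t, _ in tlvs]
    # 802.1AB mandates Chassis ID, Port ID and TTL first, End of LLDPDU last.
    if types[:3] != [1, 2, 3]:
        errors.append("mandatory TLVs (Chassis ID, Port ID, TTL) missing or out of order")
    if not types or types[-1] != 0:
        errors.append("missing End of LLDPDU TLV")
    return tlvs, errors
```

A frame that produces any error should be counted and dropped rather than stored, so that a later `show` or SNMP read of the LLDP tables never touches a field whose declared length was never verified.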

Original References

1. Cisco Advisory: A detailed explanation of the vulnerability, affected products, and mitigation steps provided by Cisco.
2. NVD - CVE-2024-20294: The National Vulnerability Database (NVD) entry for this vulnerability, providing additional information and an impact analysis.

Mitigation and Recommendations

To mitigate this vulnerability, network administrators should ensure that their affected devices run a fixed software release. Cisco has released software updates that address the vulnerability.

Furthermore, administrators should consider disabling the LLDP feature on any interfaces that do not specifically require the protocol for normal operation, as this can help limit the attack surface.

In conclusion, staying informed of the latest security updates and ensuring your network devices run the most up-to-date software is crucial to protecting against potential exploits of this type.

Timeline

Published on: 02/29/2024 01:43:59 UTC
Last modified on: 02/29/2024 13:49:29 UTC