CVE-2024-20373 - A Deep Dive into the SNMP IPv4 Access Control List Bypass Vulnerability in Cisco IOS and IOS XE Software
Cisco has disclosed a vulnerability in Cisco IOS Software and Cisco IOS XE Software in the way the Simple Network Management Protocol (SNMP) subsystem applies IPv4 Access Control Lists (ACLs). It allows an unauthenticated, remote attacker to perform SNMP polling of an affected device even when the device is configured to deny SNMP traffic from the attacker's address. This post covers the vulnerable configuration pattern, the root cause, the conditions an attacker still has to meet, Cisco's references and the workaround. The configuration below mirrors the advisory's example of an affected setup: an SNMPv2c community and an SNMPv3 group bound to a named extended IPv4 ACL.
Code Snippet -----------
!
snmp-server community <V2c_Community_String> RO ipv4 <Extended_ACL_Name>
snmp-server group <Group_Name> v3 priv read ipv4 <Extended_ACL_Name> write ipv4 <Extended_ACL_Name> notify ipv4 <Extended_ACL_Name>
! md5/des below only mirror the advisory's example; on real devices prefer auth sha and priv aes 128
snmp-server user <User_Name> <Group_Name> v3 encrypted auth md5 <auth_md5_passphrase> priv des <priv_des_passphrase>
!
ip access-list extended <Extended_ACL_Name>
 remark This ACL should have ipv4 rules only
 deny ip any any
----------- /Code Snippet -----------
Details
The root cause of CVE-2024-20373 is that Cisco IOS Software and Cisco IOS XE Software do not support extended IPv4 ACLs for SNMP. The CLI nevertheless accepts a named extended IPv4 ACL on the snmp-server community and snmp-server group commands without any warning, and the result is that no ACL at all is applied to the SNMP listening process: the source-address restriction the administrator believes is in place simply does not exist. An attacker exploits this by polling the affected device over SNMP from an address the ACL was meant to deny. The attacker has no control over the SNMP ACL configuration; the bypass is entirely a consequence of the device's own accepted-but-ignored configuration.
Exploitation still requires a valid SNMPv2c community string or valid SNMPv3 user credentials; what the bug removes is the second layer, the source-address filter. With those credentials the attacker can perform SNMP operations (reads, and writes where a community or group is RW) that the ACL should have denied, so weak, default or widely shared community strings turn this from a defense-in-depth failure into a real exposure. SNMP with IPv6 ACL configurations is not affected. A quick check from a host whose address the extended ACL should deny: if an SNMP GET of sysDescr.0 with the configured community string returns data, the ACL is not being applied, whereas a device with a standard ACL in the same position does not answer at all. On the device side, show running-config | include snmp-server lists every community and group binding together with the ACL name it references.
Original References
1. Cisco's official security advisory for CVE-2024-20373, which lists the affected and fixed releases
2. Cisco's official product pages for Cisco IOS Software and Cisco IOS XE Software
3. The CVE Details entry for CVE-2024-20373
Mitigation
As a workaround, bind a standard IPv4 ACL to the snmp-server community and snmp-server group commands instead of an extended one; standard ACLs are applied to the SNMP process as intended. Because a standard ACL matches on source address only, it expresses exactly the restriction SNMP needs here, namely which management stations may poll the device. Audit existing configurations for any snmp-server line that references an ACL defined with ip access-list extended, since an affected device gives no warning in its CLI or logs. Finally, upgrade to a fixed release of Cisco IOS Software or Cisco IOS XE Software as identified in Cisco's advisory, and keep checking for updates.
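To make the root cause in the Details section and the standard-ACL workaround above concrete, here is an added configuration audit script. It is not Cisco tooling and not part of the original post: it reads an IOS/IOS XE style configuration, finds every snmp-server community or group line that binds an IPv4 ACL, resolves whether that ACL is standard or extended, and reports the bindings the SNMP listener will silently ignore. The two sample configurations, the ACL names and the 192.0.2.10 management address are constructed for the example. The parser covers the ipv4 <acl> form shown in the advisory, the group access <acl> form and the legacy trailing-ACL form of the community command, not every IOS syntax variant; and because the advisory documents the named extended form, flagging numbered extended ACLs (100-199, 2000-2699) as unenforced is an assumption made here for review rather than something the advisory states.

```python
"""Audit a Cisco IOS / IOS XE config for SNMP IPv4 ACL bindings that the SNMP
listener silently ignores (the CVE-2024-20373 pattern): an snmp-server
community or group bound to an *extended* IPv4 ACL. Only standard ACLs
(named, or numbered 1-99 / 1300-1999) are applied to SNMP.
Added illustration, not Cisco tooling; all sample configs are constructed."""
import re
from dataclasses import dataclass

STANDARD_NUMBERED = ((1, 99), (1300, 1999))   # IOS standard ACL ranges
EXTENDED_NUMBERED = ((100, 199), (2000, 2699))  # IOS extended ACL ranges (assumed ignored too)

@dataclass
class Finding:
    line: str       # snmp-server line that binds the ACL
    acl: str        # ACL name or number it references
    acl_type: str   # "standard", "extended", "unknown" or "missing"
    enforced: bool  # True only when IOS really applies it to SNMP

def numbered_acl_type(n: int) -> str:
    """Classify a numbered ACL by the IOS number ranges."""
    if any(lo <= n <= hi for lo, hi in STANDARD_NUMBERED):
        return "standard"
    if any(lo <= n <= hi for lo, hi in EXTENDED_NUMBERED):
        return "extended"
    return "unknown"

def acl_types(config: str) -> dict:
    """Map every ACL defined in the config to 'standard' or 'extended'."""
    types = {}
    for m in re.finditer(r"^ip access-list (standard|extended) (\S+)", config, re.M):
        types[m.group(2)] = m.group(1)
    for m in re.finditer(r"^access-list (\d+) ", config, re.M):
        types[m.group(1)] = numbered_acl_type(int(m.group(1)))
    return types

def referenced_acls(line: str) -> list:
    """IPv4 ACLs bound by one snmp-server community/group line: the explicit
    'ipv4 <acl>' form from the advisory, the group 'access <acl>' form, and
    the legacy trailing ACL of the community command. IPv6 ACLs are skipped
    because that path is not affected."""
    toks, acls, i = line.split(), [], 0
    while i < len(toks) - 1:
        if toks[i] == "ipv6":
            i += 2                      # skip 'ipv6 <acl>'
        elif toks[i] == "ipv4" or (toks[i] == "access" and toks[i + 1] not in ("ipv4", "ipv6")):
            acls.append(toks[i + 1])
            i += 2
        else:
            i += 1
    if not acls and toks[1] == "community" and len(toks) > 3:
        last = toks[-1]                 # legacy: ACL is the trailing token
        if last.upper() not in ("RO", "RW") and toks[-2] not in ("view", "ipv6"):
            acls.append(last)
    return acls

def audit(config: str) -> list:
    """One Finding per (snmp-server line, ACL) binding in the config."""
    types, findings = acl_types(config), []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(("snmp-server community ", "snmp-server group ")):
            for acl in referenced_acls(line):
                kind = types.get(acl, "missing")
                # Only a standard ACL is actually applied to the SNMP listener.
                findings.append(Finding(line, acl, kind, kind == "standard"))
    return findings

# Constructed sample: the advisory's vulnerable pattern (named extended ACL).
VULNERABLE_CONFIG = """\
snmp-server community monitor-ro RO ipv4 SNMP-EXT
snmp-server group NMS-GROUP v3 priv read ipv4 SNMP-EXT write ipv4 SNMP-EXT notify ipv4 SNMP-EXT
!
ip access-list extended SNMP-EXT
 remark constructed sample: only the NMS 192.0.2.10 may poll
 permit ip host 192.0.2.10 any
 deny ip any any
"""

# Constructed sample: the workaround, the same intent as standard ACLs
# (one named, one numbered in the legacy trailing-argument form).
FIXED_CONFIG = """\
snmp-server community monitor-ro RO SNMP-STD
snmp-server group NMS-GROUP v3 priv access SNMP-STD
snmp-server community legacy-ro RO 10
!
ip access-list standard SNMP-STD
 remark constructed sample: only the NMS 192.0.2.10 may poll
 permit 192.0.2.10
 deny any
access-list 10 permit 192.0.2.10
"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        bad = [f for f in audit(cfg) if not f.enforced]
        print(f"{name}: {len(bad)} SNMP ACL binding(s) silently ignored")
        for f in bad:
            print(f"  {f.acl} ({f.acl_type}) on: {f.line}")
```

Run against a saved show running-config, the vulnerable sample yields four ignored bindings (one on the community, three on the group) and the fixed sample none. An ACL that is referenced but never defined is reported as "missing" and treated as unenforced, since there is nothing for the listener to match; that case is worth a manual look as well.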
Conclusion
CVE-2024-20373 is a vulnerability in the SNMP IPv4 ACL implementation of Cisco IOS Software and Cisco IOS XE Software: a named extended IPv4 ACL bound to SNMP is accepted by the CLI and silently ignored, so a remote attacker who holds a valid community string or SNMPv3 credentials can poll the device, and perform SNMP operations that should have been denied, from addresses the ACL was meant to block. Administrators should check their SNMP configuration for extended ACLs, switch to standard ACLs as the workaround, and move to a fixed software release.
Timeline
Published on: 11/15/2024 15:15:06 UTC