CVE-2023-20089
📋 TL;DR
An unauthenticated attacker on the same Layer 2 link can send crafted LLDP frames to a Cisco Nexus 9000 Series Fabric Switch running in ACI mode. Processing the frames leaks memory; a sustained stream exhausts it until the switch reloads unexpectedly, causing a denial of service. LLDP frames are link-local and are not forwarded by bridges or routers, so the attacker must be directly adjacent to an LLDP-enabled interface on the target.
💻 Affected Systems
- Cisco Nexus 9000 Series Fabric Switches running in ACI mode (leaf and spine switches managed by APIC)
📦 What is this software?
Cisco NX-OS, the network operating system of the Nexus switch family. The affected variant is the ACI-mode image that runs on Nexus 9000 Series Fabric Switches under APIC control.
⚠️ Risk & Real-World Impact
Worst Case
Critical network infrastructure becomes unavailable due to device reloads, causing extended service outages and business disruption.
Likely Case
Targeted switches experience unexpected reloads during attack periods, causing intermittent network outages until the attack stops or mitigation is applied.
If Mitigated
With LLDP disabled on interfaces where it is not needed, the exposed surface shrinks. In ACI that means host-facing ports only: the fabric links between leaf, spine and APIC rely on LLDP for fabric discovery and cannot have it turned off. With the fixed release installed, the leak no longer occurs.
🎯 Exploit Status
Exploitation requires only the ability to put crafted LLDP frames onto a link attached to an LLDP-enabled interface; any host with raw-socket access on that link can do so, and no authentication is needed. The limiting factor is adjacency, not skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: see the Cisco Security Advisory below for the first fixed ACI-mode release
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-lldp-dos-ySCNZOpX
Restart Required: Yes
Instructions:
1. Review the Cisco Security Advisory to confirm whether the running ACI release is affected.
2. Download the fixed ACI-mode software image from Cisco.
3. Schedule a maintenance window; the upgrade reloads the switch.
4. After the reload, confirm the running release matches a fixed release listed in the advisory.
🔧 Temporary Workarounds
Disable LLDP on unnecessary interfaces
Reduces attack surface by disabling LLDP on interfaces where it is not required for network operation. Note that switches in ACI mode are configured from the APIC, not from the switch CLI: the commands below are standalone NX-OS syntax, and the ACI equivalent is an LLDP interface policy with receive and transmit state set to disabled, applied through an interface policy group to the host-facing ports. Do not disable LLDP on fabric (leaf-spine or APIC-facing) ports.
configure terminal
interface <interface-id>
no lldp transmit
no lldp receive
end
copy running-config startup-config
🧯 If You Can't Patch
- Restrict which hosts can attach to LLDP-enabled ports. LLDP frames are sent to a link-local multicast address that compliant bridges do not forward, so the attacker must sit on the directly attached link, which includes a hypervisor or unmanaged switch that relays LLDP from untrusted guests.
- Monitor for anomalous LLDP traffic (high frame rates from a single source, malformed TLVs) and for unexpected reloads or memory alerts on the fabric switches.
🔍 How to Verify
Check if Vulnerable:
Check if device is Cisco Nexus 9000 Series running in ACI mode with LLDP enabled on interfaces
Check Version:
show version | include NX-OS
Verify Fix Applied:
Compare the running release against the fixed releases listed in the Cisco advisory and confirm the device stays stable under normal LLDP load. On an ACI fabric the running image of every node is also listed in the APIC under Admin > Firmware.
📡 Detection & Monitoring
Log Indicators:
- Unexpected device reloads
- Memory allocation failures
- LLDP process crashes
Network Indicators:
- Unusual volume of LLDP packets from single source
- Malformed LLDP packets
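The two network indicators above, a flood of LLDP frames from one source and malformed LLDPDUs, can be checked directly on a capture. The following is an added example, not code from the page or from Cisco: a minimal parser for the LLDP TLV format (IEEE 802.1AB: 7-bit type, 9-bit length, value; Chassis ID, Port ID and TTL first; End of LLDPDU last) plus a sliding-window rate check per source MAC. The frames, MAC addresses, timestamps and the threshold of 10 frames per 60 seconds are constructed for the example; a real LLDP advertiser sends roughly one frame every 30 seconds.

```python
import struct
from collections import defaultdict

LLDP_ETHERTYPE = 0x88CC
LLDP_MCAST = bytes.fromhex("0180c200000e")  # 01:80:c2:00:00:0e, link-local, not bridged
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3


def tlv(tlv_type, value):
    """Encode one LLDP TLV: 7-bit type and 9-bit length in a 16-bit header, then the value."""
    return struct.pack("!H", (tlv_type << 9) | (len(value) & 0x1FF)) + value


def lldp_frame(src_mac, tlvs):
    """Build an Ethernet frame carrying an LLDPDU (used only to construct test input)."""
    return LLDP_MCAST + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + b"".join(tlvs)


def parse_lldp(frame):
    """Walk the TLVs of one frame. Returns (src_mac, tlvs, problems), or None if not LLDP."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != LLDP_ETHERTYPE:
        return None
    src = frame[6:12].hex(":")
    tlvs, problems, off, ended = [], [], 14, False
    while off + 2 <= len(frame):
        hdr = struct.unpack("!H", frame[off:off + 2])[0]
        t, ln = hdr >> 9, hdr & 0x1FF
        if off + 2 + ln > len(frame):
            problems.append(f"TLV type {t} declares {ln} bytes but only {len(frame) - off - 2} remain")
            break
        tlvs.append((t, frame[off + 2:off + 2 + ln]))
        off += 2 + ln
        if t == TLV_END:
            ended = True
            break
    if not ended:
        problems.append("no End of LLDPDU TLV")
    # 802.1AB requires Chassis ID, Port ID and TTL first, in that order
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        problems.append("mandatory Chassis ID/Port ID/TTL TLVs missing or out of order")
    for t, v in tlvs:
        if t == TLV_TTL and len(v) != 2:
            problems.append(f"TTL TLV has length {len(v)}, expected 2")
    return src, tlvs, problems


def detect(capture, window=60.0, max_per_window=10):
    """capture: list of (timestamp_seconds, frame_bytes). Returns {src_mac: [alert, ...]}."""
    alerts = defaultdict(list)
    seen = defaultdict(list)  # src -> timestamps of its LLDP frames inside the current window
    rate_flagged = set()
    for ts, frame in sorted(capture, key=lambda x: x[0]):
        parsed = parse_lldp(frame)
        if parsed is None:
            continue  # not LLDP, ignore
        src, _, problems = parsed
        for p in problems:
            alerts[src].append(f"malformed LLDP at t={ts:.1f}: {p}")
        times = seen[src]
        times.append(ts)
        while times and ts - times[0] > window:  # slide the window forward
            times.pop(0)
        if len(times) > max_per_window and src not in rate_flagged:
            rate_flagged.add(src)
            alerts[src].append(f"{len(times)} LLDP frames in {window:.0f}s from one source at t={ts:.1f}")
    return dict(alerts)


# Constructed sample capture (hypothetical MACs): host A advertises normally every 30 s,
# host B sends 40 frames in 4 s, every fourth one with a Port ID TLV whose length field lies.
HOST_A = bytes.fromhex("0011223344aa")
HOST_B = bytes.fromhex("deadbeef0001")
GOOD_TLVS = [
    tlv(TLV_CHASSIS_ID, b"\x04" + HOST_A),          # subtype 4 = MAC address
    tlv(TLV_PORT_ID, b"\x05eth0"),                  # subtype 5 = interface name
    tlv(TLV_TTL, struct.pack("!H", 120)),
    tlv(TLV_END, b""),
]


def sample_capture():
    cap = [(t, lldp_frame(HOST_A, GOOD_TLVS)) for t in (0.0, 30.0, 60.0)]
    for i in range(40):
        tlvs = list(GOOD_TLVS)
        if i % 4 == 0:
            tlvs[1] = struct.pack("!H", (TLV_PORT_ID << 9) | 200) + b"\x05eth0"  # claims 200 bytes
        cap.append((1.0 + i * 0.1, lldp_frame(HOST_B, tlvs)))
    return cap


if __name__ == "__main__":
    for src, msgs in detect(sample_capture()).items():
        print(src, len(msgs), "alerts; first:", msgs[0])
```

Host A produces no alerts; host B is flagged once for rate and once per defect for each truncated frame. The parser stops at the first TLV whose length runs past the frame, which is the right behaviour for a monitor: the point is to flag the frame, not to guess at what follows.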
SIEM Query:
source="switch_logs" AND ("reload" OR "memory" OR "lldp") AND severity<=4
Note on the severity term: NX-OS syslog messages carry the standard syslog level in the %FACILITY-SEVERITY-MNEMONIC header, where 0 is emergency and 7 is debug, so "warning or worse" is severity less than or equal to 4, not greater than or equal to. A bare keyword match on "lldp" will also return routine neighbor add/remove notices at severity 5; the threshold is what separates those from crashes and memory alerts.
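Run over sample lines, the log-side check looks like the following. This is an added example and not the page's or Cisco's code; the log lines are constructed in NX-OS syslog style (hostname, then %FACILITY-SEVERITY-MNEMONIC: text) and the PIDs, hostname and chassis IDs are hypothetical. It parses the header, keeps only messages at warning level or more severe (numeric level 4 or lower), and then applies the keyword filter, so a routine neighbor-discovery notice about LLDP is not mistaken for an incident.

```python
import re

# NX-OS syslog header: %FACILITY-SEVERITY-MNEMONIC:  severity is the syslog level,
# 0 = emergency .. 7 = debug, so LOWER numbers are MORE severe.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)
WARNING = 4
KEYWORDS = ("lldp", "reload", "memory")


def parse_nxos_line(line):
    """Extract facility, numeric severity, mnemonic and free text; None if no NX-OS header."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {
        "facility": m["facility"],
        "severity": int(m["sev"]),
        "mnemonic": m["mnemonic"],
        "text": m["text"],
    }


def is_suspicious(msg, max_severity=WARNING):
    """Warning-or-worse AND mentions LLDP, reload or memory anywhere in the message."""
    if msg["severity"] > max_severity:  # notice/info/debug: routine, drop it
        return False
    haystack = f"{msg['facility']} {msg['mnemonic']} {msg['text']}".lower()
    return any(k in haystack for k in KEYWORDS)


def triage(lines):
    """Return (severity, facility, mnemonic) for every line worth an analyst's attention."""
    hits = []
    for line in lines:
        msg = parse_nxos_line(line)
        if msg and is_suspicious(msg):
            hits.append((msg["severity"], msg["facility"], msg["mnemonic"]))
    return hits


# Constructed sample log (hypothetical hostname, PIDs and neighbor IDs).
SAMPLE_LOG = [
    "2023 Mar 01 12:00:01 leaf101 %LLDP-5-SERVER_ADDED: Server with Chassis ID 0011.2233.44aa "
    "Port ID eth0 discovered on local port Eth1/10",
    "2023 Mar 01 12:04:17 leaf101 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin",
    "2023 Mar 01 12:09:40 leaf101 %PLATFORM-2-MEMORY_ALERT: Memory Status Alert : MINOR",
    "2023 Mar 01 12:11:02 leaf101 %SYSMGR-2-SERVICE_CRASHED: Service \"lldp\" (PID 4711) "
    "hasn't caught signal 11 (core will be saved).",
    "random line with the word memory but no NX-OS header",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

The first line mentions LLDP but is a severity-5 notice and is correctly dropped; the memory alert and the lldp service crash at severity 2 are the two that surface. Wire the same threshold direction into the SIEM query, or the search will return the noise and miss the signal.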