CVE-2023-20200

7.7 HIGH

📋 TL;DR

A vulnerability in Cisco FXOS Software and UCS 6300 Series Fabric Interconnects allows an authenticated, remote attacker to cause a denial of service (DoS) by sending crafted SNMP requests. It affects all supported SNMP versions and requires knowledge of the SNMP community string (v2c and earlier) or valid SNMP credentials (v3). Successful exploitation causes the affected device to reload, disrupting network services.

💻 Affected Systems

Products:
  • Cisco Firepower 4100 Series
  • Cisco Firepower 9300 Security Appliances
  • Cisco UCS 6300 Series Fabric Interconnects
Versions: All versions of Cisco FXOS Software for affected products
Operating Systems: Cisco FXOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all supported SNMP versions (v1, v2c, v3). SNMP must be enabled and accessible to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device reload causing extended service disruption, potentially affecting entire network segments or data center operations.

🟠 Likely Case

Temporary service interruption during device reload, lasting several minutes, with potential cascading effects on dependent services.

🟢 If Mitigated

Minimal impact if SNMP access is properly restricted and monitored, with quick recovery from reload.

🌐 Internet-Facing: MEDIUM - Requires authentication/community string knowledge, but SNMP services exposed to internet are vulnerable if credentials are compromised.
🏢 Internal Only: HIGH - Internal attackers with SNMP access can easily exploit this to disrupt critical network infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires SNMP access with valid credentials or community strings. Attack is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Cisco Security Advisory for specific fixed versions

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fp-ucsfi-snmp-dos-qtv69NAO

Restart Required: Yes

Instructions:

1. Review the Cisco Security Advisory for affected versions.
2. Download and apply the appropriate firmware update.
3. Reboot affected devices after patching.
4. Verify SNMP functionality post-update.

🔧 Temporary Workarounds

Disable SNMP Service

Applies to: all

Completely disable SNMP service on affected devices if not required for monitoring.

no snmp-server enable

Restrict SNMP Access

Applies to: all

Limit SNMP access to trusted management networks using ACLs.

snmp-server community [community-string] ro [acl-name]
access-list [acl-name] permit [trusted-network]

🧯 If You Can't Patch

  • Implement strict network segmentation to limit SNMP access to management networks only
  • Monitor SNMP traffic for anomalous patterns and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Check the device version against the affected versions listed in the Cisco Security Advisory, and verify that SNMP is enabled and reachable on the device.

Check Version:

show version

Verify Fix Applied:

Confirm device is running patched firmware version. Test SNMP functionality with legitimate queries.

📡 Detection & Monitoring

Log Indicators:

  • Device reload events without clear cause
  • Multiple failed SNMP authentication attempts followed by reload
  • SNMP request logs showing malformed or unusual requests

Network Indicators:

  • Unusual SNMP traffic patterns to affected devices
  • SNMP requests from unexpected sources
  • Device becoming unresponsive after SNMP traffic

SIEM Query:

(source="cisco-firepower" OR source="cisco-ucs") AND (event_type="reload" OR (message="*SNMP*" AND (message="*malformed*" OR message="*error*")))
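The log indicator above ("multiple failed SNMP authentication attempts followed by reload") can also be checked offline against exported syslog. The following is an added example, not part of the advisory or of any Cisco tooling; the log line format, host names and addresses are constructed for illustration, and the regex would need to be adapted to the real FXOS/UCS syslog format.

```python
# Added example: correlate SNMP authentication failures with a subsequent
# reload on the same host, within a time window. Log format is constructed.
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (hypothetical format, not real FXOS output).
SAMPLE_LOGS = """\
2024-03-01T10:00:05Z fxos-fw1 snmpd: SNMP authentication failure from 10.9.8.7
2024-03-01T10:00:06Z fxos-fw1 snmpd: SNMP authentication failure from 10.9.8.7
2024-03-01T10:00:07Z fxos-fw1 snmpd: SNMP authentication failure from 10.9.8.7
2024-03-01T10:02:30Z fxos-fw1 kernel: system reload initiated
2024-03-01T11:00:00Z ucs-fi-a snmpd: SNMP authentication failure from 10.1.1.5
2024-03-01T15:30:00Z ucs-fi-a kernel: system reload initiated
"""

# timestamp, host, process:, message
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+:\s+(.*)$")


def parse(line):
    """Return (timestamp, host, message) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3)


def find_suspicious_reloads(log_text, min_failures=3, window=timedelta(minutes=10)):
    """Return (host, reload_time, failure_count) for every reload preceded by
    at least `min_failures` SNMP auth failures on the same host within `window`."""
    failures = {}  # host -> list of failure timestamps seen so far
    hits = []
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        ts, host, msg = rec
        if "SNMP authentication failure" in msg:
            failures.setdefault(host, []).append(ts)
        elif "reload" in msg.lower():
            recent = [t for t in failures.get(host, []) if ts - window <= t <= ts]
            if len(recent) >= min_failures:
                hits.append((host, ts, len(recent)))
    return hits


if __name__ == "__main__":
    for host, when, n in find_suspicious_reloads(SAMPLE_LOGS):
        print(f"{host}: reload at {when} after {n} SNMP auth failures")
```

With the sample data only fxos-fw1 is flagged; the ucs-fi-a reload falls hours after its single auth failure and is ignored.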
