CVE-2024-20327
📋 TL;DR
An unauthenticated adjacent attacker can crash the ppp_ma process on Cisco ASR 9000 routers running IOS XR with BNG and PPPoE termination, causing denial of service for PPPoE traffic. This affects routers with specific line cards that don't terminate PPPoE but receive crafted PPPoE packets.
💻 Affected Systems
- Cisco ASR 9000 Series Aggregation Services Routers
📦 What is this software?
IOS XR by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Complete DoS for all PPPoE traffic on the router, disrupting broadband subscriber connectivity until process restart or router reboot.
Likely Case
Intermittent PPPoE service disruption affecting multiple subscribers when attacker sends crafted packets to vulnerable interfaces.
If Mitigated
No impact if proper access controls prevent adjacent attackers from reaching vulnerable interfaces or if patches/workarounds are applied.
🎯 Exploit Status
Exploitation requires sending crafted PPPoE packets to specific interfaces from an adjacent network position. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Cisco advisory for specific fixed releases for each IOS XR version
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-pppma-JKWFgneW
Restart Required: Yes
Instructions:
1. Review the Cisco advisory for fixed releases matching your IOS XR version.
2. Schedule a maintenance window.
3. Back up the configuration.
4. Upgrade to the fixed release.
5. Verify ppp_ma process stability.
🔧 Temporary Workarounds
Interface ACL Filtering
Apply an access list that drops PPPoE frames on interfaces that do not terminate PPPoE. PPPoE is carried directly in Ethernet (EtherType 0x8863 for discovery, 0x8864 for session) rather than inside IPv4, so an ipv4 access-list cannot match it; a Layer 2 ethernet-services access list is required. The syntax below follows IOS XR ethernet-services ACL conventions and should be confirmed against the command reference for your platform and release before deployment; never apply it to interfaces that terminate PPPoE subscribers.
ethernet-services access-list PPPOE-FILTER
 10 deny any any 0x8863
 20 deny any any 0x8864
 30 permit any any
interface GigabitEthernet0/0/0/0
 ethernet-services access-group PPPOE-FILTER ingress
🧯 If You Can't Patch
- Implement strict network segmentation to prevent adjacent attackers from reaching vulnerable interfaces
- Deploy intrusion prevention systems to detect and block crafted PPPoE packets
🔍 How to Verify
Check if Vulnerable:
Check the IOS XR version and line card configuration: run 'show version' and confirm whether the router is running BNG with PPPoE termination on Lightspeed/Lightspeed-Plus line cards.
Check Version:
show version | include Cisco IOS XR
Verify Fix Applied:
After the upgrade, confirm the running version is a fixed release and monitor ppp_ma process stability: 'show processes ppp_ma'
📡 Detection & Monitoring
Log Indicators:
- ppp_ma process crashes in system logs
- PPPoE session disconnections
- High CPU/memory usage by ppp_ma before crash
Network Indicators:
- Unusual PPPoE packet patterns to non-PPPoE interfaces
- PPPoE service disruption across multiple subscribers
SIEM Query:
source="router_logs" AND ("ppp_ma" AND (crash OR restart OR abort))
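As an added example (not part of the original page), a small Python detector that applies the same ppp_ma AND (crash OR restart OR abort) filter as the SIEM query above to constructed IOS XR-style syslog lines, then raises one alert per node when the events cluster into a crash loop. The log layout and message texts are constructed for illustration and are not real IOS XR output.

```python
import re
from datetime import datetime, timedelta

# Constructed IOS XR-flavoured syslog lines used as sample input; the message
# texts are illustrative, not real router output.
SAMPLE_LOGS = [
    "RP/0/RSP0/CPU0:Mar 12 10:00:01.000 UTC: sysmgr[1]: %OS-SYSMGR-6-INFO : ppp_ma started",
    "RP/0/RSP0/CPU0:Mar 12 10:14:10.500 UTC: sysmgr[1]: %OS-SYSMGR-3-ERROR : process ppp_ma crashed, core dumped",
    "RP/0/RSP0/CPU0:Mar 12 10:14:12.000 UTC: sysmgr[1]: %OS-SYSMGR-6-INFO : ppp_ma restart attempt 1",
    "RP/0/RSP0/CPU0:Mar 12 10:15:40.000 UTC: sysmgr[1]: %OS-SYSMGR-3-ERROR : process ppp_ma abort signal received",
    "RP/0/RSP0/CPU0:Mar 12 10:16:02.000 UTC: sysmgr[1]: %OS-SYSMGR-6-INFO : ppp_ma restart attempt 2",
    "RP/0/RSP0/CPU0:Mar 12 10:16:30.000 UTC: bgp[1]: %ROUTING-BGP-5-ADJCHANGE : neighbor restart complete",
]

LINE_RE = re.compile(r"^(?P<node>[^:]+):(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\.\d+ \w+: (?P<msg>.*)$")  # node:Mon DD HH:MM:SS.mmm TZ: msg
CRASH_WORDS = ("crash", "restart", "abort")  # same terms as the SIEM query above

def parse_line(line, year=2024):
    """Split a syslog line into node, timestamp and message; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"node": m["node"], "ts": ts, "msg": m["msg"]}

def ppp_ma_events(lines):
    """Keep only ppp_ma lines that mention a crash, restart or abort (other processes are ignored)."""
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev and "ppp_ma" in ev["msg"] and any(w in ev["msg"].lower() for w in CRASH_WORDS):
            events.append(ev)
    return events

def crash_loop_alerts(lines, threshold=3, window_minutes=5):
    """One alert per node whose ppp_ma crash/restart events reach `threshold` inside a sliding window."""
    by_node = {}
    for ev in ppp_ma_events(lines):
        by_node.setdefault(ev["node"], []).append(ev["ts"])
    window = timedelta(minutes=window_minutes)
    alerts = []
    for node, times in by_node.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                alerts.append({"node": node, "first": start, "count": count})
                break  # a single alert per node is enough for triage
    return alerts
```

A single restart after a planned upgrade is expected and stays below the threshold; repeated restarts inside the window are what point at the DoS described above.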