CVE-2024-20446
📋 TL;DR
An unauthenticated remote attacker can send a specially crafted DHCPv6 packet to cause the dhcp_snoop process to crash repeatedly, leading to device reload and denial of service. This affects Cisco NX-OS devices with DHCPv6 relay agent functionality enabled. Network administrators using affected Cisco switches/routers are impacted.
💻 Affected Systems
- Cisco Nexus 3000 Series Switches
- Cisco Nexus 9000 Series Switches in standalone NX-OS mode
- Cisco Nexus 9500 R-Series Line Cards and Fabric Modules
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device reload causing extended network outage, affecting all services running on the device
Likely Case
Device reload causing temporary service disruption until process restarts
If Mitigated
Minimal impact if workarounds are implemented or vulnerable feature is disabled
🎯 Exploit Status
Exploitation requires sending crafted DHCPv6 packets to any IPv6 address on the device. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple fixed versions available - refer to Cisco advisory for specific version mapping
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-dhcp6-relay-dos-znEAA6xn
Restart Required: Yes
Instructions:
1. Check the current NX-OS version.
2. Download the appropriate fixed software from Cisco.
3. Follow the Cisco NX-OS upgrade procedures.
4. Reboot the device after the upgrade.
🔧 Temporary Workarounds
Disable DHCPv6 Relay Agent
Disable the DHCPv6 relay agent feature if it is not required (NX-OS configuration commands):
no ipv6 dhcp relay
no ipv6 dhcp relay information option
🧯 If You Can't Patch
- Implement ACLs to block DHCPv6 traffic from untrusted sources
- Disable IPv6 on interfaces where not required or use IPv4-only networks
🔍 How to Verify
Check if Vulnerable:
Check whether DHCPv6 relay is configured with 'show running-config | include dhcp' (look for 'ipv6 dhcp relay' lines), then compare the running NX-OS version against the fixed versions listed in the Cisco advisory.
Check Version:
show version | include NXOS
Verify Fix Applied:
Confirm that the running NX-OS version is one listed as fixed in the Cisco advisory. After the upgrade the DHCPv6 relay configuration should still be present, and the dhcp_snoop process should no longer crash when handling DHCPv6 traffic.
📡 Detection & Monitoring
Log Indicators:
- dhcp_snoop process crashes
- Device reload messages
- DHCPv6 packet parsing errors
Network Indicators:
- Unusual DHCPv6 traffic patterns
- Crafted DHCPv6 RELAY-REPLY messages
SIEM Query:
source="nxos" AND ("dhcp_snoop" OR "RELOAD") AND ("crash" OR "restart")
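As an added example (not part of this page or of any Cisco tooling), the following Python script automates the "How to Verify" configuration check and the "Detection & Monitoring" log indicators above. The command output and syslog lines are constructed samples; their message formats are illustrative and not captured from a real device.

```python
import re

# Constructed sample output of `show running-config | include dhcp` from a
# device with the DHCPv6 relay agent enabled (not real device output).
CONFIG_RELAY_ON = """\
feature dhcp
ipv6 dhcp relay
interface Vlan100
  ipv6 dhcp relay address 2001:db8::53
"""

# Same device after applying the workaround above (constructed).
CONFIG_RELAY_OFF = """\
feature dhcp
no ipv6 dhcp relay
"""

# Constructed syslog lines modelled on the indicators in this section.
SAMPLE_LOG = """\
2024-08-28T10:01:02 nx-sw1 %SYSMGR-2-SERVICE_CRASHED: Service "dhcp_snoop" (PID 1234) hasn't caught signal 11 (core will be saved).
2024-08-28T10:01:05 nx-sw1 %SYSMGR-2-SERVICE_CRASHED: Service "dhcp_snoop" (PID 1250) hasn't caught signal 11 (core will be saved).
2024-08-28T10:01:07 nx-sw1 %ETHPORT-5-IF_UP: Interface Ethernet1/1 is up
2024-08-28T10:01:30 nx-sw1 %PLATFORM-2-PFM_SYSTEM_RESET: System reset requested by sysmgr
"""

# Matches the global relay command and per-interface relay addresses,
# but not "no ipv6 dhcp relay" (the anchor requires the line to start here).
RELAY_RE = re.compile(r"^ipv6 dhcp relay(\s|$)")


def dhcpv6_relay_enabled(config_text: str) -> bool:
    """True if the vulnerable DHCPv6 relay agent feature is in use."""
    return any(RELAY_RE.match(line.strip()) for line in config_text.splitlines())


def dhcp_snoop_indicators(log_text: str) -> dict:
    """Count dhcp_snoop crash lines and device reload lines; alert on a
    repeated crash, or a crash followed by a reload, which is the
    crash-loop-then-reload pattern described for this CVE."""
    crashes = reloads = 0
    for line in log_text.splitlines():
        if "dhcp_snoop" in line and re.search(r"crash|caught signal", line, re.I):
            crashes += 1
        elif re.search(r"reload|system_reset", line, re.I):
            reloads += 1
    return {"crashes": crashes, "reloads": reloads,
            "alert": crashes >= 2 or (crashes > 0 and reloads > 0)}
```

Feed real `show running-config | include dhcp` output and exported syslog into the two functions; a True from the first on an unpatched version means the device is exposed, and an alert from the second is worth correlating with the SIEM query above.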