CVE-2024-20465
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to bypass configured IPv4 access control lists on affected Cisco switches when Resilient Ethernet Protocol is toggled. It affects Cisco Industrial Ethernet 4000, 4010, and 5000 Series Switches running vulnerable IOS Software versions. Attackers can send traffic that should be blocked by ACLs.
💻 Affected Systems
- Cisco Industrial Ethernet 4000 Series Switches
- Cisco Industrial Ethernet 4010 Series Switches
- Cisco Industrial Ethernet 5000 Series Switches
📦 What is this software?
IOS by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Attackers bypass all network segmentation and access controls, potentially accessing restricted systems, exfiltrating data, or launching attacks from trusted network segments.
Likely Case
Attackers bypass specific ACL rules to access resources they shouldn't, potentially reaching management interfaces or sensitive systems protected by ACLs.
If Mitigated
With proper network segmentation and defense-in-depth, impact is limited to specific VLANs or segments where ACL bypass occurs.
🎯 Exploit Status
Exploitation requires sending traffic through an affected device after REP has been toggled. No authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Cisco Security Advisory for specific fixed releases per platform
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-repacl-9eXgnBpD
Restart Required: Yes
Instructions:
1. Review the Cisco Security Advisory for affected versions.
2. Upgrade to a fixed IOS Software release.
3. Reboot the switch to apply the update.
🔧 Temporary Workarounds
Avoid REP Toggling
Do not enable and disable Resilient Ethernet Protocol on switched virtual interfaces with IPv4 ACLs configured.
Implement Additional Controls
Use additional firewall rules, network segmentation, or intrusion prevention systems to monitor and block unauthorized traffic.
🧯 If You Can't Patch
- Isolate affected switches from critical network segments
- Implement strict monitoring for ACL bypass attempts and unauthorized traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check whether the device is an affected model running a vulnerable IOS Software version, with REP configured on SVIs that have IPv4 ACLs applied.
Check Version:
show version
Verify Fix Applied:
Verify that the IOS Software version is a fixed release, then confirm the ACL still drops traffic it should block after REP is enabled or disabled.
📡 Detection & Monitoring
Log Indicators:
- ACL deny logs missing for traffic that should be blocked
- Unexpected traffic patterns through REP segments
Network Indicators:
- Traffic flowing through ACL-protected interfaces that should be blocked
- REP state changes followed by ACL violations
SIEM Query:
Search for ACL deny rule misses on affected switch models after REP interface state changes
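The correlation described above, as an added example that is not part of the original page or of Cisco's tooling: it parses switch syslog for REP state changes and logged ACL denies, compares forwarded flow records against the ACL the switch should enforce, and flags any should-have-been-denied flow that was forwarded without a deny log, marking whether a REP change preceded it. The host names, flow records, ACL entries and timestamps are constructed; the `%SEC-6-IPACCESSLOGP` format is the standard IOS ACL-logging message, while the `%REP-` message text and the `rep_window` and `log_slack` values are assumptions to adjust for your own environment.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed policy: the IPv4 ACL the switch is expected to enforce on the SVI.
# Entries are evaluated first-match, as on IOS; real entries would come from
# 'show ip access-lists'. These lines are made up for the example.
ACL_MGMT_IN = [
    ("permit", "10.10.0.0/24", "10.10.0.1/32", None),  # management VLAN may reach the SVI
    ("deny",   "0.0.0.0/0",    "10.10.0.1/32", 22),    # everyone else: no SSH
    ("deny",   "0.0.0.0/0",    "10.10.0.1/32", 443),   # and no HTTPS
    ("permit", "0.0.0.0/0",    "0.0.0.0/0",    None),
]

def acl_action(acl, src, dst, dport):
    """Return the action the ACL should apply (implicit deny at the end, as on IOS)."""
    for action, src_net, dst_net, port in acl:
        if (ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net)
                and (port is None or port == dport)):
            return action
    return "deny"

# %SEC-6-IPACCESSLOGP is the standard IOS ACL-logging message. Matching on a
# '%REP-' prefix is an ASSUMPTION about REP link/role-change messages; check
# the exact mnemonic your switches emit before relying on it.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<mnemonic>%[A-Z0-9_-]+): (?P<body>.*)$")
ACL_DENY_RE = re.compile(
    r"list (?P<acl>\S+) denied \w+ (?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

def parse_syslog(text):
    """Collect REP state-change timestamps per host and every logged ACL deny."""
    rep_events, deny_logs = {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        if m["mnemonic"].startswith("%REP-"):
            rep_events.setdefault(m["host"], []).append(ts)
        elif m["mnemonic"] == "%SEC-6-IPACCESSLOGP":
            d = ACL_DENY_RE.search(m["body"])
            if d:
                deny_logs.append((m["host"], ts, d["src"], d["dst"], int(d["dport"])))
    return rep_events, deny_logs

@dataclass
class Flow:
    """A flow the switch actually forwarded (e.g. NetFlow seen beyond the SVI); constructed."""
    ts: datetime
    host: str
    src: str
    dst: str
    dport: int

def find_acl_bypasses(syslog_text, flows, acl, rep_window=timedelta(minutes=15),
                      log_slack=timedelta(seconds=60)):
    """Flag forwarded flows the ACL should have denied that produced no deny log,
    and note whether a REP state change on that switch preceded them (assumed windows)."""
    rep_events, deny_logs = parse_syslog(syslog_text)
    findings = []
    for f in flows:
        if acl_action(acl, f.src, f.dst, f.dport) != "deny":
            continue  # policy allows this flow; nothing to check
        logged = any(h == f.host and s == f.src and d == f.dst and p == f.dport
                     and abs(f.ts - t) <= log_slack
                     for h, t, s, d, p in deny_logs)
        if logged:
            continue  # the ACL enforced the deny and said so
        after_rep = any(timedelta(0) <= f.ts - r <= rep_window
                        for r in rep_events.get(f.host, []))
        findings.append({"host": f.host, "ts": f.ts.isoformat(), "src": f.src,
                         "dst": f.dst, "dport": f.dport, "after_rep_change": after_rep})
    return findings

# Constructed sample syslog: the REP line's wording is assumed, not vendor text.
SAMPLE_SYSLOG = """\
2024-10-02T10:00:01 ie4000-plant1 %REP-4-LINKSTATUS: GigabitEthernet1/1 (segment 1) is non-operational
2024-10-02T10:00:05 ie4000-plant1 %SEC-6-IPACCESSLOGP: list MGMT-IN denied tcp 10.20.0.5(41000) -> 10.10.0.1(22), 1 packet
2024-10-02T10:00:40 ie4000-plant1 %SEC-6-IPACCESSLOGP: list MGMT-IN denied tcp 10.20.0.5(41001) -> 10.10.0.1(22), 1 packet
2024-10-02T11:15:00 ie5000-yard %SEC-6-IPACCESSLOGP: list MGMT-IN denied tcp 10.30.0.9(50000) -> 10.10.0.1(443), 1 packet
"""

# Constructed forwarded flows as a collector might report them.
SAMPLE_FLOWS = [
    Flow(datetime(2024, 10, 2, 10, 0, 5),  "ie4000-plant1", "10.20.0.5", "10.10.0.1", 22),   # denied and logged
    Flow(datetime(2024, 10, 2, 10, 2, 0),  "ie4000-plant1", "10.20.0.5", "10.10.0.1", 22),   # forwarded after REP change, no deny log
    Flow(datetime(2024, 10, 2, 10, 3, 0),  "ie4000-plant1", "10.10.0.7", "10.10.0.1", 22),   # permitted by policy
    Flow(datetime(2024, 10, 2, 11, 15, 0), "ie5000-yard",   "10.30.0.9", "10.10.0.1", 443),  # denied and logged
    Flow(datetime(2024, 10, 2, 12, 0, 0),  "ie5000-yard",   "10.30.0.9", "10.10.0.1", 443),  # forwarded, no REP change seen
]

if __name__ == "__main__":
    for finding in find_acl_bypasses(SAMPLE_SYSLOG, SAMPLE_FLOWS, ACL_MGMT_IN):
        print(finding)
```

Findings with `after_rep_change` set are the ones that match the advisory's pattern; a finding without it still means the ACL was not enforced as configured and deserves the same follow-up. Absence of deny logs alone is not evidence, which is why the rule needs forwarded-flow data from beyond the SVI rather than only the switch's syslog.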