Vulnslist

find the latest Cisco vulnerabilities

Cisco Nexus 3000 and 9000 Series Switches Port Channel ACL Programming Vulnerability

cisco-sa-nxos-po-acl-TkyePgvL · Medium · Published · Updated

A vulnerability in the access control list (ACL) programming for port channel subinterfaces of Cisco Nexus 3000 and 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to send traffic that should be blocked through an affected device. This vulnerability is due to incorrect hardware programming that occurs when configuration changes are made to port channel member ports. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to access network resources that should be protected by an ACL that was applied on port channel subinterfaces. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-po-acl-TkyePgvL This advisory is part of the February 2024 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: February 2024 Semiannual Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.

Cisco advisory ·CSAF JSON

Workarounds

There are workarounds that address this vulnerability.

After performing configuration changes to port channel member ports, verify whether the ACL programming is affected on any port channel subinterface, as shown in the Vulnerable Products ["#vp"] section of this advisory. Proper ACL programming can be restored on any affected port channel subinterface by removing and reapplying the associated ip access-group configuration command. Reloading an affected device would also fix the ACL programming for all affected subinterfaces.

While these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

CVEsCVE-2024-20291
Cisco Bug IDsCSCwf47127
CVSS ScoreBase 5.8
Base 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X
Product Names From Source
Cisco NX-OS Software 9.3(10), Cisco NX-OS Software 9.3(11), Cisco NX-OS Software 9.3(12), Cisco NX-OS Software, Cisco Nexus 3000 Series Switches, Cisco Nexus 9000 Series Switches

Related Products

Product CVE Evidence
Cisco Nexus Dashboard CVE-2024-20291 Cisco OpenVuln
Cisco Firepower Extensible Operating System (FXOS) CVE-2024-20291 Cisco OpenVuln
Cisco Catalyst PON Series Switches CVE-2024-20291 Cisco OpenVuln
Cisco Nexus 9000 Series Switches CVE-2024-20291 Cisco OpenVuln
Cisco Nexus 3000 Series Switches CVE-2024-20291 Cisco OpenVuln
Cisco Nexus 3000 Series Switch CVE-2024-20291 Cisco OpenVuln
Cisco NX-OS Software CVE-2024-20291 Cisco OpenVuln