Cisco IOS XR Software Flaw Let Attackers Exhaust Memory, DoS & Elevate Privileges

A critical vulnerability has been identified in the multicast traceroute version 2 (Mtrace2) feature of Cisco IOS XR Software, posing significant risks to network stability and security.

This flaw allows unauthenticated, remote attackers to exhaust the UDP packet memory of affected devices, potentially leading to a denial of service (DoS) condition and privilege escalation.

The vulnerability arises from improper handling of packet memory by the Mtrace2 code. Attackers can exploit this by sending specially crafted packets to the affected device, which can exhaust the device’s incoming UDP packet memory.

This exhaustion prevents the device from processing higher-level UDP-based protocol packets, thereby causing a DoS condition. Notably, this vulnerability can be exploited using both IPv4 and IPv6 protocols.

CVE-2024-20304 affects Cisco IOS XR Software and is related to the handling of specific Ethernet frames on various Cisco Network Convergence System (NCS) platforms. This flaw allows an unauthenticated, adjacent attacker to cause critical priority packets to be dropped, resulting in a denial of service (DoS) condition.

CVE-2024-20317 affects Cisco IOS XR Software, specifically targeting the handling of certain Ethernet frames on various Cisco Network Convergence System (NCS) platforms. This flaw allows an unauthenticated, adjacent attacker to cause critical priority packets to be dropped, leading to a denial of service (DoS) condition.

CVE-2024-20406 is a vulnerability in Cisco IOS XR Software that affects the handling of specific Ethernet frames on various Cisco Network Convergence System (NCS) platforms. This flaw allows an unauthenticated, adjacent attacker to cause critical priority packets to be dropped, resulting in a denial of service (DoS) condition.

CVE-2024-20398 is a vulnerability affecting Cisco IOS XR Software, specifically in the handling of certain Ethernet frames on various Cisco Network Convergence System (NCS) platforms. This flaw allows an unauthenticated, adjacent attacker to cause critical priority packets to be dropped, resulting in a denial of service (DoS) condition.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

Affected Products

The vulnerability impacts Cisco devices running certain releases of Cisco IOS XR Software, specifically:

• Releases 7.7.1 through 7.11.2: Affected if the multicast RPM Packet Manager is installed and active, regardless of multicast configuration.
• Releases 24.1.1 and later: Affected if the multicast RPM is installed and active and the device has a multicast configuration.

Devices running releases earlier than 7.7.1 are not affected. To determine if a device is vulnerable, administrators can use specific commands to check if the multicast RPM is active and if the device is processing Mtrace2 packets.

Cisco has released software updates to address this vulnerability, but no workarounds are available.

However, some mitigations can help reduce the risk:

• Deactivate the Multicast RPM: If multicast configuration is not needed, deactivate and remove the multicast RPM to close the vulnerable UDP port.
• Implement Infrastructure Access Control Lists (iACLs): Deploy iACLs to enforce traffic policies and minimize the risk and impact of direct infrastructure attacks.

For administrators, using the show install active summary | include mcast command can verify if the multicast RPM is active, and the show lpts pifib hardware entry brief location | include 33433 command can check if Mtrace2 processing is enabled.

Cisco has provided free software updates to address this vulnerability. Customers with service contracts are advised to obtain these updates through their usual channels. For those without service contracts, contacting the Cisco Technical Assistance Center (TAC) is recommended to obtain necessary upgrades.

Administrators are urged to apply these updates promptly to safeguard their network infrastructure against potential exploits.

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar