CVE-2024-20321 in NX-OS
Summary
by MITRE • 02/29/2024
A vulnerability in the External Border Gateway Protocol (eBGP) implementation of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
This vulnerability exists because eBGP traffic is mapped to a shared hardware rate-limiter queue. An attacker could exploit this vulnerability by sending large amounts of network traffic with certain characteristics through an affected device. A successful exploit could allow the attacker to cause eBGP neighbor sessions to be dropped, leading to a DoS condition in the network.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/03/2024
The vulnerability identified as CVE-2024-20321 represents a critical denial of service weakness within Cisco NX-OS Software's external border gateway protocol implementation. This flaw specifically targets the eBGP processing mechanisms that govern how network devices communicate routing information across autonomous systems. The vulnerability stems from the improper allocation of eBGP traffic to shared hardware rate-limiting queues, creating a single point of failure that can be exploited by unauthenticated remote attackers without requiring any privileged access credentials.
The technical exploitation mechanism relies on the attacker's ability to manipulate eBGP traffic characteristics to overwhelm the shared hardware rate-limiter queue. When malicious traffic patterns are directed through the affected device, the queue becomes saturated and unable to properly process legitimate eBGP neighbor sessions. This occurs because the hardware infrastructure does not adequately distinguish between different types of eBGP traffic or implement proper traffic prioritization mechanisms. The vulnerability manifests as a cascading failure where legitimate routing updates are dropped or delayed, causing eBGP sessions to terminate unexpectedly and resulting in complete network disruption.
From an operational impact perspective, this vulnerability presents a severe threat to network availability and stability, particularly in environments where eBGP is critical for external connectivity and routing operations. Network administrators face the challenge of maintaining routing integrity while dealing with potential DoS attacks that can compromise entire routing domains. The vulnerability affects the core routing functionality of network infrastructure, potentially causing widespread service disruption across multiple network segments that depend on the affected device for external connectivity. The lack of authentication requirements for exploitation means that any remote attacker with network access can potentially trigger the vulnerability, making it particularly dangerous in publicly accessible network environments.
This vulnerability aligns with CWE-400, which addresses "Uncontrolled Resource Consumption," and represents a classic example of resource exhaustion through improper queue management. The attack pattern follows the MITRE ATT&CK framework's T1498, "Network Denial of Service," where adversaries specifically target network infrastructure to disrupt services. Organizations implementing Cisco NX-OS solutions should prioritize immediate mitigation through firmware updates from Cisco, implementing traffic filtering mechanisms to limit eBGP traffic patterns, and establishing monitoring protocols to detect anomalous traffic behavior. Network segmentation and rate-limiting policies should be strengthened to prevent exploitation, while regular security assessments should verify the effectiveness of implemented controls against similar vulnerabilities in network infrastructure components.