Cisco IOS XE Software Catalyst 9000 Series Switches DoS (cisco-sa-vlan-dos-27Pur5RT)

medium Nessus Plugin ID 207741

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

According to its self-reported version, Cisco IOS XE Software is affected by a vulnerability.

- A vulnerability in Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on the control plane of an affected device. This vulnerability is due to improper handling of frames with VLAN tag information. An attacker could exploit this vulnerability by sending crafted frames to an affected device. A successful exploit could allow the attacker to render the control plane of the affected device unresponsive. The device would not be accessible through the console or CLI, and it would not respond to ping requests, SNMP requests, or requests from other control plane protocols. Traffic that is traversing the device through the data plane is not affected. A reload of the device is required to restore control plane services. (CVE-2024-20434)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.

Solution

Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwi34160.

See Also

http://www.nessus.org/u?14cdd60a

http://www.nessus.org/u?e0341eea

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwi34160

Plugin Details

Severity: Medium

ID: 207741

File Name: cisco-sa-vlan-dos-27Pur5RT-iosxe.nasl

Version: 1.4

Type: combined

Family: CISCO

Published: 9/25/2024

Updated: 10/4/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Low

Base Score: 3.3

Temporal Score: 2.4

Vector: CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2024-20434

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:cisco:ios_xe

Required KB Items: Host/Cisco/IOS-XE/Version, Host/Cisco/IOS-XE/Model

Exploit Ease: No known exploits are available

Patch Publication Date: 9/25/2024

Vulnerability Publication Date: 9/25/2024

Reference Information

CVE: CVE-2024-20434

CWE: 190

CISCO-SA: cisco-sa-vlan-dos-27Pur5RT

IAVA: 2024-A-0592

CISCO-BUG-ID: CSCwi34160