Cisco Patches Multiple NX-OS Software Vulnerabilities

August 29, 2024 at 08:06AM

Cisco released patches for multiple high- and medium-severity vulnerabilities in its NX-OS software, including a high-severity flaw in the DHCPv6 relay agent that allows remote, unauthenticated attackers to cause a denial-of-service condition. The patches also address command injection and sandbox escape issues, as well as medium-severity bugs in APIC, affecting certain Cisco devices. Cisco reports no known exploits.

The key takeaways are:

– Cisco has announced patches for multiple NX-OS software vulnerabilities as part of its semiannual FXOS and NX-OS security advisory bundled publication.

– The most severe vulnerability is CVE-2024-20446, a high-severity flaw in the DHCPv6 relay agent of NX-OS that could be exploited by remote, unauthenticated attackers to cause a denial-of-service (DoS) condition.

– The flaw affects Nexus 3000, 7000, and 9000 series switches in standalone NX-OS mode when all three conditions hold: they run a vulnerable NX-OS release, the DHCPv6 relay agent is enabled, and at least one IPv6 address is configured.

– The NX-OS patches also address a medium-severity command injection defect in the CLI, two medium-risk flaws allowing code execution and privilege escalation, and medium-severity sandbox escape issues in the Python interpreter of NX-OS.

– Cisco also released fixes for two medium-severity bugs in the Application Policy Infrastructure Controller (APIC).

– Cisco has reported that it is not aware of any of these vulnerabilities being exploited in the wild.

For additional details, one can refer to Cisco’s security advisories page and the August 28 semiannual bundled publication.