CVE-2024-20291 is a newly disclosed vulnerability that affects the heart of many data center deployments: Cisco Nexus 300 and 900 Series Switches running NX-OS in standalone mode. This flaw focuses on a misconfiguration of Access Control Lists (ACLs) for port channel subinterfaces. If you rely on ACLs for strong security boundaries, this is a must-read since it essentially allows remote attackers to slip traffic right through your defenses—even when it appears you’ve done everything right.

In this post, I’ll explain the flaw in plain American English, show you how the vulnerability works, and provide some exclusive hands-on details, along with mitigation advice.

What is CVE-2024-20291?

Put simply: There’s a bug in how certain Cisco Nexus switches (specifically 300 and 900 series) apply ACLs to port channel subinterfaces. When you change a port channel’s member ports (adding or removing them), the hardware may fail to reprogram ACLs correctly. This mistake means some traffic that should be blocked will, in fact, pass through—unseen, unchecked, unfiltered.

No authentication is required. The attacker just needs to be somewhere on a network segment that sends traffic through the vulnerable device.

More details

- Affected devices: Cisco Nexus 300/900 Series (standalone NX-OS mode)
- Attack vector: Remote, unauthenticated; the attacker merely sends traffic through the vulnerable switch
- Potential impact: Bypass of ACLs applied on port channel subinterfaces; unauthorized network access

Cisco’s advisory:
Original Security Advisory – Cisco

The Short Version

Imagine you’ve configured a port channel on your switch (say, for high availability or throughput), and set up ACLs to block certain traffic. When you tweak the port channel—say, you unplug a cable or reassign a member port—the switch may *forget* to properly enforce the ACL on the subinterface. Voila! The door is now open.

- ACLs work as expected.
- A change to port channel membership (adding or removing a member port) is made, a very common maintenance step.
- Traffic that was previously blocked, such as ping packets, can now pass through freely.
- A remote attacker (on the outside) sends packets that *should* be blocked, and they sail straight into the protected network.

Code & Configuration Example

Let’s look at this in action with simplified config snippets.

1. Initial (Safe) Configuration

Suppose you want to block all ping traffic to a sensitive server VLAN.

! Define the ACL: drop ICMP, allow everything else
ip access-list BLOCK_ICMP
  deny icmp any any
  permit ip any any

! Assign it to the port channel subinterface
! (the subinterface needs a dot1q tag to carry the server VLAN)
interface port-channel10.100
  encapsulation dot1q 100
  ip access-group BLOCK_ICMP in

2. Port Channel Membership Change

Now, suppose an admin wants to do maintenance on the port channel:

! Remove a member interface from the port channel
! (channel-group is removed under the member port, not the port channel):
interface Ethernet1/1
  no channel-group

! Or add a new one:
interface Ethernet1/2
  channel-group 10 mode active

Boom: the ACL programming now fails for port-channel10.100.

3. Exploitation

Attacker sends ICMP packets from outside. Instead of being dropped by BLOCK_ICMP, they’re forwarded to the target VLAN.

Here’s a scapy example from an attacker’s perspective:

from scapy.all import IP, ICMP, send

# Send one ICMP echo request toward the protected VLAN.
# TARGET_IP is a placeholder for a host behind port-channel10.100.
send(IP(dst="TARGET_IP") / ICMP())

And behind the scenes, the switch is simply letting it through, exposing sensitive resources.

Why Does This Matter?

Attackers can traverse your segmented networks, reach restricted servers or management interfaces, or even escalate attacks from previously trusted segments. In multi-tenant environments (such as data centers or clouds), this is especially severe: one compromise could endanger others.

Mitigation

1. Patch & Upgrade

Cisco has produced fixes; check Cisco’s advisory page for the patched NX-OS releases.

2. Verify ACL Programming

Check your Nexus switch to see if the ACL is actually programmed for the subinterface:

show system internal access-list interface port-channel10.100 ingress

If the ACL entries are missing or incorrect, you’re exposed.
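To know which subinterfaces to re-verify after any port channel change, it helps to inventory every port-channel subinterface that carries an ACL together with the member ports of its parent. The following script is an added example (not the author’s code and not a Cisco tool); it parses standard NX-OS running-config syntax from a constructed sample and prints the verification command from this post for each subinterface found.

```python
import re
from collections import defaultdict

# Constructed sample NX-OS running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
ip access-list BLOCK_ICMP
  deny icmp any any
  permit ip any any
interface port-channel10.100
  encapsulation dot1q 100
  ip access-group BLOCK_ICMP in
interface port-channel20.200
  encapsulation dot1q 200
interface Ethernet1/1
  channel-group 10 mode active
interface Ethernet1/2
  channel-group 10 mode active
"""

def audit_port_channel_acls(config):
    """Map each port-channel subinterface carrying an IP ACL to ACL, direction, members."""
    members = defaultdict(list)  # port-channel number -> physical member ports
    acls = {}                    # subinterface name -> (acl name, direction)
    current = None               # interface whose stanza we are inside
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = re.match(r"\s+channel-group (\d+)", line)
        if m:
            members[m.group(1)].append(current)
            continue
        m = re.match(r"\s+ip access-group (\S+) (in|out)", line)
        if m and re.fullmatch(r"port-channel\d+\.\d+", current):
            acls[current] = (m.group(1), m.group(2))
    report = {}
    for subif, (acl, direction) in acls.items():
        pc_num = re.match(r"port-channel(\d+)\.", subif).group(1)
        report[subif] = {"acl": acl, "dir": direction, "members": members[pc_num]}
    return report

if __name__ == "__main__":
    for subif, info in audit_port_channel_acls(SAMPLE_CONFIG).items():
        print(f"{subif}: ACL {info['acl']} ({info['dir']}), members {info['members']}")
        print(f"  verify with: show system internal access-list interface {subif} ingress")
```

Feed it the output of `show running-config` and run the printed verification command for each listed subinterface whenever one of its member ports changes.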

Resources and Original References

- Cisco Advisory: CVE-2024-20291
- Community Discussion: Reddit/Cisco

Summary Table

| Severity | Remote/Local | Authentication Needed | Affected Devices | Available Patch? |
|-----------------|-------------|----------------------|-------------------|------------------|
| High | Remote | No | Nexus 3k/9k NX-OS | Yes |

Final Words

CVE-2024-20291 is a powerful reminder: hardware and software need to work in lock-step for security controls to be effective. If you rely on Cisco Nexus switches and use ACLs with port channel subinterfaces, review your topology and patch immediately. Don’t let this easy-to-exploit hole become your next headline.



Author:
Security Researcher – (Exclusive Analysis, June 2024)

Timeline

Published on: 02/29/2024 01:43:59 UTC
Last modified on: 02/29/2024 13:49:29 UTC