Attackers can crash Cisco routers via DoS attacks
Several security vulnerabilities in Cisco's network operating systems IOS and IOS XE (and in Catalyst Center and SD-WAN components) put various devices at risk. Patches are available for download.
To keep attackers from exploiting the vulnerabilities, network admins running Cisco devices should install the updates as quickly as possible. In most cases a successful attack crashes the device.
The list of affected devices and fixed versions is beyond the scope of this post; admins will find it in the Cisco advisories linked below. So far there are no reports of attacks in the wild.
Paralyze routers with a DoS attack
Various router models are at risk from security vulnerabilities in the IOS and IOS XE network operating systems. Because of insufficient checks in Unified Threat Defense (UTD), attackers can exploit a vulnerability (CVE-2024-20455, rated "high") with specially crafted traffic.
If such an attack succeeds, it results in a denial of service (DoS): the device crashes and, in the worst case, stays unavailable until an admin intervenes manually. The attack only works if UTD is active, though. Specifically, 1000 Series Integrated Services Routers (ISRs) and Catalyst 8500L Edge Platforms are affected.
Other possible attacks
Attackers can also exploit a vulnerability (CVE-2024-20437, rated "high") in the web-based management interface of IOS and IOS XE to carry out actions with the victim's privileges (cross-site request forgery). For this to work, however, an already authenticated victim has to click a link prepared by the attacker.
Because Catalyst Center ships with a static SSH host key, attackers who know that key can impersonate the appliance and intercept SSH connections to it as a man-in-the-middle (CVE-2024-20350, rated "high").
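A static host key is easy to spot from the outside: two appliances presenting the same SSH host key almost always share a baked-in key. The following script, an added example that is not from the heise article or from Cisco, groups the hosts in ssh-keyscan or known_hosts output by host-key fingerprint and reports every key that more than one host presents. The hostnames and key blobs in the sample are constructed placeholders, not real Catalyst Center keys; run it on your own `ssh-keyscan` output instead.

```python
"""Find SSH host keys that are shared by more than one host.

A host key that is baked into an appliance image (as in the Catalyst Center
finding) shows up as the same public key on every installation. Feed this
script the output of `ssh-keyscan host1 host2 ...` or an existing (unhashed)
known_hosts file and it lists every fingerprint seen on more than one host.
"""
import base64
import binascii
import hashlib
from collections import defaultdict

# Constructed sample in ssh-keyscan / known_hosts format. Hostnames and key
# blobs are placeholders; the two "catcenter" entries deliberately carry the
# identical key to mimic a static host key. Not real Cisco keys.
SAMPLE_KEYSCAN = """\
# catcenter-a.example.net:22 SSH-2.0-OpenSSH
catcenter-a.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMYKEYDUMMYKEYDUMMYKEYDUMMYKEYDUMMYKEYDUM
# catcenter-b.example.net:22 SSH-2.0-OpenSSH
catcenter-b.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMYKEYDUMMYKEYDUMMYKEYDUMMYKEYDUMMYKEYDUM
# switch-1.example.net:22 SSH-2.0-Cisco
switch-1.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQOTHERKEYOTHERKEYOTHERKEYOTHERKEYOTHERKEYOT
"""


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64, no padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> list[tuple[str, str, str]]:
    """Parse known_hosts / ssh-keyscan lines into (host, key_type, key_b64).

    Comment lines, blank lines and malformed lines are skipped. Hashed
    known_hosts entries (|1|...) are kept as-is in the host field, so they
    cannot be attributed to a name but still count as a distinct host.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        host, key_type, key_b64 = fields[0], fields[1], fields[2]
        if not key_type.startswith(("ssh-", "ecdsa-", "sk-")):
            continue
        entries.append((host, key_type, key_b64))
    return entries


def shared_host_keys(text: str) -> dict[str, list[str]]:
    """Return {fingerprint: sorted hosts} for every key presented by more than one host."""
    hosts_by_fp: dict[str, set[str]] = defaultdict(set)
    for host, _key_type, key_b64 in parse_keyscan(text):
        try:
            fp = fingerprint(key_b64)
        except (binascii.Error, ValueError):
            continue  # corrupt blob: cannot be compared, skip it
        hosts_by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    shared = shared_host_keys(SAMPLE_KEYSCAN)
    if not shared:
        print("no shared host keys found")
    for fp, hosts in shared.items():
        print(f"{fp} is presented by {len(hosts)} hosts: {', '.join(hosts)}")
```

Pipe real data in with `ssh-keyscan -t ed25519,rsa host-a host-b ... > scan.txt` and pass the file contents to `shared_host_keys`. A hit does not prove the key is static in the firmware (a cloned VM or a restored backup also duplicates host keys), but it is exactly the symptom the Catalyst Center advisory describes, and either way the key should be regenerated.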
List of Cisco advisories, sorted by threat level in descending order:
- Catalyst SD-WAN Routers Denial of Service
- IOS and IOS XE Software Resource Reservation Protocol Denial of Service
- IOS XE Software Protocol Independent Multicast Denial of Service
- IOS XE Software SD-Access Fabric Edge Node Denial of Service
- IOS XE Software HTTP Server Telephony Services Denial of Service
- IOS XE Software IPv4 Fragmentation Reassembly Denial of Service
- Catalyst Center Static SSH Host Key
- IOS and IOS XE Software Web UI Cross-Site Request Forgery
- Catalyst SD-WAN Manager Cross-Site Scripting
- SD-WAN vEdge Software UDP Packet Validation Denial of Service
- IOS Software on Cisco Industrial Ethernet Series Switches Access Control List Bypass
- Unified Threat Defense Snort Intrusion Prevention System Engine for Cisco IOS XE Software Security Policy Bypass and Denial of Service
- IOS XE Software for Wireless Controllers CWA Pre-Authentication ACL Bypass
- Catalyst 9000 Series Switches Denial of Service
(des)