Cisco IOS XE Software for Catalyst 9000 Series Switches Denial of Service Vulnerability
TL;DR π
A denial of service vulnerability has been identified in Cisco IOS XE Software for Catalyst 9000 Series Switches. An unauthenticated, adjacent attacker can exploit this vulnerability by sending crafted Ethernet frames, causing an egress port to drop all outbound traffic. The highest CVSS score is 7.4 (High). Cisco has released fixed software, but no workarounds are available.
What happened π΅οΈββοΈ
A vulnerability exists in the handling of certain Ethernet frames within Cisco IOS XE Software for Catalyst 9000 Series Switches. This flaw allows an unauthenticated, adjacent attacker to send crafted Ethernet frames, which can block an egress port, resulting in a denial of service (DoS) condition. Once exploited, the affected port will drop all outbound traffic, severely impacting network operations.
Affected products π₯οΈ
The following products are affected if they are running a vulnerable release of Cisco IOS XE Software and have specific port configurations enabled:
- Catalyst 9200 Series Switches
- Catalyst 9300 Series Switches
- Catalyst 9400 Series Switches
- Catalyst 9500 Series Switches
- Catalyst 9600 Series Switches
- Meraki MS390 and Cisco Catalyst 9300 Series Switches (software earlier than Meraki CS 17.2.2)
- Cloud-Managed Hybrid Operating Mode for Catalyst Wireless LAN Controllers (software earlier than Release 17.15.4)
Fixed software π§
Upgrade to the first fixed release in your train (or later):
| Release / Product | First Fixed Release | Notes |
|---|---|---|
| 1.0 | Initial public release. | |
| Cisco IOS XE Software | Not specified |
Workarounds π§―
There are no workarounds available to mitigate this vulnerability.
Risk in context π―
The vulnerability has a CVSS score of 7.4, indicating a High risk. It is exploitable by unauthenticated, adjacent attackers, which means that an attacker must have physical or logical access to the local network. The impact is significant as it can lead to complete denial of service for affected ports. Immediate remediation is required through software updates.
Fast facts β‘
- Vulnerability: Denial of Service
- CVSS Score: 7.4 (High)
- Exploitation: Requires adjacent access, no authentication needed
- Impact: Egress port drops all outbound traffic
- Workarounds: None available
- Fixed Software: Available, check Cisco Software Checker
For leadership π§
This vulnerability poses a High risk (CVSS 7.4) due to its potential to cause significant disruption in network services. It requires adjacent access for exploitation, meaning attackers must be on the local network but do not need authentication. Immediate action is necessaryβpatch affected devices within 7 days to mitigate the risk. The operational impact is expected to be minimal, with a brief maintenance window and no configuration drift anticipated.
Now: Identify affected devices and plan for patching.
Next: Apply the fixed software updates as soon as possible.
Later: Monitor network traffic for any signs of exploitation attempts.