CVE-2024-20294

{"id": "CVE-2024-20294", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ykramarz@cisco.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 2.1}]}, "published": "2024-02-29T01:43:59.207", "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-lldp-dos-z7PncTgt", "source": "ykramarz@cisco.com"}, {"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-lldp-dos-z7PncTgt", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-805"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Link Layer Discovery Protocol (LLDP) feature of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device.\r\n\r This vulnerability is due to improper handling of specific fields in an LLDP frame. An attacker could exploit this vulnerability by sending a crafted LLDP packet to an interface of an affected device and having an authenticated user retrieve LLDP statistics from the affected device through CLI show commands or Simple Network Management Protocol (SNMP) requests. A successful exploit could allow the attacker to cause the LLDP service to crash and stop running on the affected device. In certain situations, the LLDP crash may result in a reload of the affected device.\r\n\r Note: LLDP is a Layer 2 link protocol. To exploit this vulnerability, an attacker would need to be directly connected to an interface of an affected device, either physically or logically (for example, through a Layer 2 Tunnel configured to transport the LLDP protocol)."}, {"lang": "es", "value": "Una vulnerabilidad en la funci\u00f3n Link Layer Discovery Protocol (LLDP) del software Cisco FXOS y el software Cisco NX-OS podr\u00eda permitir que un atacante adyacente no autenticado cause una condici\u00f3n de denegaci\u00f3n de servicio (DoS) en un dispositivo afectado. Esta vulnerabilidad se debe al manejo inadecuado de campos espec\u00edficos en un framework LLDP. Un atacante podr\u00eda aprovechar esta vulnerabilidad enviando un paquete LLDP manipulado a una interfaz de un dispositivo afectado y haciendo que un usuario autenticado recupere estad\u00edsticas LLDP del dispositivo afectado a trav\u00e9s de comandos show CLI o solicitudes del Protocolo simple de administraci\u00f3n de red (SNMP). Un exploit exitoso podr\u00eda permitir al atacante provocar que el servicio LLDP falle y deje de ejecutarse en el dispositivo afectado. En determinadas situaciones, el fallo de LLDP puede provocar una recarga del dispositivo afectado. Nota: LLDP es un protocolo de enlace de Capa 2. Para aprovechar esta vulnerabilidad, un atacante necesitar\u00eda estar conectado directamente a una interfaz de un dispositivo afectado, ya sea f\u00edsica o l\u00f3gicamente (por ejemplo, a trav\u00e9s de un t\u00fanel de capa 2 configurado para transportar el protocolo LLDP)."}], "lastModified": "2024-11-21T08:52:14.550", "sourceIdentifier": "ykramarz@cisco.com"}