Cisco Family September 2024 Secondary Security Update Advisory
Overview
Cisco (https://www.cisco.com) has released a security update that fixes vulnerabilities in its products. Users of affected systems are advised to update to the latest version.
Affected Products
CVE-2024-20437, CVE-2024-20455, CVE-2024-20436, CVE-2024-20480
- Cisco IOS XE Software
CVE-2024-20464
- Cisco IOS XE Software version: 17.13.1
- Cisco IOS XE Software version: 17.13.1a
CVE-2024-20433
- Cisco IOS Software
- Cisco IOS XE Software
CVE-2024-20467
- Cisco IOS XE Software version: 17.12.1
- Cisco IOS XE Software version: 17.12.1a
CVE-2024-20350
- Cisco Catalyst Center
Resolved Vulnerabilities
Vulnerability in the web-based management interface of Cisco IOS XE software that could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and execute commands in the CLI on an affected device (CVE-2024-20437)
Vulnerability in the Protocol Independent Multicast (PIM) feature in Cisco IOS XE software that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device (CVE-2024-20464)
Vulnerability in the Resource Reservation Protocol (RSVP) feature in Cisco IOS Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to unexpectedly reload an affected device, resulting in a denial of service condition (CVE-2024-20433)
Vulnerability in the implementation of IPv4 fragmentation reassembly code in Cisco IOS XE software that could allow an unauthenticated remote attacker to cause a denial of service condition on an affected device (CVE-2024-20467)
Vulnerability in the SSH server in Cisco Catalyst Center (formerly Cisco DNA Center) that could allow an unauthenticated, remote attacker to impersonate a Cisco Catalyst Center appliance (CVE-2024-20350)
Vulnerability in the process of classifying traffic going to the Unified Threat Defense (UTD) component in Cisco IOS XE software that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device (CVE-2024-20455)
Vulnerability in the HTTP server feature in Cisco IOS XE software that could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device (CVE-2024-20436)
Vulnerability in the DHCP Snooping feature in Cisco IOS XE software that allows an unauthenticated, remote attacker to cause high CPU utilization on an affected device, resulting in a denial of service condition (CVE-2024-20480)
Vulnerability Patches
Product-specific vulnerability patches were made available in the September 25, 2024 update. Please refer to the "Affected Products" and "Fixed Software" sections of the product-specific advisories listed under Referenced Sites below to apply the patches.
Referenced Sites
[1] Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability
[2] Cisco IOS XE Software Protocol Independent Multicast Denial of Service Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pim-APbVfySJ
[3] Cisco IOS and IOS XE Software Resource Reservation Protocol Denial of Service Vulnerability
[4] Cisco IOS XE Software IPv4 Fragmentation Reassembly Denial of Service Vulnerability
[5] Cisco Catalyst Center Static SSH Host Key Vulnerability
[6] Cisco Catalyst SD-WAN Routers Denial of Service Vulnerability
[7] Cisco IOS XE Software HTTP Server Telephony Services Denial of Service Vulnerability
[8] Cisco IOS XE Software SD-Access Fabric Edge Node Denial of Service Vulnerability