On September 11, 2024, Cisco released security updates addressing several vulnerabilities in its IOS XR software. The fixes were disclosed in Cisco's semiannual IOS XR Software Security Advisory Bundled Publication, which Cisco releases each March and September. The September 2024 bundle comprises seven security advisories covering eight vulnerabilities, any of which a threat actor could attempt to exploit; successful exploitation could allow an attacker to take control of an affected device or disrupt its operation. Cisco strongly advises users and administrators to review the advisories and apply the necessary software updates.
Among the vulnerabilities highlighted, CVE-2024-20398 is a high-severity privilege escalation issue in the Cisco IOS XR Software CLI, with a CVSS base score of 8.8. It could allow an authenticated, local attacker to escalate privileges and gain unauthorized access to the underlying system. Another significant vulnerability, CVE-2024-20304, is a UDP packet memory exhaustion issue: an unauthenticated, remote attacker could send crafted packets that consume the device's UDP packet memory and cause a denial of service (DoS). It carries a CVSS base score of 8.6 and is likewise rated High severity.
The bundle also covers two vulnerabilities in the Cisco Routed Passive Optical Network (PON) Controller software, CVE-2024-20483 and CVE-2024-20489, both with a CVSS base score of 8.4. These could allow a remote attacker to execute arbitrary code or cause a DoS. In addition, CVE-2024-20317 is a high-severity DoS vulnerability in Cisco IOS XR Software on Network Convergence System (NCS) platforms, and CVE-2024-20406 affects the Segment Routing for Intermediate System-to-Intermediate System (IS-IS) feature and could likewise lead to a DoS.
Two further vulnerabilities in the bundle, CVE-2024-20343 and CVE-2024-20390, are rated Medium severity but still merit attention. CVE-2024-20343 allows arbitrary file reading through the CLI (CVSS base score 5.5), while CVE-2024-20390 affects the Dedicated XML Agent TCP service and could be used to cause a DoS (CVSS base score 5.3). Cisco urges all users of affected Cisco IOS XR software releases to apply the necessary updates to mitigate these vulnerabilities and protect their networks; the Cisco Software Checker can be used to determine which of the bundled advisories apply to a given IOS XR release.