Cyber Resilience

CVE-2024-20291

Severity: Medium
Published: 29 February 2024
Modified: 30 April 2025
KEV Added: not listed
Patch: see the Cisco Security Advisory
CVSS v3.1 score: 5.8 (Medium); vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
EPSS score: 0.1404 (94.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-20291 is a medium-severity Improper Access Control (CWE-284; NVD also cites CWE-863, Incorrect Authorization) vulnerability in Cisco NX-OS. Its CVSS v3.1 base score is 5.8 (Medium).

Operationally, it ranks in the top 5.5% of CVEs by EPSS exploit likelihood (94.5th percentile), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability lies in the access control list (ACL) programming for port channel subinterfaces on Cisco Nexus 3000 and 9000 Series Switches running in standalone NX-OS mode. When configuration changes are made to port channel member ports, the ACL is programmed incorrectly in hardware, so traffic that the ACL should filter is forwarded. Because the defect is in the hardware programming rather than in the configured policy, the running configuration alone does not reveal it: the ACL still appears applied while no longer being enforced. The flaw is tracked under CWE-284 (Improper Access Control) and CWE-863 (Incorrect Authorization) and carries a CVSS v3.1 base score of 5.8.

No authentication is required. An attacker whose traffic traverses an affected switch exploits the weakness simply by sending traffic that the ACL was supposed to block. A successful exploit gives access to network resources that an ACL applied on a port channel subinterface was intended to protect, with no user interaction or privileges needed. The CVSS vector (S:C, C:N/I:L/A:N) reflects this: the switch itself is not compromised, but the integrity of the segmentation it enforces for other systems is.

The official Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-po-acl-TkyePgvL provides fixed-release and mitigation guidance for affected NX-OS releases. The EPSS score has been flat at 0.1404, its peak, with no material increase observed since disclosure.

Vulnerability details

A vulnerability in the access control list (ACL) programming for port channel subinterfaces of Cisco Nexus 3000 and 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to send traffic that should be blocked through an affected device. This vulnerability is due to incorrect hardware programming that occurs when configuration changes are made to port channel member ports. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to access network resources that should be protected by an ACL that was applied on port channel subinterfaces.
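The exposure condition described above (in both the Deeper analysis and the vendor text) is a conjunction: an affected NX-OS release and an ACL applied on a port channel subinterface. The following Python script is an added example written for this page, not Cisco tooling; it parses the text of `show version` and `show running-config` (constructed samples embedded below, not real captures) and flags devices that meet both conditions. The affected-release set is the one listed under Affected Assets, and the hostname, ACL names and addressing are invented for the demonstration; the Cisco advisory remains authoritative for affected and fixed releases.

```python
"""Exposure triage for CVE-2024-20291 (Cisco NX-OS port-channel subinterface ACL bypass).

Added example for this page, not Cisco's code. It reads the text of `show version`
and `show running-config` (constructed samples below; on real devices collect them
over SSH) and flags a switch as exposed when it runs a release this page lists as
affected AND has an ACL applied on a port-channel subinterface, which is the only
place the bypass matters.
"""
import re
from typing import Dict, List, Optional, Tuple

# Releases listed under "Affected Assets" on this page; check the Cisco advisory
# for the authoritative affected/fixed list before acting on the result.
AFFECTED_RELEASES = {"9.3(10)", "9.3(11)", "9.3(12)"}

# `show version` prints the image release on a line like "  NXOS: version 9.3(11)".
RELEASE_RE = re.compile(r"^\s*NXOS:\s+version\s+(\S+)", re.MULTILINE)
INTERFACE_RE = re.compile(r"^interface\s+(\S+)\s*$", re.IGNORECASE)
# Port-channel subinterfaces are named "port-channelN.M" (e.g. port-channel20.100).
PO_SUBIF_RE = re.compile(r"^port-channel\d+\.\d+$", re.IGNORECASE)
# IPv4 ACLs are applied with "ip access-group NAME in|out", IPv6 with "ipv6 traffic-filter".
ACL_RE = re.compile(r"^(?:ip access-group|ipv6 traffic-filter)\s+(\S+)\s+(in|out)\s*$", re.IGNORECASE)

# Constructed sample outputs (not real captures); hostname, ACL names and
# addressing are invented for the demonstration.
SAMPLE_SHOW_VERSION = """\
Cisco Nexus Operating System (NX-OS) Software
Software
  BIOS: version 05.47
  NXOS: version 9.3(11)
Hardware
  cisco Nexus9000 C93180YC-FX Chassis
"""

SAMPLE_RUNNING_CONFIG = """\
hostname n9k-edge-01
feature lacp
interface port-channel10
  switchport mode trunk
interface port-channel20
  no switchport
interface port-channel20.100
  encapsulation dot1q 100
  ip address 10.20.100.1/24
  ip access-group BLOCK_MGMT in
interface port-channel20.200
  encapsulation dot1q 200
  ip address 10.20.200.1/24
interface Ethernet1/1
  channel-group 20 mode active
interface Ethernet1/2
  ip access-group EDGE_IN in
"""


def nxos_release(show_version: str) -> Optional[str]:
    """Return the NX-OS release string from `show version`, or None if absent."""
    m = RELEASE_RE.search(show_version)
    return m.group(1) if m else None


def acls_on_po_subifs(running_config: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each port-channel subinterface to the (acl_name, direction) pairs applied on it.

    Only subinterfaces carrying at least one ACL are returned. ACLs on physical
    ports or on parent port-channels are ignored: they are outside this CVE's scope.
    """
    result: Dict[str, List[Tuple[str, str]]] = {}
    current = None  # name of the port-channel subinterface whose block we are in
    for raw in running_config.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():  # top-level command: starts or ends an interface block
            m = INTERFACE_RE.match(raw)
            current = m.group(1) if m and PO_SUBIF_RE.match(m.group(1)) else None
            continue
        if current is None:
            continue
        m = ACL_RE.match(raw.strip())
        if m:
            result.setdefault(current, []).append((m.group(1), m.group(2).lower()))
    return result


def assess(show_version: str, running_config: str) -> dict:
    """Combine the release check and the ACL placement check into one verdict."""
    release = nxos_release(show_version)
    exposed_ifs = acls_on_po_subifs(running_config)
    release_affected = release in AFFECTED_RELEASES
    return {
        "release": release,
        "release_affected": release_affected,
        "exposed_interfaces": exposed_ifs,
        "exposed": release_affected and bool(exposed_ifs),
    }


if __name__ == "__main__":
    verdict = assess(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG)
    print(f"release {verdict['release']} affected: {verdict['release_affected']}")
    for ifname, acls in verdict["exposed_interfaces"].items():
        for acl, direction in acls:
            print(f"  {ifname}: {acl} ({direction})")
    print("EXPOSED" if verdict["exposed"] else "not exposed")
```

Feed each switch's two command outputs to `assess()`; a device reported as exposed should be moved to a fixed release per the advisory. Because the defect is in hardware programming, a parsed configuration can only show where an ACL is intended to apply; confirming that the ACL is actually enforced after member-port changes requires observing that test traffic matching a deny entry is dropped.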

CWE(s)

CWE-284 Improper Access Control
CWE-863 Incorrect Authorization

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

cisco
nx-os
9.3(10), 9.3(11), 9.3(12)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

A per-CVE control mapping has not yet been run for this CVE; the list below is derived from the weakness types (CWEs) cited in the NVD entry and is therefore generic rather than specific to the NX-OS ACL hardware-programming defect.

addresses: CWE-284 CWE-863

The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.

addresses: CWE-284 CWE-863

Supervision and review of access control activities directly detects and remediates improper access configurations or usages.

addresses: CWE-284 CWE-863

Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.

addresses: CWE-284 CWE-863

Requiring prior authorization for each remote access type prevents improper access control over remote connections.

addresses: CWE-284 CWE-863

Requiring authorization of wireless access before allowing connections enforces proper access control for this access method.

addresses: CWE-284 CWE-863

Requiring authorization and configuration controls for mobile device connections directly enforces access control and prevents unauthorized devices from reaching organizational systems.

addresses: CWE-284 CWE-863

Defining account types, requiring approvals for creation, specifying authorizations, monitoring usage, and reviewing accounts directly prevents improper access control by ensuring only authorized accounts exist and are used.

addresses: CWE-284 CWE-863

Enforcing rules that govern access to the system and its data from external systems, based on established trust relationships, constrains improper access originating outside the organizational boundary.

References

Cisco Security Advisory cisco-sa-nxos-po-acl-TkyePgvL: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-po-acl-TkyePgvL