CVE-2024-0101 Overview
CVE-2024-0101 is a denial-of-service vulnerability affecting NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2, and MetroX-3 XC network switch platforms. The flaw resides in the ipfilter component, where improper filter definitions allow a remote, unauthenticated attacker to send crafted traffic that causes the switch to fail. Successful exploitation results in service disruption to the affected network infrastructure. The vulnerability is classified under [CWE-693] (Protection Mechanism Failure) and carries a network-based attack vector with no authentication required.
Critical Impact
A remote attacker with network reachability to the switch can trigger a failure without authentication, causing a denial of service on that switch and an outage for whatever traffic it carries. Confidentiality and integrity are not affected.
Affected Products
- NVIDIA Mellanox OS (MLNX-OS) and MLNX-GW
- NVIDIA ONYX
- NVIDIA NVDA-OS XC (MetroX-3 XC)
- NVIDIA Skyway, MetroX-2 and MetroX-3 XC hardware platforms, including the MGA100-HS2, TQ8100-HS2F, TQ8200-HS2F and MTQ8400-HS2R models
Discovery Timeline
- 2024-08-08 - CVE-2024-0101 published to NVD
- 2024-12-26 - Last updated in NVD database
Technical Details for CVE-2024-0101
Vulnerability Analysis
NVIDIA's advisory describes the flaw only as improper ipfilter definitions that let an attacker cause a failure by sending traffic to the switch. ipfilter is the packet filter the affected switch operating systems apply to traffic addressed to the switch itself (its management and control plane), so a defect in its rule definitions means that packets which should have been dropped, or never processed at all, instead reach a code path the switch does not survive. NVIDIA has not published which packets trigger the failure, nor whether the filter is bypassed or faults during evaluation; the [CWE-693] (Protection Mechanism Failure) classification says only that a protective control failed to do its job.
The vulnerability affects availability only: no data is disclosed or modified during exploitation. At the time of writing, the EPSS score is approximately 0.47%, placing it in the 64th percentile for likelihood of observed exploitation activity.
Root Cause
The root cause is a flaw in how ipfilter rules are defined within MLNX-OS, ONYX, the Skyway firmware (MLNX-GW), MetroX-2 and NVDA-OS XC. The improper definitions break the filtering contract the rest of the system relies on, which is why the issue is classified as [CWE-693] Protection Mechanism Failure: traffic the filter was expected to stop instead reaches processing that causes the switch to fail. Whether that failure is resource exhaustion or a fault in a specific handler has not been disclosed.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. Any host that can reach the switch's management or control-plane addresses can send the triggering traffic, so exposure depends on how well the management network is segmented; in data center and HPC fabrics, switch management interfaces are often reachable from far more hosts than the administrators' workstations. No public proof-of-concept or report of active exploitation is known. The NVIDIA security advisory is the only vendor-confirmed source of technical detail.
Detection Methods for CVE-2024-0101
Indicators of Compromise
- Unexpected reboots, control-plane failures, or management interface unresponsiveness on Mellanox, ONYX, Skyway, or MetroX switches.
- Sudden loss of fabric connectivity or InfiniBand/Ethernet traffic interruptions originating from a single switch node.
- Surges of inbound traffic targeting the switch management IP that do not match expected administrative sources.
Detection Strategies
- Monitor switch syslog and SNMP traps for filter-related errors, process crashes, and watchdog-triggered restarts; a restart with no preceding configuration change or scheduled maintenance is the primary signal.
- Compare running ipfilter configurations against vendor-recommended baselines to identify malformed or overly permissive rules.
- Correlate switch availability events with network flow telemetry to identify traffic patterns that precede failures.
Monitoring Recommendations
- Forward switch logs and SNMP telemetry to a centralized SIEM or data lake for continuous availability monitoring.
- Alert on repeated management-plane connection failures or BFD/LLDP neighbor flaps that may indicate exploitation attempts.
- Track baseline traffic volumes to management interfaces and flag anomalous spikes from untrusted sources.
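As an added example (not from this page or from NVIDIA), the detection strategies and monitoring recommendations above can be joined in one small Python script: it scans syslog lines for crash and restart messages, flags flows toward the management IP that come from outside the trusted administrative subnet or exceed a packet-count baseline, and pairs each failure with the suspicious flows that preceded it. The syslog message texts, the flow records, the management IP 10.10.10.50, the 10.10.10.0/24 trusted subnet and the 10x-baseline threshold are all constructed assumptions; adapt the regular expressions to the syslog format your switches actually emit.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# Constructed sample syslog lines in RFC 3164 style. The message texts are
# illustrative and are not copied from any real Mellanox/ONYX switch.
SAMPLE_SYSLOG = """\
Dec 26 10:14:02 sw-leaf01 mgmtd[1234]: [mgmtd.NOTICE]: Configuration saved
Dec 26 10:15:31 sw-leaf01 kernel: [kernel.ERR]: ipfilter: rule processing error
Dec 26 10:15:33 sw-leaf01 pm[210]: [pm.ERR]: Process netd terminated unexpectedly (signal 11)
Dec 26 10:15:40 sw-leaf01 watchdog[99]: [wd.CRIT]: Watchdog timeout, restarting system
Dec 26 10:20:05 sw-leaf01 mgmtd[1234]: [mgmtd.NOTICE]: System booted
"""

# Constructed flow records toward the switch management IP (assumed address):
# (timestamp, src_ip, dst_ip, dst_port, packets)
MGMT_IP = "10.10.10.50"
SAMPLE_FLOWS = [
    ("Dec 26 10:14:00", "10.10.10.20", MGMT_IP, 22, 40),
    ("Dec 26 10:15:20", "192.0.2.77", MGMT_IP, 22, 9000),
    ("Dec 26 10:15:25", "192.0.2.77", MGMT_IP, 443, 12000),
    ("Dec 26 10:21:00", "10.10.10.21", MGMT_IP, 443, 60),
]

TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.10.0/24")]  # assumed admin subnet
YEAR = 2024  # RFC 3164 timestamps carry no year; assume one for parsing

# Message fragments that indicate a control-plane failure or restart
FAILURE_PATTERNS = [
    re.compile(r"watchdog timeout", re.I),
    re.compile(r"terminated unexpectedly", re.I),
    re.compile(r"ipfilter:.*error", re.I),
    re.compile(r"system booted", re.I),
]


def parse_ts(s):
    return datetime.strptime(f"{YEAR} {s}", "%Y %b %d %H:%M:%S")


def failure_events(syslog_text):
    """Return (timestamp, host, message) for lines matching a failure pattern."""
    events = []
    for line in syslog_text.splitlines():
        m = re.match(r"(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)", line)
        if not m:
            continue
        ts, host, msg = m.groups()
        if any(p.search(msg) for p in FAILURE_PATTERNS):
            events.append((parse_ts(ts), host, msg))
    return events


def suspicious_flows(flows, trusted_nets, baseline_pkts):
    """Flows to the management IP from untrusted sources or far above baseline."""
    out = []
    for ts, src, dst, port, pkts in flows:
        if dst != MGMT_IP:
            continue
        src_ip = ipaddress.ip_address(src)
        untrusted = not any(src_ip in n for n in trusted_nets)
        spike = pkts > 10 * baseline_pkts  # assumed threshold: 10x the baseline
        if untrusted or spike:
            out.append({"ts": parse_ts(ts), "src": src, "port": port,
                        "pkts": pkts, "untrusted": untrusted, "spike": spike})
    return out


def correlate(events, flows, window=timedelta(minutes=5)):
    """Pair each failure event with the suspicious flows seen within `window` before it."""
    hits = []
    for ev_ts, host, msg in events:
        preceding = [f for f in flows if ev_ts - window <= f["ts"] <= ev_ts]
        if preceding:
            hits.append({"event": msg, "host": host, "ts": ev_ts,
                         "sources": sorted({f["src"] for f in preceding})})
    return hits


if __name__ == "__main__":
    flagged = suspicious_flows(SAMPLE_FLOWS, TRUSTED_MGMT_NETS, baseline_pkts=50)
    for hit in correlate(failure_events(SAMPLE_SYSLOG), flagged):
        print(f"{hit['ts']} {hit['host']}: {hit['event']} <- {hit['sources']}")
```

In production the flow side would come from NetFlow/IPFIX or firewall logs and the baseline from a rolling window rather than a constant; the correlation step is what turns an unexplained reboot into an alert with a source address to investigate.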
How to Mitigate CVE-2024-0101
Immediate Actions Required
- Apply the firmware updates published in the NVIDIA security advisory (Answer ID 5559) for all affected Mellanox OS, ONYX, Skyway, and MetroX-3 XC devices.
- Restrict management-plane reachability to dedicated, segmented administrative networks only.
- Audit existing ipfilter rule sets on all affected switches and remove or correct any improper definitions.
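The audit step above, and the baseline comparison under Detection Strategies, both need the running rule set normalised before it can be diffed, because the same rule can be written several ways. The following Python script is an added example, not code from this page or from NVIDIA: it parses rules in a simplified generic form ("target protocol source dest-port", which is not the syntax of any particular switch OS), normalises addresses with the ipaddress module, and reports rules missing from the baseline, duplicates, ACCEPT rules open to any source on a management port, and a missing terminal DROP. Both rule sets and the set of management ports are constructed assumptions.

```python
import ipaddress

MGMT_PORTS = {22, 443, 161}  # assumed management services: SSH, HTTPS, SNMP

# Constructed baseline and running rule sets in a simplified generic form:
# "<target> <protocol> <source> <dest-port>". Adapt parse_rules() to the
# "show" output of your platform.
BASELINE_RULES = """\
ACCEPT tcp 10.10.10.0/24 22
ACCEPT tcp 10.10.10.0/24 443
ACCEPT udp 10.10.10.0/24 161
DROP any any any
"""

RUNNING_RULES = """\
ACCEPT tcp 10.10.10.0 /24 22
ACCEPT tcp any 443
ACCEPT udp 10.10.10.0/24 161
ACCEPT tcp 10.10.10.0/24 22
"""


def parse_rules(text):
    """Parse rule lines into normalised (target, proto, source_net, port) tuples."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 4:
            continue
        target, proto = parts[0].upper(), parts[1].lower()
        # Tolerate "10.10.10.0 /24" (address and mask as separate tokens)
        if len(parts) == 5 and parts[3].startswith("/"):
            src, port = parts[2] + parts[3], parts[4]
        else:
            src, port = parts[2], parts[3]
        src_net = None if src == "any" else ipaddress.ip_network(src, strict=False)
        port_v = None if port == "any" else int(port)
        rules.append((target, proto, src_net, port_v))
    return rules


def audit(running, baseline):
    """Return (rule_number, finding) pairs for deviations from the baseline."""
    findings = []
    seen = set()
    base_set = set(baseline)
    for i, rule in enumerate(running, 1):
        target, proto, src, port = rule
        if rule in seen:
            findings.append((i, "duplicate rule"))
        seen.add(rule)
        if rule not in base_set:
            findings.append((i, "rule not in baseline"))
        if target == "ACCEPT" and src is None and (port is None or port in MGMT_PORTS):
            findings.append((i, "ACCEPT from any source to management port"))
    # The last rule must be a catch-all DROP, or unmatched traffic is accepted
    if not running or running[-1][0] != "DROP" or running[-1][2] is not None:
        findings.append((len(running), "no terminal default DROP"))
    return findings


if __name__ == "__main__":
    for num, finding in audit(parse_rules(RUNNING_RULES), parse_rules(BASELINE_RULES)):
        print(f"rule {num}: {finding}")
```

Run this against the configuration exported from each switch after the firmware update as well as before it, since an upgrade can reset or reorder filter rules.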
Patch Information
NVIDIA has released fixed firmware versions for the affected platforms. Consult the vendor advisory at NVIDIA Customer Support Answer 5559 for the specific fixed releases corresponding to MLNX-OS, MLNX-GW, ONYX, NVDA-OS XC, MetroX-2 and the Skyway hardware models such as MGA100-HS2, TQ8100-HS2F, TQ8200-HS2F, and MTQ8400-HS2R. Record the version each switch reports before and after the upgrade so that the fleet can be verified against the advisory rather than against change tickets.
Workarounds
- Place affected switches behind an upstream access control list, on the adjacent router or firewall, that blocks untrusted traffic from reaching the management and control-plane interfaces. Because the flawed component is the switch's own ipfilter, enforcement upstream does not depend on the vulnerable code and is the more reliable of the two options.
- Enforce strict source-IP allow-listing for SSH, HTTPS, SNMP, and other administrative protocols on the switch.
- Disable unused management services and protocols to reduce the attack surface exposed by the ipfilter subsystem.
# Configuration example: restrict management access to a trusted subnet.
# Generic, Cisco-style ACL syntax for illustration only; MLNX-OS and ONYX
# use their own command tree for management-plane filtering, so map each
# line to the equivalent command in the user manual for your release.
# Apply from a console or out-of-band session so a mistake cannot lock you out.
# Replace 10.10.10.0/24 with your administrative management subnet.
configure terminal
ip access-list mgmt-acl
  permit tcp 10.10.10.0/24 any eq 22
  permit tcp 10.10.10.0/24 any eq 443
  permit udp 10.10.10.0/24 any eq 161
  deny ip any any log
exit
interface mgmt0
  ip access-group mgmt-acl in
exit
write memory
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.