CVE-2024-20291: Cisco NX-OS ACL Bypass Vulnerability

CVE-2024-20291 Overview

A vulnerability in the access control list (ACL) programming for port channel subinterfaces of Cisco Nexus 3000 and 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to send traffic that should be blocked through an affected device. This authorization bypass vulnerability enables attackers to circumvent security controls and access network resources that should be protected by properly configured ACLs.

The vulnerability stems from incorrect hardware programming that occurs when configuration changes are made to port channel member ports. An attacker could exploit this vulnerability by attempting to send traffic through an affected device, potentially gaining unauthorized access to protected network segments.

Critical Impact

Unauthenticated remote attackers can bypass ACL protections on port channel subinterfaces, allowing unauthorized network traffic to pass through affected Cisco Nexus switches and access protected resources.

Affected Products

• Cisco NX-OS versions 9.3(10), 9.3(11), 9.3(12)
• Cisco Nexus 3000 Series Switches in standalone NX-OS mode
• Cisco Nexus 9000 Series Switches in standalone NX-OS mode

Discovery Timeline

• February 29, 2024 - CVE-2024-20291 published to NVD
• April 30, 2025 - Last updated in NVD database

Technical Details for CVE-2024-20291

Vulnerability Analysis

This vulnerability represents an authorization bypass (CWE-863) and improper access control (CWE-284) issue affecting the ACL enforcement mechanism on Cisco Nexus switches. The flaw exists in how the switch hardware processes ACL rules applied to port channel subinterfaces.

When administrators make configuration changes to port channel member ports, the hardware programming responsible for enforcing ACLs fails to properly update. This creates a window where traffic that should be denied by configured ACL rules is instead permitted to pass through the device. The vulnerability is particularly concerning because it affects the foundational security control mechanism that organizations rely on for network segmentation and access control.

The impact allows attackers to reach network resources that administrators intended to be inaccessible from certain network segments. This can undermine network segmentation strategies and potentially expose sensitive internal systems to unauthorized access.

Root Cause

The root cause of this vulnerability is incorrect hardware programming that occurs during configuration changes to port channel member ports. When port channel configurations are modified, the ACL rules applied to port channel subinterfaces are not properly programmed into the switching hardware. This results in a mismatch between the intended ACL policy (as shown in the software configuration) and the actual hardware-enforced policy.

The issue specifically affects port channel subinterfaces rather than standard physical interfaces or the main port channel interface. This indicates that the hardware programming logic for subinterface ACLs has a defect in how it handles configuration state transitions for port channel members.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:

1. Identifying a Cisco Nexus 3000 or 9000 Series switch running a vulnerable NX-OS version
2. Determining that the target switch uses port channel subinterfaces with ACLs applied
3. Waiting for or triggering a configuration change to port channel member ports
4. Sending traffic that would normally be blocked by the ACL through the affected port channel subinterface

The exploitation is straightforward as it simply involves sending network traffic that the ACL should block. If the vulnerability condition exists, the traffic passes through without being filtered.

Since this is a hardware programming issue with network traffic bypass, exploitation involves sending packets through the affected switch interface. The vulnerability allows network traffic that should be denied by ACL rules to pass through when configuration changes have been made to port channel member ports. See the Cisco Security Advisory for detailed technical information and verification steps.

Detection Methods for CVE-2024-20291

Indicators of Compromise

• Unexpected network traffic reaching protected segments that should be blocked by port channel subinterface ACLs
• Network monitoring alerts showing connections from sources that ACL rules should deny
• Traffic analysis revealing access to restricted resources after port channel configuration changes
• Discrepancies between configured ACL policies and observed traffic patterns on port channel subinterfaces

Detection Strategies

• Compare the running ACL configuration against actual traffic patterns using NetFlow or sFlow data to identify policy violations
• Implement network monitoring to detect traffic flows that should be blocked by configured ACLs on port channel subinterfaces
• Monitor switch configuration change logs and correlate with unexpected traffic patterns
• Use packet capture at critical network boundaries to verify ACL enforcement is functioning correctly

Monitoring Recommendations

• Enable syslog monitoring for port channel configuration changes on affected Nexus switches
• Implement network segmentation verification testing after any configuration changes to port channel members
• Deploy network intrusion detection systems to identify traffic patterns that violate expected ACL policies
• Regularly audit ACL effectiveness by testing denied traffic paths through port channel subinterfaces

How to Mitigate CVE-2024-20291

Immediate Actions Required

• Identify all Cisco Nexus 3000 and 9000 Series switches running NX-OS versions 9.3(10), 9.3(11), or 9.3(12) in your environment
• Review switch configurations to identify devices using ACLs on port channel subinterfaces
• Prioritize patching for switches that serve as security boundaries or segment sensitive network resources
• Consider temporarily applying ACLs to individual physical interfaces as an interim security measure

Patch Information

Cisco has released software updates that address this vulnerability. Administrators should upgrade to a fixed NX-OS release as documented in the Cisco Security Advisory. The advisory provides specific fixed release information and upgrade guidance for affected platforms.

Customers should obtain fixed software through their regular software update channels or contact the Cisco Technical Assistance Center (TAC) for assistance with software upgrades.

Workarounds

• Apply ACLs directly to individual physical interfaces instead of port channel subinterfaces where feasible
• Minimize configuration changes to port channel member ports until patches are applied
• Implement additional network security controls such as firewalls at network boundaries to provide defense-in-depth
• After any port channel configuration changes, verify ACL enforcement by testing blocked traffic paths

# Verify current NX-OS version on affected switches
show version

# Review port channel subinterface ACL configurations
show running-config interface port-channel
show access-lists summary

# Check for port channel configuration and ACL bindings
show port-channel summary
show ip access-lists interface port-channel