CVE-2024-20294 Overview
A vulnerability in the Link Layer Discovery Protocol (LLDP) feature of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability stems from improper handling of specific fields in an LLDP frame, which can be exploited by sending crafted LLDP packets to an interface of an affected device.
An attacker could exploit this vulnerability by sending a crafted LLDP packet to an interface of an affected device and having an authenticated user retrieve LLDP statistics from the affected device through CLI show commands or Simple Network Management Protocol (SNMP) requests. A successful exploit could allow the attacker to cause the LLDP service to crash and stop running on the affected device. In certain situations, the LLDP crash may result in a reload of the affected device.
Critical Impact
This vulnerability requires adjacent network access (Layer 2 connectivity) and no credentials on the attacker's side, but the crash is only triggered when a legitimate user or management system later reads LLDP statistics, so routine CLI troubleshooting or SNMP polling is the expected trigger. A successful exploit crashes the LLDP service and, in some cases, reloads the whole device, disrupting switches and fabric interconnects that carry production traffic.
Affected Products
- Cisco Firepower Extensible Operating System (FXOS) versions 2.2.x through 2.14.x
- Cisco NX-OS Software across multiple software trains (6.x through 10.x, depending on the platform; the Cisco advisory lists the exact affected and fixed releases)
- Cisco Nexus 3000, 5000, 6000, 7000, and 9000 Series Switches
- Cisco MDS 9000 Series Multilayer Switches
- Cisco UCS 6200, 6300, 6400, and 6500 Series Fabric Interconnects
- Cisco Firepower 4100 and 9300 Series Appliances
Discovery Timeline
- February 29, 2024 - CVE-2024-20294 published to NVD
- May 21, 2025 - Last updated in NVD database
Technical Details for CVE-2024-20294
Vulnerability Analysis
This vulnerability (CWE-805: Buffer Access with Incorrect Length Value) exists in the LLDP implementation within Cisco FXOS and NX-OS software. The LLDP service does not correctly validate the length values of certain TLV (Type-Length-Value) structures in received LLDP frames before using them.
When the LLDP daemon receives a malformed frame containing crafted field values, the bad data is accepted and stored. The crash comes later, when an authenticated user queries LLDP statistics via CLI commands (such as show lldp neighbors or show lldp traffic) or via SNMP and the service walks the corrupted structures; the resulting out-of-bounds memory access terminates the LLDP process.
The attack requires adjacent network access, meaning the attacker must be on the same Layer 2 segment as a target interface. LLDP frames are addressed to a reserved link-local multicast MAC that conforming bridges and routers do not forward, so in practice this means either a direct physical connection to an affected interface or a Layer 2 tunnel configured to transport LLDP traffic.
Root Cause
The root cause is improper input validation in the LLDP frame parsing routines: the service does not adequately check the length fields of certain TLV structures against the bytes actually present before using them to access buffer memory. Because a malformed frame is accepted and stored at receive time, the fault surfaces on the read path, when a show command or SNMP query renders the stored neighbor data and the bad length drives a buffer over-read or similar memory access violation.
This is the CWE-805 pattern (Buffer Access with Incorrect Length Value): a sequential read from or write to a buffer using a length value that carries the access outside the buffer's bounds.
Attack Vector
The attack vector requires the adversary to be positioned on an adjacent network segment with Layer 2 connectivity to the target device. The exploitation follows a two-phase approach:
Phase 1 - Packet Injection: The attacker sends specially crafted LLDP frames to an interface of the affected device. Because LLDP is a Layer 2 protocol, the attacker must be directly connected to the target, either physically or through a Layer 2 tunnel configuration. No authentication is required for this phase, and the frames themselves do not cause an immediate fault.
Phase 2 - Trigger Condition: An authenticated user on the device must retrieve LLDP statistics. This occurs when:
- An administrator executes CLI commands like show lldp neighbors, show lldp neighbors detail, or show lldp traffic
- Network management systems poll LLDP statistics via SNMP queries
- Automated scripts or monitoring tools query LLDP data
When the corrupted LLDP data is processed during these operations, the LLDP service crashes. Depending on the device configuration and the specific crash conditions, this may result in just the LLDP service stopping or could trigger a complete device reload.
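The two-phase behaviour described under Root Cause and Attack Vector, as an added example (not Cisco code, and not derived from the affected implementation): a Python LLDP TLV walker written in the CWE-805 style, which records a TLV's declared length at receive time and only trips over it when a later "show" slices the stored record, beside a bounds-checked walker that rejects the frame on arrival. The frames, the source MAC and the 511-byte TTL length are constructed for the demo; the naive parser models the bug class, not Cisco's actual code.

```python
# Added example (not Cisco code): an LLDP TLV walker in the CWE-805 style
# beside a bounds-checked one. All frames below are constructed for the demo.
import struct

LLDP_ETHERTYPE = 0x88CC
LLDP_MCAST = bytes.fromhex("0180c200000e")   # reserved LLDP multicast address
SRC_MAC = bytes.fromhex("0200deadbeef")      # constructed source MAC
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
ETH_HDR_LEN = 14


def tlv(tlv_type, value, declared_len=None):
    """Encode one TLV: 7-bit type, 9-bit length, value. declared_len lets the
    demo lie about the length, which is what a crafted frame does."""
    length = len(value) if declared_len is None else declared_len
    return struct.pack("!H", (tlv_type << 9) | (length & 0x1FF)) + value


def lldp_frame(*tlvs):
    """Ethernet header (LLDP multicast dst, EtherType 0x88CC) plus the LLDPDU."""
    return LLDP_MCAST + SRC_MAC + struct.pack("!H", LLDP_ETHERTYPE) + b"".join(tlvs)


def naive_store(frame):
    """Phase 1, receive path in the CWE-805 style: record each TLV's type,
    declared length and offset without comparing the length to the bytes
    actually present. Returns the neighbor record a later show would read."""
    recs, off = [], ETH_HDR_LEN
    while off + 2 <= len(frame):
        header = struct.unpack_from("!H", frame, off)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        if tlv_type == TLV_END:
            break
        recs.append((tlv_type, length, off + 2))
        off += 2 + length
    return frame, recs


def naive_show(record):
    """Phase 2, the 'show lldp ...' path: slice each value using the stored
    length. struct.unpack_from raises struct.error when a stored length runs
    past the buffer, the Python stand-in for the out-of-bounds read that
    crashes the LLDP service."""
    frame, recs = record
    return [(t, struct.unpack_from(f"!{n}s", frame, off)[0]) for t, n, off in recs]


def parse_lldp(frame):
    """Bounds-checked walker: returns (tlvs, errors). Every declared length is
    checked against the remaining bytes before it is used, and the mandatory
    Chassis ID / Port ID / TTL ordering from IEEE 802.1AB is enforced."""
    tlvs, errors = [], []
    if len(frame) < ETH_HDR_LEN or struct.unpack_from("!H", frame, 12)[0] != LLDP_ETHERTYPE:
        return tlvs, ["not an LLDP frame"]
    off = ETH_HDR_LEN
    while off < len(frame):
        if off + 2 > len(frame):
            errors.append(f"truncated TLV header at offset {off}")
            break
        header = struct.unpack_from("!H", frame, off)[0]
        tlv_type, length = header >> 9, header & 0x1FF
        off += 2
        if off + length > len(frame):
            errors.append(f"TLV type {tlv_type} declares {length} bytes but only {len(frame) - off} remain")
            break
        tlvs.append((tlv_type, frame[off:off + length]))
        off += length
        if tlv_type == TLV_END:
            break
    mandatory = [t for t, _ in tlvs[:3]]
    if mandatory != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        errors.append(f"mandatory TLV order violated: {mandatory}")
    elif len(tlvs[2][1]) != 2:
        errors.append("TTL TLV must carry exactly 2 bytes")
    return tlvs, errors


# Constructed sample frames: a well-formed one, and the same frame whose TTL TLV
# claims 511 bytes while carrying only 2.
GOOD_FRAME = lldp_frame(
    tlv(TLV_CHASSIS_ID, b"\x04" + SRC_MAC),      # subtype 4 = MAC address
    tlv(TLV_PORT_ID, b"\x05Ethernet1/1"),        # subtype 5 = interface name
    tlv(TLV_TTL, struct.pack("!H", 120)),
    tlv(TLV_END, b""),
)
CRAFTED_FRAME = lldp_frame(
    tlv(TLV_CHASSIS_ID, b"\x04" + SRC_MAC),
    tlv(TLV_PORT_ID, b"\x05Ethernet1/1"),
    tlv(TLV_TTL, struct.pack("!H", 120), declared_len=511),
    tlv(TLV_END, b""),
)


def demo_crash():
    """True if the naive path stores the crafted frame without complaint and
    then fails on the show path, mirroring the two-phase trigger."""
    stored = naive_store(CRAFTED_FRAME)
    try:
        naive_show(stored)
    except struct.error:
        return True
    return False


if __name__ == "__main__":
    print(parse_lldp(GOOD_FRAME)[1])      # []
    print(parse_lldp(CRAFTED_FRAME)[1])   # length error on TLV type 3
    print(demo_crash())                   # True
```

The point of the split into naive_store and naive_show is that the receive path succeeds on the crafted frame; nothing is logged until a show or SNMP read touches the record, which is why the indicators in the next section are crash messages rather than receive-time parse errors.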
Detection Methods for CVE-2024-20294
Indicators of Compromise
- Unexpected LLDP service crashes or restarts observed in device logs (show logging)
- System messages indicating LLDP process failures or memory access violations
- Unusual volume of LLDP frames from unknown or unexpected MAC addresses
- Device reloads with core dumps referencing the LLDP process
Detection Strategies
- Monitor syslog for LLDP-related crash messages and service restart events
- Implement network monitoring to detect anomalous LLDP traffic patterns at Layer 2
- Configure SNMP traps to alert on process failures, particularly for the LLDP daemon
- Review core dump files for evidence of LLDP process crashes with memory violations
Monitoring Recommendations
- Enable LLDP logging and set appropriate severity levels to capture service state changes
- Deploy packet capture capabilities on management networks to analyze LLDP frame structures
- Implement baseline monitoring for LLDP neighbor counts and traffic statistics to detect anomalies
- Use network analytics tools to identify unexpected Layer 2 devices sending LLDP frames
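The detection and baseline checks above, as an added example (not Cisco tooling): a syslog rule that raises an alert only for SYSMGR SERVICE_CRASHED messages naming the lldp service, and a baseline diff over "show lldp neighbors" output that flags neighbors absent from an approved list. The log lines, hostnames, PIDs and neighbor tables are constructed samples modelled on NX-OS output formats, not captures from an affected device.

```python
# Added example (not Cisco code): detection for the indicators listed above.
# The syslog lines and 'show lldp neighbors' tables are constructed samples
# modelled on NX-OS output formats, not captures from a real device.
import re

# NX-OS syslog shape: "<year> <mon> <day> <hh:mm:ss> <host> %FACILITY-SEV-MNEMONIC: text"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
# Body of a SYSMGR SERVICE_CRASHED message names the service and its PID.
SERVICE_RE = re.compile(r'Service "(?P<svc>[^"]+)" \(PID (?P<pid>\d+)\)')

SAMPLE_SYSLOG = """\
2024 Mar  1 10:14:58 nx-core-1 %ETHPORT-5-IF_UP: Interface Ethernet1/20 is up in mode access
2024 Mar  1 10:15:22 nx-core-1 %SYSMGR-2-SERVICE_CRASHED: Service "lldp" (PID 23810) hasn't caught signal 11 (core will be saved).
2024 Mar  1 10:15:23 nx-core-1 %SYSMGR-2-SERVICE_CRASHED: Service "snmpd" (PID 23911) hasn't caught signal 6 (core will be saved).
2024 Mar  1 10:15:40 nx-core-1 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on 10.0.0.5@pts/0
"""


def parse_syslog(text):
    """Parse NX-OS style syslog lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def lldp_crash_alerts(text, service="lldp"):
    """One alert per SYSMGR SERVICE_CRASHED message for the LLDP service.
    Crashes of other services are ignored so the rule stays specific."""
    alerts = []
    for ev in parse_syslog(text):
        if ev["mnemonic"] != "SERVICE_CRASHED":
            continue
        m = SERVICE_RE.search(ev["text"])
        if m and m.group("svc") == service:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "pid": m.group("pid")})
    return alerts


# Constructed 'show lldp neighbors' output: an approved baseline, and a later
# capture with one neighbor that was never approved.
BASELINE_NEIGHBORS = """\
Capability codes:
  (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
  (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other
Device ID            Local Intf      Hold-time  Capability  Port ID
nx-core-2            Eth1/1          120        BR          Eth1/1
esx-host-07          Eth1/10         120        S           vmnic0
Total entries displayed: 2
"""
CURRENT_NEIGHBORS = BASELINE_NEIGHBORS.replace(
    "Total entries displayed: 2",
    "0200.dead.beef       Eth1/20         120        S           1\nTotal entries displayed: 3",
)


def parse_lldp_neighbors(text):
    """Parse the neighbor table into {(device_id, local_intf): port_id}."""
    neighbors, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Device ID"):
            in_table = True
            continue
        if line.startswith("Total entries"):
            break
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 4:      # Capability may be blank; Port ID is always last
            continue
        neighbors[(fields[0], fields[1])] = fields[-1]
    return neighbors


def unknown_neighbors(baseline_text, current_text):
    """Neighbors present now but absent from the approved baseline: the IOC
    'LLDP frames from unknown or unexpected devices' in table form."""
    return set(parse_lldp_neighbors(current_text)) - set(parse_lldp_neighbors(baseline_text))


if __name__ == "__main__":
    print(lldp_crash_alerts(SAMPLE_SYSLOG))
    print(unknown_neighbors(BASELINE_NEIGHBORS, CURRENT_NEIGHBORS))
```

Run the neighbor diff from a collector that retrieves the table over SSH rather than by polling the LLDP MIB over SNMP on unpatched devices, since the SNMP read is itself one of the documented trigger paths.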
How to Mitigate CVE-2024-20294
Immediate Actions Required
- Review the Cisco Security Advisory for the complete list of affected versions and fixed releases
- Prioritize patching devices on network segments accessible to untrusted Layer 2 adjacencies
- Consider disabling LLDP on interfaces where it is not required for network operations
- Implement physical security controls to limit unauthorized Layer 2 access to network infrastructure
Patch Information
Cisco has released software updates that address this vulnerability. The fixed software versions vary by platform and software train. Administrators should consult the Cisco Security Advisory cisco-sa-nxos-lldp-dos-z7PncTgt (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-lldp-dos-z7PncTgt) and the Cisco Software Checker to determine the appropriate fixed release for their specific deployment.
For Cisco FXOS, updates are available for the 2.2.x through 2.14.x trains. For Cisco NX-OS, fixed releases cover multiple software trains (6.x, 7.x, 8.x, 9.x and 10.x); which train applies depends on the platform.
Workarounds
- Disable LLDP globally (no feature lldp) or on specific interfaces (no lldp transmit and no lldp receive) where it is not operationally required. Removing the feature or disabling receive is what stops the device from accepting inbound frames on a port; disabling transmit alone does not reduce exposure. LLDP also carries DCBX TLVs, so disabling it on ports that negotiate FCoE or priority flow control can break that traffic; verify before applying fleet-wide.
- Implement Layer 2 access controls to restrict which devices can send traffic to network infrastructure interfaces, and shut down unused ports.
- Limit LLDP neighbor relationships to known, trusted devices by using port security features where available. Port security binds source MAC addresses, which an attacker on the segment can spoof, so it raises the bar rather than closing the vector.
- Avoid querying LLDP statistics on production devices until patches can be applied. This includes SNMP polls of the LLDP MIB by network management systems, which are the most likely trigger in practice; pause those pollers for affected devices.
# Disable LLDP globally on NX-OS
configure terminal
no feature lldp
end
# Or disable LLDP on specific interfaces (receive is the direction that matters here)
configure terminal
interface Ethernet1/1
no lldp transmit
no lldp receive
end
# Verify the resulting state
show running-config lldp
show lldp interface ethernet 1/1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

