CVE-2024-20433 Overview
A vulnerability in the Resource Reservation Protocol (RSVP) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to a buffer overflow when processing crafted RSVP packets. An attacker could exploit this vulnerability by sending RSVP traffic to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.
Critical Impact
Unauthenticated remote attackers can cause network infrastructure devices to reload by sending specially crafted RSVP packets, potentially disrupting critical network services and connectivity.
Affected Products
- Cisco IOS (versions 12.0 through 15.9)
- Cisco IOS XE (versions 3.3.0sg through 17.14.1a)
- Network devices running the RSVP feature
Discovery Timeline
- September 25, 2024 - CVE-2024-20433 published to NVD
- October 3, 2024 - Last updated in NVD database
Technical Details for CVE-2024-20433
Vulnerability Analysis
This vulnerability affects the Resource Reservation Protocol (RSVP) implementation in Cisco IOS and IOS XE Software. RSVP is a signaling protocol used to reserve resources across a network for the purpose of providing Quality of Service (QoS) guarantees for network flows. The vulnerability exists in how the RSVP feature processes incoming RSVP packets.
When a crafted RSVP packet is received by a vulnerable device, the packet processing code fails to properly validate the size or content of the data being processed, leading to a stack-based buffer overflow condition (CWE-121). This out-of-bounds write (CWE-787) corrupts memory on the network device's stack, causing the device to crash and reload. The attack requires no authentication and can be executed remotely over the network, making it particularly dangerous for exposed network infrastructure.
The vulnerability affects a wide range of Cisco IOS versions spanning from version 12.0 to 15.9, as well as Cisco IOS XE versions from 3.3.0sg through 17.14.1a, indicating this is a longstanding issue in the RSVP implementation that affects both legacy and current network operating systems.
Root Cause
The root cause of this vulnerability is a stack-based buffer overflow (CWE-121) in the RSVP packet processing code. When processing RSVP traffic, the software does not properly validate input boundaries before writing data to a fixed-size buffer on the stack. This allows an attacker to overflow the buffer with data from a specially crafted RSVP packet, leading to memory corruption and an out-of-bounds write condition (CWE-787). The corrupted stack causes the device to crash and initiate an unexpected reload.
Attack Vector
The attack is network-based and can be executed by an unauthenticated remote attacker. The attacker must be able to deliver RSVP packets to the target device; RSVP is carried as IP protocol number 46, so such packets can traverse any network path that forwards that protocol toward an interface where RSVP is enabled. The attack flow involves:
- Attacker identifies a Cisco IOS or IOS XE device with RSVP enabled
- Attacker crafts malicious RSVP packets designed to trigger the buffer overflow
- Attacker sends the crafted packets to the target device
- The device's RSVP processing code attempts to handle the malformed packet
- Buffer overflow occurs, corrupting the stack memory
- Device crashes and reloads, causing service disruption
The attack requires no user interaction and can be launched with low complexity, making it a significant threat to network infrastructure where RSVP is deployed for QoS reservations.
Detection Methods for CVE-2024-20433
Indicators of Compromise
- Unexpected device reloads with crashinfo files indicating RSVP-related memory corruption
- Syslog messages showing device crashes during RSVP packet processing
- Abnormal RSVP traffic patterns or malformed RSVP packets captured in network monitoring
- Core dumps indicating stack overflow or memory corruption in RSVP processing functions
Detection Strategies
- Monitor network devices for unexpected reloads and analyze crashinfo files for RSVP-related indicators
- Implement network traffic analysis to detect anomalous or malformed RSVP packets (IP protocol 46)
- Configure SNMP traps and syslog forwarding to capture and alert on device reload events
- Use intrusion detection systems (IDS) with signatures for malformed RSVP packet detection
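As an added illustration of the traffic-analysis strategy above (example code written for this page, not taken from the original page or from Cisco), the following Python checks the framing of one RSVP message, the payload of an IP protocol 46 packet, against the RFC 2205 common-header and object layouts and reports length fields that disagree with the bytes actually received. The sample messages are constructed, and because the specific defect in Cisco's implementation is not public this is a generic malformed-RSVP check for a monitoring pipeline, not a signature for this CVE.

```python
import struct

# RSVP common header, RFC 2205 s3.1.1 (8 bytes):
#   Vers(4 bits)+Flags(4 bits) | Msg Type | Checksum | Send_TTL | Reserved | RSVP Length
HEADER = struct.Struct("!BBHBBH")
OBJ_HDR = struct.Struct("!HBB")  # Length | Class-Num | C-Type, then the object body
MSG_TYPES = {1: "Path", 2: "Resv", 3: "PathErr", 4: "ResvErr", 5: "PathTear", 6: "ResvTear", 7: "ResvConf"}


def validate_rsvp(payload: bytes) -> list[str]:
    """Framing checks for one RSVP message (payload of an IP protocol 46 packet).
    Returns the anomalies found; empty means the length fields are self-consistent.
    Only framing is checked, not object semantics or the checksum."""
    issues = []
    if len(payload) < HEADER.size:
        return [f"truncated: {len(payload)} bytes, common header needs {HEADER.size}"]
    vers_flags, msg_type, _csum, _ttl, _rsvd, rsvp_len = HEADER.unpack_from(payload)
    if vers_flags >> 4 != 1:
        issues.append(f"unexpected RSVP version {vers_flags >> 4}")
    if msg_type not in MSG_TYPES:
        issues.append(f"unknown message type {msg_type}")
    if rsvp_len != len(payload):
        issues.append(f"header length {rsvp_len} != payload length {len(payload)}")
    end = min(rsvp_len, len(payload))  # never trust the header length past the captured bytes
    off = HEADER.size
    while off < end:
        if end - off < OBJ_HDR.size:
            issues.append(f"{end - off} trailing byte(s) at offset {off}, too short for an object")
            break
        obj_len, class_num, c_type = OBJ_HDR.unpack_from(payload, off)
        if obj_len < OBJ_HDR.size or obj_len % 4:
            issues.append(f"object {class_num}/{c_type} at {off}: invalid length {obj_len}")
            break
        if off + obj_len > end:
            issues.append(f"object {class_num}/{c_type} at {off}: claims {obj_len} bytes, only {end - off} remain")
            break
        off += obj_len
    return issues

# Constructed samples, not captured traffic: a minimal PathTear carrying SESSION and
# RSVP_HOP objects, then the same message with the SESSION length field inflated.
GOOD = (bytes.fromhex("1005000040000020")                                           # v1, PathTear, TTL 64, length 32
        + bytes.fromhex("000c0101") + bytes([10, 0, 0, 1]) + bytes.fromhex("1100138c")  # SESSION: 10.0.0.1 udp/5004
        + bytes.fromhex("000c0301") + bytes([10, 0, 0, 2]) + bytes.fromhex("00000000"))  # RSVP_HOP: 10.0.0.2, LIH 0
BAD_OBJ_LEN = GOOD[:8] + bytes.fromhex("0ff0") + GOOD[10:]  # SESSION now claims 4080 bytes

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("bad_obj_len", BAD_OBJ_LEN), ("short", GOOD[:20])):
        print(name, validate_rsvp(pkt) or "well-formed")
```

A packet that produces any issue is worth capturing and correlating with device reload events; a clean result only means the framing is consistent, not that the message is benign.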
Monitoring Recommendations
- Enable logging for RSVP-related events and forward logs to a centralized SIEM solution
- Monitor device uptime metrics and create alerts for unexpected reloads
- Implement baseline monitoring for RSVP traffic volumes to detect anomalous patterns
- Review network device crashinfo and core dump files regularly for signs of exploitation attempts
How to Mitigate CVE-2024-20433
Immediate Actions Required
- Review the Cisco Security Advisory for affected version details and fixed releases
- Identify all Cisco IOS and IOS XE devices in your environment running vulnerable versions
- Prioritize patching for internet-facing or externally accessible network devices
- If RSVP is not required, disable the feature as a temporary mitigation
Patch Information
Cisco has released security patches addressing this vulnerability. Organizations should consult the Cisco Security Advisory for specific fixed software versions applicable to their deployment. The advisory provides detailed version-specific upgrade paths for both Cisco IOS and Cisco IOS XE Software.
Workarounds
- Disable RSVP on interfaces where it is not operationally required to eliminate the attack surface
- Implement infrastructure access control lists (iACLs) to restrict RSVP traffic (IP protocol 46) to trusted sources only
- Use control plane policing (CoPP) to rate-limit or block RSVP traffic from untrusted sources
- Segment the network to isolate devices running RSVP from untrusted network segments
! Example: disable RSVP on an interface where it is not required (Cisco IOS/IOS XE)
interface GigabitEthernet0/0
 no ip rsvp bandwidth
!
! Example: infrastructure ACL that drops RSVP (IP protocol 46) from all sources on an
! untrusted-facing interface; add "permit 46 host <trusted-peer> any" entries above the
! deny line if RSVP must still be accepted from known peers
ip access-list extended BLOCK-RSVP
 deny 46 any any
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group BLOCK-RSVP in
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.