CVE-2024-20436 Overview
CVE-2024-20436 is a denial-of-service vulnerability in the HTTP Server feature of Cisco IOS XE Software. The flaw exists when the Telephony Service feature is enabled on an affected device. An unauthenticated, remote attacker can exploit the issue by sending crafted HTTP traffic to specific URLs on the target. The condition arises from a null pointer dereference [CWE-476] triggered during URL handling. A successful exploit forces the device to reload, producing a denial-of-service condition. The vulnerability affects a broad range of Cisco IOS XE releases across the 3.x, 16.x, and 17.x trains.
Critical Impact
Unauthenticated remote attackers can reload affected Cisco IOS XE devices by sending crafted HTTP requests, disrupting routing, switching, and telephony services.
Affected Products
- Cisco IOS XE Software (3.x train, including 3.9.x through 3.18.x releases)
- Cisco IOS XE Software (16.x train, including 16.2.1 through 16.12.8 releases)
- Cisco IOS XE Software (17.x train, including 17.1.1 through 17.12.1a releases) with Telephony Service and HTTP Server features enabled
Discovery Timeline
- 2024-09-25 - CVE-2024-20436 published to NVD
- 2024-10-08 - Last updated in NVD database
Technical Details for CVE-2024-20436
Vulnerability Analysis
The vulnerability resides in the HTTP Server component of Cisco IOS XE Software when the Telephony Service feature is configured. Cisco IOS XE exposes an embedded web server used for device management and telephony service interfaces. When the HTTP Server receives a request for specific URLs tied to the Telephony Service feature, the request handler dereferences a pointer that has not been properly validated. The resulting null pointer dereference [CWE-476] crashes the responsible process and causes the device to reload. Because the HTTP Server is reachable over the network, no authentication is required to trigger the condition. The impact is restricted to availability, with no confidentiality or integrity exposure.
Root Cause
The root cause is missing input validation in the URL handling logic of the HTTP Server when the Telephony Service feature is enabled. Specific request paths cause the handler to access a structure pointer before it is initialized or after it has been released. Dereferencing the null pointer triggers a fatal exception, leading to an unplanned device reload.
Attack Vector
Exploitation requires only network reachability to the HTTP or HTTPS management interface of the affected device. An attacker submits crafted HTTP requests targeting URLs handled by the Telephony Service code path. Each successful request can reload the device, and repeated requests sustain the denial-of-service condition. No user interaction or credentials are required. Devices exposing the HTTP Server to untrusted networks face the highest risk.
No public proof-of-concept exploit is available at the time of writing, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is 1.78% (82.9th percentile), reflecting a moderate exploitation probability.
Detection Methods for CVE-2024-20436
Indicators of Compromise
- Unexpected device reloads with crash files referencing the HTTP Server process (iosd or nginx-related worker processes on IOS XE platforms).
- show version output indicating the last reload reason as a software-forced crash following HTTP activity.
- Spikes in inbound HTTP or HTTPS requests to management addresses immediately preceding a reload event.
Detection Strategies
- Monitor syslog for %SYS-2-WATCHDOG or process crash messages tied to the HTTP Server immediately after external HTTP traffic.
- Correlate NetFlow or firewall logs to identify external sources sending HTTP requests directly to router management IP addresses.
- Use configuration audits to flag devices that have both ip http server (or ip http secure-server) and telephony-service enabled, as these meet the exploitation precondition.
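The configuration audit described above, as an added example that is not part of the original page: a small Python auditor that walks the top-level lines of a running-config, records whether `ip http server` / `ip http secure-server` and `telephony-service` are enabled and whether an `ip http access-class` is applied, and rates each device against the exploitation precondition. The three device configs are constructed samples; the hostnames, addresses and the `MGMT-HTTP-ACL` name are assumptions, and the severity labels are the author's own choice.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed running-config excerpts for three hypothetical devices
# (not captured from real equipment).
SAMPLE_CONFIGS = {
    "edge-rtr-01": """
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
telephony-service
 max-ephones 10
 max-dn 20
!
""",
    "edge-rtr-02": """
hostname edge-rtr-02
!
ip access-list standard MGMT-HTTP-ACL
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
ip http secure-server
ip http access-class ipv4 MGMT-HTTP-ACL
!
telephony-service
 max-ephones 10
!
""",
    "core-sw-01": """
hostname core-sw-01
!
no ip http server
no ip http secure-server
!
""",
}


@dataclass
class HttpExposureAudit:
    hostname: str = "unknown"
    http_server: bool = False
    https_server: bool = False
    telephony_service: bool = False
    http_access_class: Optional[str] = None
    findings: List[str] = field(default_factory=list)

    @property
    def precondition_met(self) -> bool:
        # Both conditions from the advisory: HTTP Server reachable and
        # Telephony Service configured.
        return (self.http_server or self.https_server) and self.telephony_service


def audit_running_config(config_text: str) -> HttpExposureAudit:
    """Scan top-level config lines for the CVE-2024-20436 precondition."""
    result = HttpExposureAudit()
    for raw in config_text.splitlines():
        # Sub-mode lines are indented; '!' lines are separators/comments.
        if raw.startswith((" ", "\t", "!")):
            continue
        line = raw.strip()
        if not line:
            continue
        if line.startswith("hostname "):
            result.hostname = line.split(None, 1)[1]
        elif line == "ip http server":
            result.http_server = True
        elif line == "no ip http server":
            result.http_server = False
        elif line == "ip http secure-server":
            result.https_server = True
        elif line == "no ip http secure-server":
            result.https_server = False
        elif line == "telephony-service":
            result.telephony_service = True
        elif line == "no telephony-service":
            result.telephony_service = False
        elif line.startswith("ip http access-class "):
            # Last token is the ACL name or number in both the numbered
            # and the 'ipv4 <name>' forms of the command.
            result.http_access_class = line.split()[-1]

    if result.precondition_met:
        if result.http_access_class is None:
            result.findings.append(
                "CRITICAL: HTTP Server and telephony-service enabled with no "
                "ip http access-class; apply fixed release and restrict access")
        else:
            result.findings.append(
                f"HIGH: precondition met; access-class {result.http_access_class} "
                "limits exposure but the fixed release is still required")
    elif result.http_server or result.https_server:
        result.findings.append(
            "INFO: HTTP Server enabled without telephony-service; outside the "
            "CVE-2024-20436 precondition, review exposure anyway")
    return result


def audit_fleet(configs: Dict[str, str]) -> Dict[str, HttpExposureAudit]:
    """Audit a mapping of device name -> running-config text."""
    return {name: audit_running_config(text) for name, text in configs.items()}


if __name__ == "__main__":
    for name, audit in audit_fleet(SAMPLE_CONFIGS).items():
        print(name, "precondition_met=%s" % audit.precondition_met, audit.findings)
```

The auditor deliberately ignores indented lines so that a `telephony-service` sub-mode entry or an ACL entry is never mistaken for a top-level feature toggle; feed it the output of `show running-config` collected by whatever config-backup tooling is already in place.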
Monitoring Recommendations
- Ingest IOS XE syslog and crashinfo files into a centralized logging or SIEM platform and alert on repeated unexpected reloads.
- Track availability of affected devices through SNMP or streaming telemetry to detect short-interval reboot cycles indicative of exploitation attempts.
- Alert on HTTP requests to telephony-related URL paths originating from networks that should not be managing the device.
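The reload-to-HTTP correlation that the detection and monitoring recommendations describe, as an added example that is not part of the original page: for every `%SYS-5-RESTART` syslog event, the function looks back over a configurable window for HTTP/HTTPS flows to that device's management address from sources outside the trusted management network, and attaches any `%SYS-2-WATCHDOG` crash messages seen in the same window as corroborating evidence. The syslog lines, flow records, management addresses and trusted network are all constructed assumptions; real syslog and NetFlow exports will need their own parsing of timestamps and fields.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed syslog lines in a simplified "<iso-timestamp> <host> <message>"
# layout; not captured from a real device.
SYSLOG_LINES = [
    "2024-09-26T10:14:05 edge-rtr-01 %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "2024-09-26T10:15:42 edge-rtr-01 %SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = HTTP CORE",
    "2024-09-26T10:17:10 edge-rtr-01 %SYS-5-RESTART: System restarted --",
    "2024-09-26T11:02:30 core-sw-01 %SYS-5-RESTART: System restarted --",
]

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port).
FLOW_RECORDS: List[Tuple[str, str, str, int]] = [
    ("2024-09-26T09:00:00", "203.0.113.9", "10.10.10.2", 443),
    ("2024-09-26T10:15:30", "203.0.113.7", "10.10.10.1", 443),
    ("2024-09-26T10:15:35", "10.10.10.50", "10.10.10.1", 443),
    ("2024-09-26T10:16:01", "203.0.113.7", "10.10.10.1", 80),
]

# Assumed inventory: device hostname -> management address.
MGMT_ADDRESSES = {"edge-rtr-01": "10.10.10.1", "core-sw-01": "10.10.10.2"}
# Assumed trusted management network; anything else is "external".
TRUSTED_NETS = [ipaddress.ip_network("10.10.10.0/24")]
HTTP_PORTS = {80, 443}

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>%\S+?: .*)$")
RESTART_TAG = "%SYS-5-RESTART"
CRASH_TAGS = ("%SYS-2-WATCHDOG",)


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def correlate_reloads(syslog_lines: List[str],
                      flows: List[Tuple[str, str, str, int]],
                      mgmt_addresses: Dict[str, str],
                      window_seconds: int = 300) -> List[dict]:
    """Return one alert per reload that was preceded by external HTTP traffic."""
    window = timedelta(seconds=window_seconds)
    events = []
    for line in syslog_lines:
        m = SYSLOG_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["host"], m["msg"]))

    alerts = []
    for ts, host, msg in events:
        if not msg.startswith(RESTART_TAG):
            continue
        mgmt_ip = mgmt_addresses.get(host)
        if mgmt_ip is None:
            continue  # unknown device, nothing to correlate against
        start = ts - window
        # External sources that hit the management web interface in the window.
        sources = sorted({
            src for fts, src, dst, port in flows
            if dst == mgmt_ip and port in HTTP_PORTS
            and start <= parse_ts(fts) <= ts and not is_trusted(src)
        })
        # Crash messages from the same device inside the window.
        crashes = [m for ets, ehost, m in events
                   if ehost == host and start <= ets <= ts and m.startswith(CRASH_TAGS)]
        if sources:
            alerts.append({
                "device": host,
                "reload_time": ts.isoformat(),
                "sources": sources,
                "crash_messages": crashes,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate_reloads(SYSLOG_LINES, FLOW_RECORDS, MGMT_ADDRESSES):
        print(alert)
```

With the constructed data the reload of edge-rtr-01 is flagged because 203.0.113.7 reached its management address on 443 and 80 shortly before the watchdog crash and restart, while the reload of core-sw-01 is not, because the only external flow to it lies hours outside the window; the trusted host 10.10.10.50 is excluded from the source list.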
How to Mitigate CVE-2024-20436
Immediate Actions Required
- Identify all Cisco IOS XE devices running affected releases with the HTTP Server and Telephony Service features both enabled.
- Apply the fixed software releases referenced in the Cisco Security Advisory cisco-sa-httpsrvr-dos-yOZThut.
- Restrict access to the HTTP Server using infrastructure access control lists so only trusted management hosts can reach TCP/80 and TCP/443 on device management interfaces.
Patch Information
Cisco has published fixed software releases for affected IOS XE versions. Refer to the Cisco Security Advisory cisco-sa-httpsrvr-dos-yOZThut for the specific first-fixed releases mapped to each affected train. Upgrade paths should follow Cisco's recommended migration guidance for the device platform and feature set.
Workarounds
- Disable the HTTP Server with no ip http server and no ip http secure-server if web-based management is not required.
- If the HTTP Server must remain enabled, restrict access with an access control list using ip http access-class and ip http secure-active-session-modules so only trusted hosts can reach management URLs.
- Where Telephony Service is not required, disable it to remove the vulnerable code path from exposure.
! Example: restrict HTTP Server access to a trusted management subnet
ip access-list standard MGMT-HTTP-ACL
 permit 10.10.10.0 0.0.0.255
 deny   any log
!
! Apply the ACL to the web server; numbered form shown, newer IOS XE releases
! also accept a named ACL as: ip http access-class ipv4 MGMT-HTTP-ACL
ip http access-class MGMT-HTTP-ACL
ip http secure-server
!
! Alternatively, if web management is not needed, disable it entirely
no ip http server
no ip http secure-server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.