CVE-2024-20467 Overview
CVE-2024-20467 is a denial-of-service vulnerability in the IPv4 fragmentation reassembly code of Cisco IOS XE Software. An unauthenticated, remote attacker can force an affected device to reload by sending specifically sized fragmented packets. The flaw resides in improper resource management during fragment reassembly and can be triggered directly or through a Virtual Fragmentation Reassembly (VFR)-enabled interface.
The vulnerability affects Cisco ASR 1000 Series Aggregation Services Routers and Cisco cBR-8 Converged Broadband Routers running Cisco IOS XE Software Release 17.12.1 or 17.12.1a. Cisco has published security advisory cisco-sa-cpp-vfr-dos-nhHKGgO with remediation guidance.
Critical Impact
A remote, unauthenticated attacker can reload core routing infrastructure with crafted IPv4 fragments, disrupting service for all traffic transiting the device.
Affected Products
- Cisco IOS XE Software Release 17.12.1
- Cisco IOS XE Software Release 17.12.1a
- Cisco ASR 1000 Series Aggregation Services Routers and Cisco cBR-8 Converged Broadband Routers running the affected releases
Discovery Timeline
- 2024-09-25 - CVE-2024-20467 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-20467
Vulnerability Analysis
The vulnerability resides in the IPv4 fragmentation reassembly logic of Cisco IOS XE. When the device receives fragmented IPv4 packets, the reassembly routine fails to properly manage internal buffer resources for certain fragment sizes. An attacker who transmits a sequence of specifically sized fragments can trigger an unrecoverable condition that forces the device to reload.
The issue is classified under CWE-399 (Resource Management Errors). Exploitation requires neither authentication nor user interaction and is reachable over the network. Because routers sit in the data path, a single reload disrupts every flow transiting the device, including management and control-plane sessions.
Root Cause
Improper resource management within the fragment reassembly process is the root cause. The reassembly engine does not handle particular fragment size combinations safely, leading to resource exhaustion or an internal fault. The condition is reachable through normal forwarding when fragments target the device or through any interface configured with Virtual Fragmentation Reassembly (VFR).
Attack Vector
An attacker sends crafted IPv4 fragmented packets to an affected interface. Two reachable paths exist: fragments destined to the device itself, and fragments traversing a VFR-enabled interface where reassembly is performed inline. Successful exploitation causes the device to reload, producing a denial-of-service condition until the system completes recovery. No verified public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified exploit code is published for this issue. Refer to the Cisco Security Advisory cisco-sa-cpp-vfr-dos-nhHKGgO for the authoritative technical description.
Detection Methods for CVE-2024-20467
Indicators of Compromise
- Unexpected device reloads on ASR 1000 or cBR-8 routers running IOS XE 17.12.1 or 17.12.1a, with crashinfo referencing the Cisco Packet Processor (CPP) or fragmentation reassembly subsystem.
- Bursts of fragmented IPv4 traffic immediately preceding a device reset, particularly inbound to VFR-enabled interfaces.
- Repeated control-plane policing (CoPP) drops involving IPv4 fragments from a small set of source addresses.
Detection Strategies
- Monitor syslog and the uptime reported by show version for unexplained reload events that correlate with traffic spikes.
- Use NetFlow or IPFIX to identify abnormal volumes of IPv4 fragments destined to router interfaces or VFR-enabled subinterfaces.
- Correlate ICMP fragmentation-related messages with router availability metrics in network monitoring platforms.
Monitoring Recommendations
- Alert on SNMP sysUpTime resets and ciscoConfigManMIB events for affected platforms.
- Capture and inspect packet traces of fragmented IPv4 traffic on edge and aggregation interfaces.
- Track CoPP and infrastructure ACL hit counts for fragment-matching entries to surface scanning or exploitation attempts.
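The following is an added example, not part of the Cisco advisory or this page's original content, showing how the flow-based detection and reload correlation above can be implemented over NetFlow/IPFIX-style records. The record layout, router address set, sample flows and thresholds are all constructed for the script; IPFIX does export fragment offset and fragment flags, but the field names used here are the script's own assumptions.

```python
"""Flag bursts of IPv4 fragments aimed at router-owned addresses.

Added example, not from the Cisco advisory: a minimal detector over
NetFlow/IPFIX-style records. The record fields and the sample flows are
constructed for this script; IPFIX does export fragmentOffset and
fragmentFlags, but the field names below are this script's own.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float          # export time, seconds (constructed clock)
    src: str
    dst: str
    frag_offset: int   # >0 marks a non-initial fragment
    more_frags: bool   # MF bit; True on every fragment but the last
    packets: int


def is_fragment(f):
    """Initial fragments carry offset 0 but MF set, so check both."""
    return f.frag_offset > 0 or f.more_frags


# Addresses owned by the router (interfaces and loopbacks), constructed.
ROUTER_ADDRS = {"192.0.2.1", "192.0.2.2", "10.255.0.1"}

# Constructed sample export: one source hammers a router address with
# fragments, one sends a trickle, the rest is transit or unfragmented.
SAMPLE_FLOWS = (
    [Flow(float(t), "203.0.113.7", "192.0.2.1", 185, False, 40) for t in range(10)]
    + [Flow(float(t), "198.51.100.50", "192.0.2.1", 185, False, 5) for t in (0, 30, 60)]
    + [Flow(3.0, "203.0.113.7", "10.0.0.5", 185, False, 40)]   # transit, not router-owned
    + [Flow(4.0, "203.0.113.9", "192.0.2.1", 0, False, 300)]   # unfragmented, ignored
)


def fragment_peaks(flows, router_addrs, window=10.0):
    """Per source, the highest number of fragment packets sent to router
    addresses inside any sliding window of `window` seconds."""
    per_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dst in router_addrs and is_fragment(f):
            per_src[f.src].append((f.ts, f.packets))
    peaks = {}
    for src, events in per_src.items():
        start, total, peak = 0, 0, 0
        for ts, pkts in events:
            total += pkts
            while ts - events[start][0] > window:   # evict events older than the window
                total -= events[start][1]
                start += 1
            peak = max(peak, total)
        peaks[src] = peak
    return peaks


def fragment_alerts(flows, router_addrs, window=10.0, threshold=200):
    """Sources whose peak exceeds `threshold`; tune the threshold to the
    baseline of legitimate fragmented traffic seen toward the router."""
    peaks = fragment_peaks(flows, router_addrs, window)
    return sorted((src, peak) for src, peak in peaks.items() if peak > threshold)


def sources_before_reload(flows, router_addrs, reload_ts, lookback=60.0):
    """Distinct sources that sent fragments to router addresses during the
    `lookback` seconds before a reload seen in syslog or as a sysUpTime reset."""
    return sorted({f.src for f in flows
                   if reload_ts - lookback <= f.ts < reload_ts
                   and f.dst in router_addrs and is_fragment(f)})


if __name__ == "__main__":
    print("alerts:", fragment_alerts(SAMPLE_FLOWS, ROUTER_ADDRS))
    print("sources before reload at t=12:",
          sources_before_reload(SAMPLE_FLOWS, ROUTER_ADDRS, reload_ts=12.0))
```

The peak-per-window design keeps the alert logic independent of export interval: a source that spreads fragments over several export records still accumulates within the window, while the trickle source never crosses the threshold. The reload-correlation helper is meant to be fed the reload timestamp from syslog or an SNMP sysUpTime reset and returns a short candidate list for triage rather than a verdict.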
How to Mitigate CVE-2024-20467
Immediate Actions Required
- Identify all ASR 1000 and cBR-8 devices running Cisco IOS XE 17.12.1 or 17.12.1a and prioritize them for upgrade.
- Apply the fixed software releases referenced in Cisco advisory cisco-sa-cpp-vfr-dos-nhHKGgO.
- Audit interfaces for VFR configuration and confirm whether reassembly is required on each interface.
- Restrict fragmented IPv4 traffic to router interfaces using infrastructure ACLs and CoPP policies.
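As an added example (not Cisco's tooling and not part of the advisory), the inventory and VFR audit steps above can be scripted over captured show version and show running-config output. The two captures below are constructed, and the version line and platform patterns the script matches are assumptions about typical IOS XE output; verify them against real captures before relying on the result.

```python
"""Audit a Cisco IOS XE device for CVE-2024-20467 exposure.

Added example, not part of the Cisco advisory: parses captured
`show version` and `show running-config` output to flag the affected
releases and list interfaces with VFR enabled. The sample captures are
constructed, and the line formats matched here are assumptions about
typical IOS XE output, so check them against your own captures.
"""
import re

AFFECTED_RELEASES = {"17.12.1", "17.12.1a"}
_VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")
_PLATFORM_RE = re.compile(r"ASR ?10\d\d|cBR-?8", re.IGNORECASE)

# Constructed `show version` excerpt from a hypothetical ASR 1001-X.
SHOW_VERSION = """\
Cisco IOS XE Software, Version 17.12.01a
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), RELEASE SOFTWARE (fc3)
router1 uptime is 2 days, 4 hours, 11 minutes
cisco ASR1001-X (1RU) processor with 3737635K/6147K bytes of memory.
"""

# Constructed running-config excerpt; one interface has VFR enabled.
RUNNING_CONFIG = """\
interface GigabitEthernet0/0/0
 description UPLINK-UNTRUSTED
 ip address 192.0.2.1 255.255.255.0
 ip virtual-reassembly in
!
interface GigabitEthernet0/0/1
 ip address 198.51.100.1 255.255.255.0
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
"""


def normalize_version(text):
    """IOS XE prints both 17.12.01a and 17.12.1a; canonicalize to 17.12.1a."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return f"{int(major)}.{int(minor)}.{int(patch)}{suffix}"


def vfr_interfaces(running_config):
    """Map interface name -> the 'ip virtual-reassembly ...' lines under it."""
    found, current = {}, None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.startswith("!"):          # '!' ends a config section
            current = None
        elif current and line.strip().startswith("ip virtual-reassembly"):
            found.setdefault(current, []).append(line.strip())
    return found


def assess(show_version, running_config):
    """Combine release, platform and VFR findings into one verdict."""
    version = normalize_version(show_version)
    platform_hit = _PLATFORM_RE.search(show_version) is not None
    vfr = vfr_interfaces(running_config)
    return {
        "version": version,
        "vulnerable": version in AFFECTED_RELEASES and platform_hit,
        "vfr_interfaces": sorted(vfr),
    }


def disable_vfr_commands(vfr):
    """Config lines negating each VFR command found; review before applying,
    since other features on the interface may depend on reassembly."""
    lines = []
    for intf, cmds in sorted(vfr.items()):
        lines.append(f"interface {intf}")
        lines.extend(f" no {cmd}" for cmd in cmds)
    return lines


if __name__ == "__main__":
    result = assess(SHOW_VERSION, RUNNING_CONFIG)
    print(result)
    if result["vfr_interfaces"]:
        print("\n".join(disable_vfr_commands(vfr_interfaces(RUNNING_CONFIG))))
```

Version matching is exact against the two affected releases rather than a range comparison, because the page lists only 17.12.1 and 17.12.1a; the zero-padding normalization exists because IOS XE prints the release in both padded and unpadded forms in the same output. The generated "no ip virtual-reassembly" lines negate exactly the command that was found, so they are a review artifact for the VFR audit step rather than something to push unattended.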
Patch Information
Cisco has released fixed Cisco IOS XE Software versions addressing CVE-2024-20467. Consult the Cisco Security Advisory cisco-sa-cpp-vfr-dos-nhHKGgO for the fixed-release matrix and upgrade guidance. There are no software-only workarounds that fully eliminate the vulnerability, so upgrading is the recommended remediation.
Workarounds
- Where VFR is not strictly required, disable it on exposed interfaces to remove one of the attack paths.
- Apply infrastructure ACLs (iACLs) to deny IPv4 fragmented traffic destined to router loopback and interface addresses from untrusted sources.
- Tune Control Plane Policing (CoPP) to rate-limit fragmented IPv4 traffic to the route processor.
! Example: rate-limit IPv4 fragments to the control plane
! The "fragments" keyword matches non-initial fragments only (fragment offset > 0);
! the policer rate is in bits per second and should be tuned to the legitimate
! fragmented traffic the route processor normally receives.
ip access-list extended ACL-FRAGMENTS
 permit ip any any fragments
!
class-map match-any CM-FRAGMENTS
 match access-group name ACL-FRAGMENTS
!
policy-map CoPP-FRAGMENTS
 class CM-FRAGMENTS
  police 8000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input CoPP-FRAGMENTS
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

