Skip to main content

Cisco has published advisory for three high severity and one medium severity vulnerability. Successful exploitation of the vulnerabilities could take over the vulnerable Cisco appliances. The flaws CVE-2022-20624 with a base score of 8.6 is the second DoS vulnerability after CVE-2022-20623 among the four, which allows an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. We recommend that all the Cisco Switch owners of Nexus 3000, 9000, and UCS 6400 Series read this post that tells how to fix CVE-2022-20624- A Denial of Service Vulnerability in CFSoIP Service of Cisco NX-OS.

List Of Other Vulnerabilities Disclosed In Cisco Switches Are:

  1. CVE-2022-20650
  2. CVE-2022-20623
  3. CVE-2022-20624
  4. CVE-2022-20625

Summary Of CVE-2022-20624:

This is the second DoS vulnerability after CVE-2022-20623 on the list targets Cisco Fabric Services over IP (CFSoIP) feature of Cisco NX-OS Software. This vulnerability allows unauthenticated, remote attackers to cause a denial of service (DoS) condition on an affected device. The flaw is due to improper validation of incoming CFSoIP packets. 

Cisco says, “An attacker could exploit this vulnerability by sending crafted CFSoIP packets to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition.” in its advisory.

Cisco Switches Affected By CVE-2022-20624:

The device maker said that Nexus series 3000, 9000, and UCS 6400 are affected by the Denial of Service vulnerability only if the CFSoIP feature is enabled on them.

  • Nexus 3000 Series Switches (CSCvy95696)
  • Nexus 9000 Series Switches in standalone NX-OS mode (CSCvy95696)
  • UCS 6400 Series Fabric Interconnects (CSCvy95840)

Cisco Switcher Not-Affected By CVE-2022-20624:

Cisco clearly says that these models are safe and not affected by the CVE-2022-20624 flaw. Owners of these models can ignore the vulnerability.

  • Firepower 1000 Series
  • Firepower 2100 Series
  • Firepower 4100 Series
  • Firepower 9300 Security Appliances
  • MDS 9000 Series Multilayer Switches
  • Nexus 1000 Virtual Edge for VMware vSphere
  • Nexus 1000V Switch for Microsoft Hyper-V
  • Nexus 1000V Switch for VMware vSphere
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
  • UCS 6200 Series Fabric Interconnects
  • UCS 6300 Series Fabric Interconnects

How To Say Your Cisco Nexus Switch Vulnerable?

The best possible way to say that your Cisco device is vulnerable is by the state of Cisco Fabric Services over IP (CFSoIP). If you see CFSoIP is enabled on your device, then your device may be vulnerable to the CVE-2022-20624 DoS attacks. You can check the status of the CFSoIP service by issuing the show cfs status command on the NX-OS CLI command prompt on Nexus series 3000 and 9000. Use connect nxos command on the Cisco UCS Fabric series to connect Cisco NX-OS CLI, then use the how cfs status command to check the status of CFSoIP.

See Also WildPressure APT Malware Campaign Targets Windows And MacOS

If the status of Distribution over IP is Enabled, then CFSoIP is enabled on the device.

switch# show cfs status
Distribution : Enabled
Distribution over IP : Enabled
IPv4 multicast address :
IPv6 multicast address : ff15::efff:4653
Distribution over Ethernet : Disabled

How To Fix CVE-2022-20624- A Denial Of Service Vulnerability In CFSoIP Service Of Cisco NX-OS?

Since the vulnerability lice in the Cisco Fabric Services over IP (CFSoIP) feature of Cisco Switchers. Attackers could exploit the flaw only if the CFSoIP feature is enabled. CFSoIP feature is disabled by default on the Nexus 3000 and 9000 Series Switches. However, the feature is enabled by default on UCS 6400 series switches.

Cisco has published Cisco Software Checker service to search for Cisco Security Advisories for specific Cisco IOS, IOS XE, NX-OS, and NX-OS in ACI Mode software releases.

Cisco has addressed the CVE-2022-20624vulnerability by releasing the following SMUs. Customers are asked to download the SMUs from the Software Center on Visit Cisco Nexus 3000 Series Switches or Cisco Nexus 9000 Series Switches to know about downloading and installing these SMUs. 

Cisco NX-OS Software Release Platform SMU Name
7.0(3)I7(10) Nexus 3000 and 9000 Series Switches nxos.CSCvy95696-n9k_ALL-1.0.0-7.0.3.I7.10.lib32_n9000.rpm
9.3(8) Nexus 3000 and 9000 Series Switches CSCvy95696-n9k_ALL-1.0.0-9.3.8.lib32_n9000.rpm

Owners of UCS 6400 Series switches, follow the table to upgrade the software.

Cisco UCS Software Release First Fixed Release for This Vulnerability
4.0 Migrate to a fixed release.
4.1 4.1(3h),
4.2 4.2(1l)1

Leave a Reply