Strix
26.1K

CVE-2024-20309

MEDIUMCVSS 5.5/10EPSS 0.10%

Last modified

CVE-2024-20309 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. A vulnerability in auxiliary asynchronous port (AUX) functions of Cisco IOS XE Software could allow an authenticated, local attacker to cause an affected device to reload or stop responding. This vulnerability is due to the incorrect handling of specific ingress traffic when flow control hardware is enabled on the AUX port. An attacker could exploit this vulnerability by reverse telnetting to the AUX port and sending specific data after connecting. EPSS estimates a 0.10% chance of exploitation in the next 30 days.

Description

A vulnerability in auxiliary asynchronous port (AUX) functions of Cisco IOS XE Software could allow an authenticated, local attacker to cause an affected device to reload or stop responding. This vulnerability is due to the incorrect handling of specific ingress traffic when flow control hardware is enabled on the AUX port. An attacker could exploit this vulnerability by reverse telnetting to the AUX port and sending specific data after connecting. A successful exploit could allow the attacker to cause the device to reset or stop responding, resulting in a denial of service (DoS) condition.

Metrics

CVSS 3.1
5.5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Probability
0.10%

1.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
CiscoIos Xe3.2.0se
CiscoIos Xe3.2.1se
CiscoIos Xe3.2.2se
CiscoIos Xe3.2.3se
CiscoIos Xe3.3.0se
CiscoIos Xe3.3.0sq
CiscoIos Xe3.3.1se
CiscoIos Xe3.3.1sq
CiscoIos Xe3.3.2se
CiscoIos Xe3.3.3se
CiscoIos Xe3.3.4se
CiscoIos Xe3.3.5se
CiscoIos Xe3.4.0sq
CiscoIos Xe3.4.1sq
CiscoIos Xe3.5.0sq
CiscoIos Xe3.5.1sq
CiscoIos Xe3.5.2sq
CiscoIos Xe3.5.3sq
CiscoIos Xe3.5.4sq
CiscoIos Xe3.5.5sq
CiscoIos Xe3.5.6sq
CiscoIos Xe3.5.7sq
CiscoIos Xe3.5.8sq
CiscoIos Xe3.6.2ae
CiscoIos Xe3.6.2e
CiscoIos Xe3.6.5be
CiscoIos Xe3.6.7be
CiscoIos Xe3.6.9e
CiscoIos Xe3.6.10e
CiscoIos Xe3.7.0bs
CiscoIos Xe3.7.0s
CiscoIos Xe3.7.1as
CiscoIos Xe3.7.1s
CiscoIos Xe3.7.2s
CiscoIos Xe3.7.2ts
CiscoIos Xe3.7.3s
CiscoIos Xe3.7.4as
CiscoIos Xe3.7.4s
CiscoIos Xe3.7.5s
CiscoIos Xe3.7.6s
CiscoIos Xe3.7.7s
CiscoIos Xe3.8.0s
CiscoIos Xe3.8.1s
CiscoIos Xe3.8.2s
CiscoIos Xe3.9.0as
CiscoIos Xe3.9.0s
CiscoIos Xe3.9.1as
CiscoIos Xe3.9.1s
CiscoIos Xe3.9.2s
CiscoIos Xe3.10.0s

Showing 50 of 343 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2024-20309?
A vulnerability in auxiliary asynchronous port (AUX) functions of Cisco IOS XE Software could allow an authenticated, local attacker to cause an affected device to reload or stop responding. This vulnerability is due to the incorrect handling of specific ingress traffic when flow control hardware is enabled on the AUX port. An attacker could exploit this vulnerability by reverse telnetting to the AUX port and sending specific data after connecting. A successful exploit could allow the attacker to cause the device to reset or stop responding, resulting in a denial of service (DoS) condition.
How severe is CVE-2024-20309?
CVE-2024-20309 has a CVSS score of 5.5/10 (MEDIUM severity). The EPSS model estimates a 0.10% probability of exploitation in the next 30 days.
How do I fix CVE-2024-20309?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-20309?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST