Cisco IOS XE DHCP Snooping Denial-of-Service Vulnerability on Catalyst 9000 Series Switches

Vulnerability

A denial-of-service vulnerability has been identified in the DHCP snooping feature of Cisco IOS XE Software, specifically on Catalyst 9000 Series Switches. This vulnerability allows an unauthenticated, remote attacker to manipulate BOOTP packets, causing them to be improperly forwarded between VLANs. The issue arises from inadequate handling of BOOTP requests, which can lead to BOOTP VLAN leakage and a significant increase in CPU utilization. As a result, the affected device becomes unreachable via console or remote management and fails to forward traffic, creating a denial-of-service condition. The vulnerability can be exploited using either unicast or broadcast BOOTP packets.

Impact

Exploitation of this vulnerability causes high CPU utilization, making the device unreachable through console or remote management and disrupting traffic forwarding, thereby creating a denial-of-service condition.

Remediation

To address this vulnerability, Cisco has released software updates. For environments that do not need to handle BOOTP traffic, the command 'ip dhcp relay bootp ignore' can be configured on the affected device. Customers should evaluate the applicability and impact of this workaround in their own environments. For information on which Cisco software releases are vulnerable, consult the 'Fixed Software' section of the advisory.

Added: Mar 25, 2026, 4:40 PM
Updated: Mar 25, 2026, 4:40 PM

Vulnerability Rating

Custom Algorithm

spread: 8.1
impact: 2.5
exploitability: 6.6
remediation: 8.3
relevance: 4.7
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.