Cisco IOS XE Software for Catalyst 9000 Series Switches DHCP Snooping Denial of Service Vulnerability
Summary
A vulnerability in the DHCP snooping feature of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause BOOTP packets to be forwarded between VLANs, resulting in a denial of service (DoS) condition. This vulnerability is due to improper handling of BOOTP packets on Cisco Catalyst 9000 Series Switches. An attacker could exploit this vulnerability by sending BOOTP request packets to an affected device. A successful exploit could allow an attacker to forward BOOTP packets from one VLAN to another, resulting in BOOTP VLAN leakage and potentially leading to high CPU utiliz…
- Scope: This vulnerability affects Cisco Catalyst 9000 Series Switches if they are running a vulnerable release of Cisco IOS XE Software and have the following configuration conditions:
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Mitigation checklist
- There is a workaround that addresses this vulnerability.
- For environments that do not need to handle BOOTP traffic, configure ip dhcp relay bootp ignore on the affected device.
- While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer depl…
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.