<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Bootp - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/bootp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/bootp/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cisco IOS XE DHCP Snooping BOOTP VLAN Leakage DoS (CVE-2026-20084)</title><link>https://feed.craftedsignal.io/briefs/2024-01-cisco-ios-xe-dhcp-snooping-dos/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cisco-ios-xe-dhcp-snooping-dos/</guid><description>CVE-2026-20084 describes a vulnerability in Cisco IOS XE DHCP snooping where an unauthenticated remote attacker can cause a denial-of-service by forwarding BOOTP packets between VLANs, leading to high CPU utilization on affected Cisco Catalyst 9000 Series Switches.</description><content:encoded><![CDATA[<p>CVE-2026-20084 is a vulnerability affecting the DHCP snooping feature within Cisco IOS XE Software, specifically impacting Cisco Catalyst 9000 Series Switches. This vulnerability allows an unauthenticated, remote attacker to exploit improper handling of BOOTP packets. By sending either unicast or broadcast BOOTP request packets, an attacker can trigger the forwarding of BOOTP packets between different VLANs. This cross-VLAN forwarding, or &quot;BOOTP VLAN leakage,&quot; can result in elevated CPU utilization, rendering the device unreachable through console or remote management interfaces. The ultimate impact is a denial-of-service (DoS) condition, preventing the affected switch from forwarding network traffic and disrupting network services. The vulnerability stems from how the Cisco IOS XE software processes BOOTP packets when DHCP snooping is enabled.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Cisco Catalyst 9000 Series Switch running Cisco IOS XE with DHCP snooping enabled.</li>
<li>The attacker crafts a malicious BOOTP request packet. This packet can be either a unicast or broadcast BOOTP request.</li>
<li>The attacker sends the malicious BOOTP request packet to the targeted switch.</li>
<li>The vulnerable DHCP snooping feature improperly processes the BOOTP request.</li>
<li>Due to the improper handling, the switch forwards the BOOTP packet to an unintended VLAN.</li>
<li>This BOOTP VLAN leakage contributes to increased CPU utilization on the switch.</li>
<li>The high CPU utilization degrades the switch's performance, impacting its ability to forward network traffic.</li>
<li>The switch becomes unresponsive, leading to a denial-of-service condition, disrupting network services for connected devices.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-20084 leads to a denial-of-service condition on affected Cisco Catalyst 9000 Series Switches. This DoS can disrupt network services, causing connectivity issues for users and applications relying on the compromised switch. The high CPU utilization makes the device unreachable for management, complicating recovery efforts. While the exact number of potential victims is unknown, any organization using vulnerable Cisco Catalyst 9000 Series Switches is at risk. The network downtime caused by this vulnerability can lead to financial losses and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor network traffic for unusual BOOTP packet activity, specifically looking for packets being forwarded between VLANs, using a network intrusion detection system (IDS) and the <code>network_connection</code> log source.</li>
<li>Deploy the Sigma rule provided to detect BOOTP packets being forwarded between VLANs, and tune the rule for your specific environment.</li>
<li>Implement workarounds provided by Cisco to mitigate the vulnerability until a patch can be applied (reference the Cisco advisory for specific workaround details).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-20084</category><category>dhcp-snooping</category><category>bootp</category><category>denial-of-service</category><category>cisco</category></item></channel></rss>