{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dhcp-snooping/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco IOS XE Software","Cisco Catalyst 9000 Series Switches"],"_cs_severities":["high"],"_cs_tags":["cve-2026-20084","dhcp-snooping","bootp","denial-of-service","cisco"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCVE-2026-20084 is a vulnerability affecting the DHCP snooping feature within Cisco IOS XE Software, specifically impacting Cisco Catalyst 9000 Series Switches. This vulnerability allows an unauthenticated, remote attacker to exploit improper handling of BOOTP packets. By sending either unicast or broadcast BOOTP request packets, an attacker can trigger the forwarding of BOOTP packets between different VLANs. This cross-VLAN forwarding, or \u0026quot;BOOTP VLAN leakage,\u0026quot; can result in elevated CPU utilization, rendering the device unreachable through console or remote management interfaces. The ultimate impact is a denial-of-service (DoS) condition, preventing the affected switch from forwarding network traffic and disrupting network services. The vulnerability stems from how the Cisco IOS XE software processes BOOTP packets when DHCP snooping is enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Cisco Catalyst 9000 Series Switch running Cisco IOS XE with DHCP snooping enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious BOOTP request packet. This packet can be either a unicast or broadcast BOOTP request.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious BOOTP request packet to the targeted switch.\u003c/li\u003e\n\u003cli\u003eThe vulnerable DHCP snooping feature improperly processes the BOOTP request.\u003c/li\u003e\n\u003cli\u003eDue to the improper handling, the switch forwards the BOOTP packet to an unintended VLAN.\u003c/li\u003e\n\u003cli\u003eThis BOOTP VLAN leakage contributes to increased CPU utilization on the switch.\u003c/li\u003e\n\u003cli\u003eThe high CPU utilization degrades the switch's performance, impacting its ability to forward network traffic.\u003c/li\u003e\n\u003cli\u003eThe switch becomes unresponsive, leading to a denial-of-service condition, disrupting network services for connected devices.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20084 leads to a denial-of-service condition on affected Cisco Catalyst 9000 Series Switches. This DoS can disrupt network services, causing connectivity issues for users and applications relying on the compromised switch. The high CPU utilization makes the device unreachable for management, complicating recovery efforts. While the exact number of potential victims is unknown, any organization using vulnerable Cisco Catalyst 9000 Series Switches is at risk. The network downtime caused by this vulnerability can lead to financial losses and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for unusual BOOTP packet activity, specifically looking for packets being forwarded between VLANs, using a network intrusion detection system (IDS) and the \u003ccode\u003enetwork_connection\u003c/code\u003e log source.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect BOOTP packets being forwarded between VLANs, and tune the rule for your specific environment.\u003c/li\u003e\n\u003cli\u003eImplement workarounds provided by Cisco to mitigate the vulnerability until a patch can be applied (reference the Cisco advisory for specific workaround details).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-ios-xe-dhcp-snooping-dos/","summary":"CVE-2026-20084 describes a vulnerability in Cisco IOS XE DHCP snooping where an unauthenticated remote attacker can cause a denial-of-service by forwarding BOOTP packets between VLANs, leading to high CPU utilization on affected Cisco Catalyst 9000 Series Switches.","title":"Cisco IOS XE DHCP Snooping BOOTP VLAN Leakage DoS (CVE-2026-20084)","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-ios-xe-dhcp-snooping-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Dhcp-Snooping","version":"https://jsonfeed.org/version/1.1"}