CISCO-SA-BOOTP-WUBHNBXA

Vulnerable Products:

This vulnerability affects Cisco Catalyst 9000 Series Switches if they are running a vulnerable release of Cisco IOS XE Software and have the following configuration conditions:

IP DHCP snooping is enabled An ip helper-address is configured on a Switched Virtual Interface (SVI) The next hop of the ip helper-address is a sub-interface One of the sub-interfaces has the native VLAN configured

If those four conditions are true, then BOOTP packets will be forwarded from the source interface to the sub-interface where the native VLAN is configured. In addition, if the native VLAN is part of the IP DHCP snooping range, CPU utilization will increase, resulting in a DoS condition.

For information about which Cisco software releases are vulnerable, see the Fixed Software ["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-dhcpsn-dos-xBn8Mtks#fs"] section of this advisory. Determine the Device Configuration Use the following methods to determine whether a device has a vulnerable configuration.

Determine Whether IP DHCP Snooping Is Enabled on a Device

To determine whether a device has IP DHCP snooping enabled, use Administrator privileges to connect to the device CLI and use the show running-config | include ip dhcp snooping exec command. If output is returned, the device has IP DHCP snooping enabled. The following example shows a device that has IP DHCP snooping enabled on VLANs 16, 32, and 64:

Router# show running-config | include ip dhcp snooping ip dhcp snooping vlan 16, 32, 64 ip dhcp snooping Router#

If no output is returned, the device is not affected.

Determine Whether ip helper-address Is Configured on the SVI on a Device

To determine whether a device has an ip helper-address configured on an SVI, use Administrator privileges to connect to the device CLI and use the show running-config | section interface Vlan exec command. If the returned output contains a line...