Cisco IOS XE Software Auxiliary Asynchronous Port Denial of Service Vulnerability [CVE-2024-20309]

CVE number – CVE-2024-20309

A vulnerability in auxiliary asynchronous port (AUX) functions of Cisco IOS XE Software could allow an authenticated, local attacker to cause an affected device to reload or stop responding.

This vulnerability is due to the incorrect handling of specific ingress traffic when flow control hardware is enabled on the AUX port. An attacker could exploit this vulnerability by reverse telnetting to the AUX port and sending specific data after connecting. A successful exploit could allow the attacker to cause the device to reset or stop responding, resulting in a denial of service (DoS) condition.

At the time of publication, this vulnerability affected Cisco platforms if they were running a vulnerable release of Cisco IOS XE Software and the following conditions were true:

• The device has an AUX port.
• The AUX port is configured with flowcontrol hardware.
• There is no hardware attached to the AUX port or the attached modem has signaled for flow control to be off and does not turn it on again.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aux-333WBz8f