Kyaw_Myo_Oo
Contributor II

Cisco also patched a medium-risk vulnerability, bypassing SNMP restrictions in IOS and IOS XE

Dear all,

 

Cisco also patched a medium-risk vulnerability, CVE-2024-20373, in its IOS and IOS XE Software which is used on many of its enterprise switches and routers. The flaw allows unauthenticated attackers to bypass the Access Control List (ACL) feature for simple network management protocol (SNMP) in certain cases. SNMP is a protocol that allows devices to expose information about their configurations and to make modifications to those settings over the network.

 

“This vulnerability exists because Cisco IOS software and Cisco IOS XE software do not support extended IPv4 ACLs for SNMP, but they do allow administrators to configure extended named IPv4 ACLs that are attached to the SNMP server configuration without a warning message,” Cisco explains in its advisory. “This can result in no ACL being applied to the SNMP listening process.”

 

https://www.csoonline.com/article/2093447/cisco-fixes-vulnerabilities-in-integrated-management-contr...

 

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-uwBXfqww

Kyaw Myo Oo
Manager, CB BANK PCL
CCIE #58769 | PCNSE | CCSE | CISSP | PMP
0 Replies
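
The condition quoted from the advisory can be checked offline against a saved running-config. The following is an added example, not code from the post or from Cisco: it flags `snmp-server community` and `snmp-server group ... access` lines whose IPv4 ACL is declared as a named extended ACL. The sample config, community strings and ACL names are constructed, and only these common command forms are parsed.

```python
import re

# Constructed sample running-config; community strings and ACL names are made up.
SAMPLE_CONFIG = """\
ip access-list standard MGMT-STD
 permit 10.0.0.0 0.0.0.255
ip access-list extended MGMT-EXT
 permit udp host 10.0.0.5 any eq snmp
snmp-server community constructed-ro RO MGMT-EXT
snmp-server community constructed-rw RW MGMT-STD
snmp-server community constructed-v6 view V1 RO ipv6 V6-ACL MGMT-EXT
snmp-server group OPS v3 priv access MGMT-EXT
"""

ACL_DEF = re.compile(r"^ip access-list (standard|extended) (\S+)\s*$")

def named_acl_types(config):
    """Map each named IPv4 ACL to 'standard' or 'extended'."""
    types = {}
    for line in config.splitlines():
        m = ACL_DEF.match(line)
        if m and not m.group(2).isdigit():  # numbered ACLs are out of scope here
            types[m.group(2)] = m.group(1)
    return types

def ipv4_acl(tokens):
    """Return the IPv4 ACL in an option list (or None), skipping view/ipv6 pairs and ro/rw."""
    i = 0
    while i < len(tokens):
        word = tokens[i].lower()
        if word in ("view", "ipv6"):
            i += 2  # keyword plus its argument
        elif word in ("ro", "rw"):
            i += 1
        else:
            return tokens[i]

def audit(config):
    """Return (acl, line) for SNMP lines that reference a named extended IPv4 ACL."""
    types, findings = named_acl_types(config), []
    for line in config.splitlines():
        tok, acl = line.split(), None
        if tok[:2] == ["snmp-server", "community"]:
            acl = ipv4_acl(tok[3:])  # tok[2] is the community string
        elif tok[:2] == ["snmp-server", "group"] and "access" in tok[3:]:
            acl = ipv4_acl(tok[tok.index("access", 3) + 1:])
        if types.get(acl) == "extended":
            findings.append((acl, line))
    return findings
```

Calling `audit()` on a device's saved configuration returns the SNMP lines to review against the advisory; an empty list means no named extended IPv4 ACL is attached in the forms this example parses.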