Remote code execution in Cisco Nexus

1) Remote code execution

EUVDB-ID: #VU774

Risk: Medium

CVSSv3.1: 8.9 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2016-1453

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated user to cause the target system reload or execute arbitrary code.
The weakness is due to a buffer overflow caused by insufficient input validation of the size of OTV packet header parameters. By sending a specially crafted OTV UDP packet to the OTV interface attackers can cause OTV process reload or arbitrary code execution and obtain full control of the system.
Successful exploitation of the vulnerability results in arbitrary code execution and complete access to the vulnerable system.

Mitigation

The following Access Control List (ACL) can be configured to drop malformed OTV control packets.

IP access list OTV_PROT_V1
  10 deny udp any any fragments 
  20 deny udp any any eq 8472 packet-length lt 54 
  30 permit ip any any

The vulnerability is fixed in versions 7.2(2)D1(1) and 7.3(1)D1(1).

Vulnerable software versions

Cisco Nexus 7700 Series Switches: 5.0 - 7.3

Cisco Nexus 7000 Series Switches: 5.0 - 7.3

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-otv

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.