SB2018101818 - Denial of service vulnerabilities in Cisco NX-OS




Published: October 18, 2018

Security Bulletin ID: SB2018101818
Severity: Low
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2018-0378)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The vulnerability exists in the Precision Time Protocol (PTP) feature due to a lack of protection against PTP frame flood attacks. A remote attacker can send large streams of malicious IPv4 or IPv6 PTP traffic to the affected device and cause a DoS condition, impacting the traffic passing through the device.


2) Improper input validation (CVE-ID: CVE-2018-0456)

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The vulnerability exists in the Simple Network Management Protocol (SNMP) input packet processor of Cisco NX-OS Software due to improper validation of SNMP protocol data units (PDUs) in SNMP packets. A remote attacker can send an SNMP packet and cause the SNMP application to restart multiple times, leading to a system-level restart and a denial of service (DoS) condition.


3) Improper input validation (CVE-ID: CVE-2018-0395)

The vulnerability allows an adjacent unauthenticated attacker to cause a DoS condition on the target system.

The vulnerability exists in the Link Layer Discovery Protocol (LLDP) implementation due to improper input validation of certain type, length, value (TLV) fields of the LLDP frame header. An adjacent attacker can send a specially crafted LLDP packet to an interface and cause the switch to reload unexpectedly.
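
For reference, the kind of TLV validation an LLDP receiver is expected to perform, as an added example (not Cisco's code; the bulletin does not say which TLV fields are affected). The function and enum names are hypothetical, the layout follows IEEE 802.1AB, and requiring a terminating End TLV is a strictness choice made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes for lldp_validate(); names are hypothetical, for this example. */
enum lldp_result { LLDP_OK = 0, LLDP_TRUNCATED, LLDP_BAD_LENGTH,
                   LLDP_BAD_ORDER, LLDP_NO_END };

/* Walk the TLVs of an LLDPDU (the bytes after the Ethernet header) and reject
 * any TLV whose declared length runs past the received data, or whose
 * mandatory TLVs are out of order, repeated, or the wrong size. */
enum lldp_result lldp_validate(const uint8_t *pdu, size_t len)
{
    size_t off = 0;
    unsigned index = 0;                 /* position of the TLV in the LLDPDU */

    while (off < len) {
        if (len - off < 2)
            return LLDP_TRUNCATED;      /* no room for a 2-byte TLV header */

        /* TLV header: 7-bit type followed by 9-bit length, big-endian. */
        unsigned type = pdu[off] >> 1;
        size_t tlv_len = ((size_t)(pdu[off] & 0x01) << 8) | pdu[off + 1];
        off += 2;

        if (tlv_len > len - off)
            return LLDP_TRUNCATED;      /* declared length exceeds the buffer */

        /* First three TLVs must be Chassis ID (1), Port ID (2), TTL (3). */
        if (index < 3 && type != index + 1)
            return LLDP_BAD_ORDER;
        if (index >= 3 && type >= 1 && type <= 3)
            return LLDP_BAD_ORDER;      /* mandatory TLV repeated later */

        switch (type) {
        case 0:                         /* End of LLDPDU carries no value */
            return tlv_len == 0 ? LLDP_OK : LLDP_BAD_LENGTH;
        case 1: case 2:                 /* 1 subtype byte + 1..255 ID bytes */
            if (tlv_len < 2 || tlv_len > 256) return LLDP_BAD_LENGTH;
            break;
        case 3:                         /* TTL is exactly 2 bytes */
            if (tlv_len != 2) return LLDP_BAD_LENGTH;
            break;
        default:                        /* optional TLVs: bounds check only */
            break;
        }
        off += tlv_len;
        index++;
    }
    return LLDP_NO_END;                 /* policy of this example: End TLV required */
}
```
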


Remediation

Install the update from the vendor's website.