SB2019090213 - Multiple vulnerabilities in Cisco NX-OS Software

Description

This security bulletin contains information about 8 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-1969)

The vulnerability allows a remote attacker to perform SNMP polling of an affected device.

The vulnerability exists in the implementation of the Simple Network Management Protocol (SNMP) Access Control List (ACL) feature due to an incorrect length check when the configured ACL name is the maximum length, which is 32 ASCII characters. A remote attacker can perform SNMP polling of an affected device that should have been denied. The attacker has no control of the configuration of the SNMP ACL name.

2) Input validation error (CVE-ID: CVE-2019-1963)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of Abstract Syntax Notation One (ASN.1)-encoded variables in SNMP packets. A remote authenticated attacker can send a specially crafted SNMP packet to the SNMP daemon and cause the SNMP application to restart multiple times, leading to a system-level restart and a denial of service (DoS) condition.

This vulnerability affects the following products if they have SNMP configured and they are running a vulnerable release of Cisco FXOS or NX-OS Software:

• Firepower 4100 Series
• Firepower 9300 Security Appliances
• MDS 9000 Series Multilayer Switches
• Nexus 1000 Virtual Edge for VMware vSphere
• Nexus 1000V Switch for Microsoft Hyper-V
• Nexus 1000V Switch for VMware vSphere
• Nexus 3000 Series Switches
• Nexus 3500 Platform Switches
• Nexus 3600 Platform Switches
• Nexus 5500 Platform Switches
• Nexus 5600 Platform Switches
• Nexus 6000 Series Switches
• Nexus 7000 Series Switches
• Nexus 7700 Series Switches
• Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
• Nexus 9000 Series Switches in standalone NX-OS mode
• Nexus 9500 R-Series Switching Platform
• UCS 6200 Series Fabric Interconnects
• UCS 6300 Series Fabric Interconnects
• UCS 6400 Series Fabric Interconnects

3) Input validation error (CVE-ID: CVE-2019-1977)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input due to improper endpoint learning when packets are received on a specific port from outside the ACI fabric and destined to an endpoint located on a border leaf when "Disable Remote Endpoint Learning" has been enabled. A remote attacker can cause a denial of service (DoS) condition on an endpoint device in certain circumstances.

4) Resource exhaustion (CVE-ID: CVE-2019-1965)

The vulnerability allows a remote attacker to cause unexpected system behaviors and crashes.

The vulnerability exists in the Virtual Shell (VSH) session management due to the VSH process not being properly deleted when a remote management connection to the device is disconnected. A remote authenticated attacker can repeatedly perform a remote management connection to the device and terminate the connection in an unexpected manner and cause the VSH processes to fail to delete, which can lead to a system-wide denial of service (DoS) condition.

This vulnerability affects the following products that are running a Cisco NX-OS Software:

• MDS 9000 Series Multilayer Switches
• Nexus 3000 Series Switches
• Nexus 3500 Platform Switches
• Nexus 3600 Platform Switches
• Nexus 5500 Platform Switches
• Nexus 5600 Platform Switches
• Nexus 6000 Series Switches
• Nexus 7000 Series Switches
• Nexus 7700 Series Switches
• Nexus 9000 Series Switches in standalone NX-OS mode
• Nexus 9500 R-Series Switching Platform
• UCS 6200 Series Fabric Interconnects
• UCS 6300 Series Fabric Interconnects

5) Input validation error (CVE-ID: CVE-2019-1964)

The vulnerability allows a remote attacker to cause an unexpected restart of the netstack process on an affected device.

The vulnerability exists due to improper validation of IPv6 traffic sent through an affected device. A remote attacker can send a malformed IPv6 packet through an affected device, cause a denial of service (DoS) condition while the netstack process restarts. A sustained attack could lead to a reboot of the device.

This vulnerability affects the following products that are running a Cisco NX-OS Software:

• Nexus 7000 Series Switches
• Nexus 7700 Series Switches

6) Input validation error (CVE-ID: CVE-2019-1962)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of TCP packets when processed by the Cisco Fabric Services over IP (CFSoIP) feature. A remote attacker can send a malicious Cisco Fabric Services TCP packet, cause process crashes, resulting in a device reload and a DoS condition.

This vulnerability affects the following products that are running a Cisco NX-OS Software with CFSoIP enabled:

• MDS 9000 Series Multilayer Switches
• Nexus 3000 Series Switches
• Nexus 3500 Platform Switches
• Nexus 3600 Platform Switches
• Nexus 5500 Platform Switches
• Nexus 5600 Platform Switches
• Nexus 6000 Series Switches
• Nexus 7000 Series Switches
• Nexus 7700 Series Switches
• Nexus 9000 Series Switches in standalone NX-OS mode
• Nexus 9500 R-Series Switching Platform
• UCS 6200 Series Fabric Interconnects
• UCS 6300 Series Fabric Interconnects

7) Input validation error (CVE-ID: CVE-2019-1968)

The vulnerability allows a remote attacker to cause a system process to unexpectedly restart.

The vulnerability exists due to incorrect validation of the HTTP header of a request that is sent to the NX-API feature. A remote attacker can send a specially crafted HTTP request to the NX-API and cause a denial of service (DoS) condition in the NX-API service; however, the NX-OS device itself would still be available and passing network traffic.

8) Resource management error (CVE-ID: CVE-2019-1967)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the Network Time Protocol (NTP) feature due to excessive use of system resources when logging a drop action for received MODE_PRIVATE (Mode 7) NTP packets. A remote attacker can flood the device with a steady stream of Mode 7 NTP packets and cause high CPU and memory usage on the affected device, which could cause internal system processes to restart or cause the affected device to unexpectedly reload.

Remediation

Install update from vendor's website.

References

• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-snmp-bypass
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-fxnxos-snmp-dos
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nexus-aci-dos
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-memleak-dos
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-ipv6-dos
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-fsip-dos
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-api-dos
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-ntp-dos