Multiple vulnerabilities in Cisco NX-OS Software



Published: 2019-09-02 | Updated: 2019-09-02
Risk High
Patch available YES
Number of vulnerabilities 8
CVE-ID CVE-2019-1969
CVE-2019-1963
CVE-2019-1977
CVE-2019-1965
CVE-2019-1964
CVE-2019-1962
CVE-2019-1968
CVE-2019-1967
CWE-ID CWE-264
CWE-20
CWE-400
CWE-399
Exploitation vector Network
Public exploit N/A
Vulnerable software
Cisco NX-OS
Operating systems & Components / Operating system

Cisco FXOS
Operating systems & Components / Operating system

Cisco Nexus 9332PQ Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 9508 Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 9372TX-E Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 93108TC-EX Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 9504 Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 93120TX Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 93108TC-FX Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 9396TX Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 9396PX Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 9516 Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 9000 Series Switches in ACI Mode
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 9372PX-E Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 9348GC-FXP Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 93180YC-EX Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 93128TX Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 93180YC-FX Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 9364C Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 9372PX Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 93180LC-EX Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 9336PQ ACI Spine Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 9372TX Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Cisco Nexus 9336C-FX2 Switch
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor Cisco Systems, Inc

Security Bulletin

This security bulletin contains information about 8 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU20483

Risk: Medium

CVSSv3.1: 5.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1969

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass the SNMP access control list and poll an affected device.

The vulnerability exists in the implementation of the Simple Network Management Protocol (SNMP) Access Control List (ACL) feature due to an incorrect length check when the configured ACL name has the maximum length of 32 ASCII characters. A remote attacker can perform SNMP polling of an affected device from an address that the ACL should have denied. The attacker has no control over the configured SNMP ACL name, so the device is only exposed when the administrator has chosen a name of exactly the maximum length.

This vulnerability affects the following products when they are running Cisco NX-OS Software with an SNMP ACL of the maximum name length configured:
  • Nexus 3000 Series Switches
  • Nexus 3500 Platform Switches
  • Nexus 3600 Platform Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode
  • Nexus 9500 R-Series Switching Platform
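Because exposure depends entirely on an administrator-chosen ACL name, the practical check is a configuration audit. The script below is an added example (not Cisco's code and not part of the bulletin): it scans an NX-OS running configuration for `snmp-server community ... use-ipv4acl/use-ipv6acl` and `snmp-server user ... use-ipv4acl/use-ipv6acl` bindings and flags any ACL whose name is exactly 32 characters, the precondition described above. The configuration excerpt is constructed for the example; the 32-character limit is taken from the advisory text.

```python
import re
from typing import List, Tuple

# Maximum SNMP ACL name length quoted in the advisory text; a name of exactly
# this length is the precondition for the faulty length check.
MAX_ACL_NAME_LEN = 32

# Matches NX-OS lines that bind an IPv4/IPv6 ACL to an SNMP community or user,
# e.g. "snmp-server community ro-team use-ipv4acl MGMT-ONLY".
ACL_BINDING_RE = re.compile(
    r"^\s*snmp-server\s+(?P<kind>community|user)\s+(?P<name>\S+)\s+.*?"
    r"\buse-(?P<family>ipv4|ipv6)acl\s+(?P<acl>\S+)"
)

# Constructed running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
ip access-list SNMP-MGMT-ONLY
  10 permit udp 10.0.0.0/24 any eq snmp
  20 deny udp any any eq snmp
ip access-list SNMP-MONITORING-HOSTS-NE-DC1-ACL
  10 permit udp 10.1.0.0/24 any eq snmp
  20 deny udp any any eq snmp
snmp-server community public group network-operator
snmp-server community public use-ipv4acl SNMP-MGMT-ONLY
snmp-server community readonly-dc1 group network-operator
snmp-server community readonly-dc1 use-ipv4acl SNMP-MONITORING-HOSTS-NE-DC1-ACL
snmp-server user netmon network-operator auth md5 0x1f2e priv 0x3d4c localizedkey
snmp-server user netmon use-ipv6acl SNMP-V6-MGMT
"""


def snmp_acl_bindings(config_text: str) -> List[Tuple[str, str, str]]:
    """Return every (principal, address family, ACL name) SNMP ACL binding
    found in an NX-OS running configuration."""
    bindings = []
    for line in config_text.splitlines():
        m = ACL_BINDING_RE.match(line)
        if m:
            principal = f"{m.group('kind')} {m.group('name')}"
            bindings.append((principal, m.group("family"), m.group("acl")))
    return bindings


def find_exposed_snmp_acls(config_text: str) -> List[Tuple[str, str, str]]:
    """Bindings whose ACL name is exactly MAX_ACL_NAME_LEN characters long;
    on an unpatched release these ACLs may fail to deny SNMP polling."""
    return [b for b in snmp_acl_bindings(config_text)
            if len(b[2]) == MAX_ACL_NAME_LEN]


if __name__ == "__main__":
    for principal, family, acl in find_exposed_snmp_acls(SAMPLE_CONFIG):
        print(f"{principal}: {family} ACL '{acl}' is {MAX_ACL_NAME_LEN} chars; "
              f"bypassable on affected NX-OS releases")
```

Feed it the output of `show running-config` from each switch in the affected list; any hit is a device where, until the update is installed, the SNMP ACL cannot be relied on.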

Mitigation

Install updates from the vendor's website. As described above, only an ACL name of the maximum length triggers the faulty check, so renaming the SNMP ACL to a shorter name is an interim measure until the update is applied.

Vulnerable software versions

Cisco NX-OS: 7.0.3 I4 1 - 9.2

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-snmp-bypass


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU20539

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1963

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of Abstract Syntax Notation One (ASN.1)-encoded variables in SNMP packets. A remote authenticated attacker (one holding valid SNMP credentials) can send a specially crafted SNMP packet to the SNMP daemon and cause the SNMP application to restart repeatedly, leading to a system-level restart and a denial of service (DoS) condition.

This vulnerability affects the following products if they have SNMP configured and are running a vulnerable release of Cisco FXOS or NX-OS Software:

  • Firepower 4100 Series
  • Firepower 9300 Security Appliances
  • MDS 9000 Series Multilayer Switches
  • Nexus 1000 Virtual Edge for VMware vSphere
  • Nexus 1000V Switch for Microsoft Hyper-V
  • Nexus 1000V Switch for VMware vSphere
  • Nexus 3000 Series Switches
  • Nexus 3500 Platform Switches
  • Nexus 3600 Platform Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 7700 Series Switches
  • Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
  • Nexus 9000 Series Switches in standalone NX-OS mode
  • Nexus 9500 R-Series Switching Platform
  • UCS 6200 Series Fabric Interconnects
  • UCS 6300 Series Fabric Interconnects
  • UCS 6400 Series Fabric Interconnects
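The bug class above (trusting BER length fields in SNMP packets) is easiest to understand from a parser that refuses to. The following is an added example, not Cisco's snmpd code and not derived from the advisory: a bounds-checked BER walker for SNMPv1/v2c messages that rejects indefinite lengths, truncated headers, and any nested length that overruns its enclosing element, plus a constructed GetRequest and two deliberately malformed variants of it. The packet bytes are built in the example itself, not captured traffic.

```python
from typing import Iterator, List, Tuple


class BerError(ValueError):
    """Raised for any BER encoding the parser refuses to trust."""


def read_tlv(buf: bytes, pos: int, end: int) -> Tuple[int, bytes, int]:
    """Parse one BER tag-length-value at buf[pos:end].

    Returns (tag, value, position after the element). Every length is checked
    against the bounds of the *enclosing* element, so a nested length cannot
    read past its parent even when the outer packet is long enough."""
    if pos >= end:
        raise BerError("truncated: missing tag")
    tag = buf[pos]
    pos += 1
    if pos >= end:
        raise BerError("truncated: missing length")
    first = buf[pos]
    pos += 1
    if first == 0x80:
        raise BerError("indefinite length is not allowed in SNMP")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise BerError(f"unsupported length-of-length {n}")
        if pos + n > end:
            raise BerError("truncated: length bytes overrun element")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if length > end - pos:
        raise BerError(f"length {length} exceeds the {end - pos} bytes available")
    return tag, buf[pos:pos + length], pos + length


def iter_children(value: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = read_tlv(value, pos, len(value))
        yield tag, child


def decode_oid(raw: bytes) -> str:
    """Decode a BER OBJECT IDENTIFIER body into dotted form."""
    if not raw:
        raise BerError("empty OID")
    arcs = [raw[0] // 40, raw[0] % 40] if raw[0] < 80 else [2, raw[0] - 80]
    cur = 0
    for i in range(1, len(raw)):
        b = raw[i]
        cur = (cur << 7) | (b & 0x7F)
        if cur > 0xFFFFFFFF:
            raise BerError("OID sub-identifier overflows 32 bits")
        if b & 0x80:
            if i == len(raw) - 1:
                raise BerError("OID ends inside a sub-identifier")
            continue
        arcs.append(cur)
        cur = 0
    return ".".join(str(a) for a in arcs)


def parse_snmp_varbinds(packet: bytes) -> List[Tuple[str, int]]:
    """Walk Message -> PDU -> VarBindList of an SNMPv1/v2c packet and return
    (oid, value tag) pairs, refusing anything structurally inconsistent."""
    tag, msg, nxt = read_tlv(packet, 0, len(packet))
    if tag != 0x30 or nxt != len(packet):
        raise BerError("message must be a single SEQUENCE with no trailing bytes")
    fields = list(iter_children(msg))
    if len(fields) != 3 or fields[0][0] != 0x02 or fields[1][0] != 0x04:
        raise BerError("expected version INTEGER, community OCTET STRING, PDU")
    pdu_tag, pdu = fields[2]
    if pdu_tag == 0xA4 or not 0xA0 <= pdu_tag <= 0xA8:  # v1 Trap has another layout
        raise BerError(f"unexpected PDU tag 0x{pdu_tag:02x}")
    pdu_fields = list(iter_children(pdu))
    if len(pdu_fields) != 4 or pdu_fields[3][0] != 0x30:
        raise BerError("PDU must carry request-id, two INTEGERs and a VarBindList")
    varbinds = []
    for vb_tag, vb in iter_children(pdu_fields[3][1]):
        if vb_tag != 0x30:
            raise BerError("VarBind is not a SEQUENCE")
        parts = list(iter_children(vb))
        if len(parts) != 2 or parts[0][0] != 0x06:
            raise BerError("VarBind must be SEQUENCE { OID, value }")
        varbinds.append((decode_oid(parts[0][1]), parts[1][0]))
    return varbinds


def is_malformed(packet: bytes) -> bool:
    try:
        parse_snmp_varbinds(packet)
    except BerError:
        return True
    return False


def tlv(tag: int, value: bytes) -> bytes:
    """Minimal definite-length BER encoder used to build the samples below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed samples (not captured traffic): a well-formed SNMPv2c GetRequest
# for sysDescr.0, the same packet with the OID length byte inflated to claim
# 127 bytes inside a 12-byte VarBind, and one using an indefinite outer length.
SYSDESCR_0 = bytes.fromhex("2b06010201010100")           # 1.3.6.1.2.1.1.1.0
GOOD_GETREQUEST = tlv(0x30,
    tlv(0x02, b"\x01")                                  # version 1 = SNMPv2c
    + tlv(0x04, b"public")                              # community
    + tlv(0xA0,                                         # GetRequest-PDU
          tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")
          + tlv(0x30, tlv(0x30, tlv(0x06, SYSDESCR_0) + tlv(0x05, b"")))))
_oid_at = GOOD_GETREQUEST.index(bytes([0x06, len(SYSDESCR_0)]) + SYSDESCR_0)
BAD_OID_LENGTH = GOOD_GETREQUEST[:_oid_at + 1] + b"\x7f" + GOOD_GETREQUEST[_oid_at + 2:]
BAD_INDEFINITE = b"\x30\x80" + GOOD_GETREQUEST[2:] + b"\x00\x00"
```

The point of `read_tlv` taking an explicit `end` is that each element is bounded by its parent, not by the datagram: `BAD_OID_LENGTH` is a perfectly sized UDP payload whose only defect is one inner length byte, which is exactly the kind of input a parser that checks lengths only against the packet size would read past.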

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cisco NX-OS: 5.2 - 14.1

Cisco FXOS: 2.2 - 2.4

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-fxnxos-snmp-dos


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU20496

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1977

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack against an endpoint behind the ACI fabric.

The vulnerability exists due to improper endpoint learning when packets are received on a specific port from outside the ACI fabric and are destined to an endpoint located on a border leaf while the "Disable Remote Endpoint Learning" option is enabled. A remote unauthenticated attacker can send traffic that triggers the faulty learning and cause a denial of service (DoS) condition on the targeted endpoint in certain circumstances.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cisco Nexus 9332PQ Switch: All versions

Cisco Nexus 9508 Switch: All versions

Cisco Nexus 9372TX-E Switch: All versions

Cisco Nexus 93108TC-EX Switch: All versions

Cisco Nexus 9504 Switch: All versions

Cisco Nexus 93120TX Switch: All versions

Cisco Nexus 93108TC-FX Switch: All versions

Cisco Nexus 9396TX Switch: All versions

Cisco Nexus 9396PX Switch: All versions

Cisco Nexus 9516 Switch: All versions

Cisco Nexus 9000 Series Switches in ACI Mode: All versions

Cisco NX-OS: 12.3.1h - 13.1.2p

Cisco Nexus 9372PX-E Switch: All versions

Cisco Nexus 9348GC-FXP Switch: All versions

Cisco Nexus 93180YC-EX Switch: All versions

Cisco Nexus 93128TX Switch: All versions

Cisco Nexus 93180YC-FX Switch: All versions

Cisco Nexus 9364C Switch: All versions

Cisco Nexus 9372PX Switch: All versions

Cisco Nexus 93180LC-EX Switch: All versions

Cisco Nexus 9336PQ ACI Spine Switch: All versions

Cisco Nexus 9372TX Switch: All versions

Cisco Nexus 9336C-FX2 Switch: All versions

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nexus-aci-dos


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How can an attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Resource exhaustion

EUVDB-ID: #VU20491

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1965

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to exhaust system resources and cause unexpected system behaviour or crashes.

The vulnerability exists in Virtual Shell (VSH) session management because the VSH process is not properly deleted when a remote management connection to the device is torn down. A remote authenticated attacker can repeatedly open a remote management connection to the device and terminate it in an unexpected manner, leaving orphaned VSH processes behind; their accumulation can lead to a system-wide denial of service (DoS) condition.

This vulnerability affects the following products when they are running Cisco NX-OS Software:

  • MDS 9000 Series Multilayer Switches
  • Nexus 3000 Series Switches
  • Nexus 3500 Platform Switches
  • Nexus 3600 Platform Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 7700 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode
  • Nexus 9500 R-Series Switching Platform
  • UCS 6200 Series Fabric Interconnects
  • UCS 6300 Series Fabric Interconnects


Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cisco NX-OS: 3.2 - 8.3

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-memleak-dos


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Input validation error

EUVDB-ID: #VU20489

Risk: High

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1964

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause an unexpected restart of the netstack process on an affected device.

The vulnerability exists due to improper validation of IPv6 traffic sent through an affected device. A remote unauthenticated attacker can send a malformed IPv6 packet through an affected device and cause a denial of service (DoS) condition while the netstack process restarts. A sustained attack could lead to a reboot of the device.

This vulnerability affects the following products when they are running Cisco NX-OS Software:

  • Nexus 7000 Series Switches
  • Nexus 7700 Series Switches

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cisco NX-OS: 8.1 - 8.3

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-ipv6-dos


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Input validation error

EUVDB-ID: #VU20488

Risk: High

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1962

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of TCP packets processed by the Cisco Fabric Services over IP (CFSoIP) feature. A remote unauthenticated attacker can send a malicious Cisco Fabric Services TCP packet to an affected device, causing process crashes that result in a device reload and a DoS condition.

This vulnerability affects the following products when they are running Cisco NX-OS Software with CFSoIP enabled:

  • MDS 9000 Series Multilayer Switches
  • Nexus 3000 Series Switches
  • Nexus 3500 Platform Switches
  • Nexus 3600 Platform Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 7700 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode
  • Nexus 9500 R-Series Switching Platform
  • UCS 6200 Series Fabric Interconnects
  • UCS 6300 Series Fabric Interconnects


Mitigation

Install updates from the vendor's website. Only devices with CFSoIP enabled are exposed; `show cfs status` reports whether distribution over IP is enabled, and it is only turned on by an explicit `cfs ipv4 distribute` or `cfs ipv6 distribute` configuration.

Vulnerable software versions

Cisco NX-OS: 3.2 - 7.3

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-fsip-dos


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Input validation error

EUVDB-ID: #VU20487

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1968

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a system process to unexpectedly restart.

The vulnerability exists due to incorrect validation of the HTTP headers of a request sent to the NX-API feature. A remote unauthenticated attacker can send a specially crafted HTTP request to the NX-API and cause a denial of service (DoS) condition in the NX-API service; the NX-OS device itself remains available and continues to forward network traffic.

This vulnerability affects the following products when they are running Cisco NX-OS Software with the NX-API feature enabled:
  • MDS 9000 Series Multilayer Switches
  • Nexus 3000 Series Switches
  • Nexus 3500 Platform Switches
  • Nexus 3600 Platform Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 7700 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode
  • Nexus 9500 R-Series Switching Platform

Mitigation

Install updates from the vendor's website. NX-API is only reachable when it has been enabled with `feature nxapi`; if it is not needed, `no feature nxapi` removes the attack surface entirely.

Vulnerable software versions

Cisco NX-OS: 6.0.2 A8 - 9.2

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-api-dos


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Resource management error

EUVDB-ID: #VU20486

Risk: High

CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1967

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the Network Time Protocol (NTP) feature due to excessive use of system resources when logging a drop action for received MODE_PRIVATE (Mode 7) NTP packets. A remote attacker can flood the device with a steady stream of Mode 7 NTP packets and cause high CPU and memory usage on the affected device, which could cause internal system processes to restart or cause the affected device to unexpectedly reload.

This vulnerability affects the following products when they are running Cisco NX-OS Software with the NTP feature enabled:
  • MDS 9000 Series Multilayer Switches
  • Nexus 3000 Series Switches
  • Nexus 3500 Platform Switches
  • Nexus 3600 Platform Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 7700 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode
  • Nexus 9500 R-Series Switching Platform
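The attack above is a volumetric one, so the useful detection is a per-source rate of Mode 7 packets arriving on UDP/123 toward the switch. The code below is an added example (not Cisco's code and not from the advisory): it classifies NTP packets by the mode bits in the first header byte and raises a single alert per source that exceeds a sliding-window threshold. The packets and timestamps are constructed for the example, and the threshold of 20 packets per second is an illustrative value to tune against your own management-plane baseline.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Mode values from the first NTP header byte (LI:2 | VN:3 | Mode:3), RFC 5905.
NTP_MODE_NAMES = {
    0: "reserved", 1: "symmetric-active", 2: "symmetric-passive", 3: "client",
    4: "server", 5: "broadcast", 6: "control", 7: "private",
}


def ntp_mode(payload: bytes) -> int:
    """Association mode from the low three bits of the first header byte."""
    if not payload:
        raise ValueError("empty NTP payload")
    return payload[0] & 0x07


def ntp_version(payload: bytes) -> int:
    """Protocol version from bits 3..5 of the first header byte."""
    if not payload:
        raise ValueError("empty NTP payload")
    return (payload[0] >> 3) & 0x07


class Mode7FloodDetector:
    """Sliding-window counter of Mode 7 packets per source.

    observe() returns True exactly once per source, at the packet that pushes
    that source to `threshold` Mode 7 packets within `window_ms`."""

    def __init__(self, threshold: int, window_ms: int) -> None:
        self.threshold = threshold
        self.window_ms = window_ms
        self._seen: Dict[str, Deque[int]] = defaultdict(deque)
        self._alerted = set()

    def observe(self, ts_ms: int, src: str, payload: bytes) -> bool:
        if ntp_mode(payload) != 7:
            return False
        window = self._seen[src]
        window.append(ts_ms)
        while window and ts_ms - window[0] > self.window_ms:
            window.popleft()
        if len(window) >= self.threshold and src not in self._alerted:
            self._alerted.add(src)
            return True
        return False


def detect_mode7_floods(events, threshold: int = 20,
                        window_ms: int = 1000) -> List[Tuple[int, str]]:
    """Run the detector over (ts_ms, src_ip, udp_payload) events in time order
    and return (timestamp, source) for each source that crossed the threshold."""
    det = Mode7FloodDetector(threshold, window_ms)
    return [(ts, src) for ts, src, payload in events
            if det.observe(ts, src, payload)]


# Constructed packets: a normal v3 client poll (0x1B = LI 0, VN 3, Mode 3) and
# a v2 Mode 7 private request (0x17 = LI 0, VN 2, Mode 7), bodies zero-filled.
CLIENT_PKT = bytes([0x1B]) + bytes(47)
MODE7_PKT = bytes([0x17]) + bytes(47)


def build_sample_events() -> List[Tuple[int, str, bytes]]:
    """Constructed traffic sample: benign polls, two ntpdc-style queries from a
    monitoring host, and one source sending Mode 7 at 100 packets per second."""
    events = [(100000 + i * 64000, "10.0.0.5", CLIENT_PKT) for i in range(4)]
    events += [(100500, "10.0.0.9", MODE7_PKT), (130500, "10.0.0.9", MODE7_PKT)]
    events += [(100000 + i * 10, "192.0.2.10", MODE7_PKT) for i in range(50)]
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for ts, src in detect_mode7_floods(build_sample_events()):
        print(f"t={ts} ms: {src} exceeded the Mode 7 rate; candidate NTP DoS source")
```

The occasional Mode 7 query from a legitimate monitoring host is not flagged, because the detector keys on rate within a window rather than on the mode alone; on the affected platforms it is the sustained stream, not a single packet, that drives the CPU and memory cost of logging the drop action.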

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Cisco NX-OS: 6.0.2 A8 - 9.2

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-ntp-dos


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


