Vulnerability identifier: #VU72510
Vulnerability risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-287
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Cisco Nexus 9300-FX3 Series Fabric Extender (FEX)
Hardware solutions /
Routers & switches, VoIP, GSM, etc
UCS 6400 Series Fabric Interconnects
Hardware solutions /
Routers & switches, VoIP, GSM, etc
UCS 6500 Series Fabric Interconnects
Hardware solutions /
Routers & switches, VoIP, GSM, etc
N9K-C93180YC-FX3
Hardware solutions /
Routers & switches, VoIP, GSM, etc
N9K-C93180YC-FX3S
Hardware solutions /
Routers & switches, VoIP, GSM, etc
Cisco UCS
Other software /
Other software solutions
Vendor: Cisco Systems, Inc
Description
The vulnerability allows a local attacker to bypass authentication process.
The vulnerability exists due to the improper implementation of the password validation function. An attacker with physical access can bypass authentication and execute a limited set of commands local to the FEX, leading to a device reboot and denial of service (DoS) condition.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Cisco Nexus 9300-FX3 Series Fabric Extender (FEX): All versions
UCS 6400 Series Fabric Interconnects: All versions
UCS 6500 Series Fabric Interconnects: All versions
N9K-C93180YC-FX3: All versions
N9K-C93180YC-FX3S: All versions
Cisco UCS: 4.2
External links
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-elyfex-dos-gfvcByx
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.