#VU774 Remote code execution in Cisco Nexus 7700 Series Switches and Cisco Nexus 7000 Series Switches - CVE-2016-1453


Updated: 2016-10-06

Vulnerability identifier: #VU774

Vulnerability risk: Medium

CVSSv4.0: 8.7 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Green]

CVE-ID: CVE-2016-1453

CWE-ID: CWE-20

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Cisco Nexus 7700 Series Switches
Hardware solutions / Routers & switches, VoIP, GSM, etc
Cisco Nexus 7000 Series Switches
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: Cisco Systems, Inc

Description
The vulnerability allows a remote unauthenticated user to cause the target system to reload or to execute arbitrary code.
The weakness is due to a buffer overflow caused by insufficient validation of the size of OTV packet header parameters. By sending a specially crafted OTV UDP packet to the OTV interface, an attacker can cause the OTV process to reload or execute arbitrary code and obtain full control of the system.
Successful exploitation of the vulnerability results in arbitrary code execution and complete access to the vulnerable system.

Mitigation

The following Access Control List (ACL) can be configured to drop malformed OTV control packets.

IP access list OTV_PROT_V1
  10 deny udp any any fragments 
  20 deny udp any any eq 8472 packet-length lt 54 
  30 permit ip any any
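
How the three ACL entries above classify packets under first-match evaluation, as an added Python example that is not part of the original advisory or Cisco's code. It assumes `packet-length` is compared against the IPv4 total-length field and that `fragments` matches non-initial fragments only; the helper names and sample packets are constructed for illustration.

```python
import struct

OTV_UDP_PORT = 8472  # UDP port matched by ACL entry 20
MIN_LENGTH = 54      # entry 20 denies packets with packet-length lt 54

def build_ipv4_udp(total_len, dport, frag_offset=0):
    """Constructed sample: 20-byte IPv4 header, 8-byte UDP header, zero padding.
    Checksums are left at 0 because the ACL does not look at them."""
    assert total_len >= 28, "needs room for the IPv4 and UDP headers"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, frag_offset & 0x1FFF,
                     64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp = struct.pack("!HHHH", 40000, dport, total_len - 20, 0)
    return (ip + udp).ljust(total_len, b"\x00")

def evaluate_acl(packet):
    """Return (entry, action) for the first OTV_PROT_V1 entry that matches."""
    ver_ihl, _, total_len, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    header_len = (ver_ihl & 0x0F) * 4
    if proto == 17:  # UDP
        # Entry 10: deny udp any any fragments
        # Assumption: "fragments" matches non-initial fragments (offset != 0).
        if flags_frag & 0x1FFF:
            return 10, "deny"
        # Entry 20: deny udp any any eq 8472 packet-length lt 54
        # Assumption: packet-length is the IPv4 total-length field.
        (dport,) = struct.unpack("!H", packet[header_len + 2:header_len + 4])
        if dport == OTV_UDP_PORT and total_len < MIN_LENGTH:
            return 20, "deny"
    # Entry 30: permit ip any any
    return 30, "permit"

def classify_samples():
    """Run the ACL model over constructed packets; returns {label: (entry, action)}."""
    samples = {
        "otv_53_bytes": build_ipv4_udp(53, OTV_UDP_PORT),
        "otv_54_bytes": build_ipv4_udp(54, OTV_UDP_PORT),
        "udp_fragment": build_ipv4_udp(100, OTV_UDP_PORT, frag_offset=185),
        "dns_40_bytes": build_ipv4_udp(40, 53),
    }
    return {label: evaluate_acl(pkt) for label, pkt in samples.items()}

if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print(label, verdict)
```

Entry 20 uses a strict comparison, so a 54-byte packet to port 8472 falls through to the final permit, and entry 10 drops fragmented UDP regardless of port.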

The vulnerability is fixed in versions 7.2(2)D1(1) and 7.3(1)D1(1).

Vulnerable software versions

Cisco Nexus 7700 Series Switches: 5.0 - 7.3

Cisco Nexus 7000 Series Switches: 5.0 - 7.3


External links
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-otv


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

