===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2016.2336
Multiple vulnerabilities have been identified in Cisco NX-OS Products
6 October 2016
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Cisco NX-OS Software
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1454 CVE-2015-6392 CVE-2015-6393 CVE-2015-0721

Original Bulletin:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-bgp
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-dhcp1
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-dhcp2
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-nxaaa

Comment: This bulletin contains four (4) Cisco Systems security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco NX-OS Border Gateway Protocol Denial of Service Vulnerability

Advisory ID: cisco-sa-20161005-bgp

Revision 1.0

For Public Release 2016 October 5 16:00 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

A vulnerability in the Border Gateway Protocol (BGP) implementation of
Cisco NX-OS System Software could allow an unauthenticated, remote
attacker to cause a denial of service (DoS) condition due to the device
unexpectedly reloading.

The vulnerability is due to incomplete input validation of the BGP update
messages. An attacker could exploit this vulnerability by sending a
crafted BGP update message to the targeted device. An exploit could allow
the attacker to cause the switch to reload unexpectedly.

The Cisco implementation of the BGP protocol only accepts incoming BGP
traffic from explicitly defined peers. To exploit this vulnerability, an
attacker must be able to send the malicious packets over a TCP connection
that appears to come from a trusted BGP peer, or inject malformed
messages into the victim's BGP network. This would require obtaining
information about the BGP peers in the affected system's trusted network.

The vulnerability may be triggered when the router receives a malformed
BGP message from a peer on an existing BGP session. At least one BGP
neighbor session must be established for a router to be vulnerable.

If all BGP peers to the NX-OS Software are Cisco IOS, IOS-XE, or IOS-XR
devices and those devices are not configured for Cisco Multicast VPN
(MVPN) interautonomous system support, this vulnerability cannot be
remotely exploited.

Cisco has released software updates that address this vulnerability.
Workarounds that address this vulnerability are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-bgp


Cisco Security Advisory: Cisco NX-OS Software Crafted DHCPv4 Packet
Denial of Service Vulnerability

Advisory ID: cisco-sa-20161005-dhcp1

Revision: 1.0

For Public Release: 2016 October 5 16:00 GMT

+------------------------------------------------------------------------------

Summary
=======

A vulnerability in the implementation of the DHCPv4 relay agent and smart
relay agent in Cisco NX-OS Software could allow an unauthenticated,
remote attacker to cause a denial of service (DoS) condition on an
affected device.

The vulnerability is due to improper validation of crafted DHCPv4 offer
packets. An attacker could exploit this vulnerability by sending crafted
DHCPv4 offer packets to an affected device. An exploit could allow the
attacker to cause the DHCP process or device to crash.

This vulnerability can be exploited using IPv4 packets only. The
vulnerability can be triggered by crafted DHCP packets processed by a
DHCP relay agent or smart relay agent listening on the device using the
IPv4 broadcast address or the IPv4 unicast address of any interface
configured on a device.

Cisco has released software updates that address this vulnerability.
There are no workarounds that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-dhcp1


Cisco Security Advisory: Cisco NX-OS Software Malformed DHCPv4 Packet
Denial of Service Vulnerability

Advisory ID: cisco-sa-20161005-dhcp2

Revision: 1.0

For Public Release: 2016 October 5 16:00 GMT

+------------------------------------------------------------------------------

Summary
=======

A vulnerability in the implementation of the DHCPv4 relay agent in Cisco
NX-OS Software could allow an unauthenticated, remote attacker to cause a
denial of service (DoS) condition on an affected device.

The vulnerability is due to improper validation of malformed DHCPv4
packets. An attacker could exploit this vulnerability by sending
malformed DHCPv4 packets to an affected device. An exploit could allow
the attacker to cause the DHCP process or device to crash.

This vulnerability can be exploited using IPv4 packets only. The
vulnerability can be triggered by malformed DHCP packets processed by a
DHCP relay agent listening on the device, using the IPv4 broadcast
address or IPv4 unicast address of any interface configured on a device.

Cisco has released software updates that address this vulnerability.
There are no workarounds that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-dhcp2


Cisco Security Advisory: Cisco NX-OS Software-Based Products
Authentication, Authorization, and Accounting Bypass Vulnerability

Advisory ID: cisco-sa-20161005-nxaaa

Revision: 1.0

For Public Release: 2016 October 5 16:00 GMT

+------------------------------------------------------------------------------

Summary
=======

A vulnerability in the SSH subsystem of the Cisco Nexus family of
products could allow an authenticated, remote attacker to bypass
authentication, authorization, and accounting (AAA) restrictions.

The vulnerability is due to the improper processing of certain parameters
that are passed to an affected device during the negotiation of an SSH
connection. An attacker could exploit this vulnerability by
authenticating to an affected device and passing a malicious value as
part of the login procedure. A successful exploit could allow an attacker
to bypass AAA restrictions and execute commands on the device
command-line interface (CLI) that should be restricted to a different
privileged user role.

Cisco has released software updates that address this vulnerability.
There are no workarounds that address this vulnerability.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-nxaaa

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================