-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0193.2
      Multiple vulnerabilities have been identified in Cisco NX-OS Software
                              22 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco NX-OS Software
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service       -- Remote/Unauthenticated
                   Unauthorised Access     -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0102 CVE-2018-0092 CVE-2018-0090

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nx-os

Comment: This bulletin contains three (3) Cisco Systems security advisories.

Revision History:  January 22 2018: Nexus 9000 Series Switches in standalone
                                    NX-OS mode moved from vulnerable to not
                                    vulnerable product list.
                   January 18 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Cisco NX-OS System Software Unauthorized User Account Deletion Vulnerability

Medium

Advisory ID:     cisco-sa-20180117-nxos1
First Published: 2018 January 17 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvg21120
CVSS Score:      Base 6.1
                 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:X/RL:X/RC:X
CVE-2018-0092    CWE-264

Summary

A vulnerability in the network-operator user role implementation for Cisco
NX-OS System Software could allow an authenticated, local attacker to
improperly delete valid user accounts. The network-operator role should not be
able to delete other configured users on the device.
The vulnerability is due to a lack of proper role-based access control (RBAC)
checks for the actions that a user with the network-operator role is allowed
to perform. An attacker could exploit this vulnerability by authenticating to
the device with user credentials that give that user the network-operator
role. Successful exploitation could allow the attacker to impact the integrity
of the device by deleting configured user credentials. The attacker would need
valid user credentials for the device.

There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1

Affected Products

Vulnerable Products

This vulnerability affects the following Cisco products running Cisco NX-OS
System Software:

    Nexus 3000 Series Switches
    Nexus 3600 Platform Switches
    Nexus 9000 Series Switches in standalone NX-OS mode
    Nexus 9500 R-Series Line Cards and Fabric Modules

For information about affected software releases, consult the Cisco bug ID(s)
at the top of this advisory.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this
vulnerability.

The following Cisco products are not affected by this vulnerability:

    Firepower 2100 Series
    Firepower 4100 Series Next-Generation Firewall
    Firepower 9300 Security Appliance
    Multilayer Director Switches
    Nexus 1000V Series Switches
    Nexus 1100 Series Cloud Services Platforms
    Nexus 2000 Series Switches
    Nexus 3500 Platform Switches
    Nexus 5500 Platform Switches
    Nexus 5600 Platform Switches
    Nexus 6000 Series Switches
    Nexus 7000 Series Switches
    Nexus 7700 Series Switches
    Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
      (ACI) mode
    Unified Computing System (UCS) 6100 Series Fabric Interconnects
    UCS 6200 Series Fabric Interconnects
    UCS 6300 Series Fabric Interconnects

Workarounds

There are no workarounds that address this vulnerability.
Fixed Software

For information about fixed software releases, consult the Cisco bug ID(s) at
the top of this advisory.

When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade
solution.

In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release. If
the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerability that is described
in this advisory.

Source

This vulnerability was found during resolution of a Cisco TAC support case.

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1

Revision History

+---------+-------------------------+--------------+--------+-----------------+
| Version | Description             | Section      | Status | Date            |
+---------+-------------------------+--------------+--------+-----------------+
| 1.0     | Initial public release. | --           | Final  | 2018-January-17 |
+---------+-------------------------+--------------+--------+-----------------+

LEGAL DISCLAIMER

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information or
contain factual errors. The information in this document is intended for end
users of Cisco products.

- ---

Cisco Security Advisory

Cisco NX-OS System Software Management Interface Denial of Service
Vulnerability

Medium

Advisory ID:     cisco-sa-20180117-nxos
First Published: 2018 January 17 16:00 GMT
Last Updated:    2018 January 19 21:29 GMT
Version 1.1:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvf31132
CVSS Score:      Base 5.3
                 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:X
CVE-2018-0090    CWE-20

Summary

A vulnerability in management interface access control list (ACL)
configuration of Cisco NX-OS System Software could allow an unauthenticated,
remote attacker to bypass configured ACLs on the management interface. This
could allow traffic to be forwarded to the NX-OS CPU for processing, leading
to high CPU utilization and a denial of service (DoS) condition.

The vulnerability is due to a bad code fix in the 7.3.2 code train that could
allow traffic to the management interface to be misclassified and not match
the proper configured ACLs. An attacker could exploit this vulnerability by
sending crafted traffic to the management interface. An exploit could allow
the attacker to bypass the configured management interface ACLs and impact the
CPU of the targeted device, resulting in a DoS condition.

There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos

Affected Products

Vulnerable Products

This vulnerability affects the following Cisco products running Cisco NX-OS
System Software:

    Multilayer Director Switches
    Nexus 2000 Series Switches
    Nexus 3000 Series Switches
    Nexus 5500 Platform Switches
    Nexus 5600 Platform Switches
    Nexus 6000 Series Switches
    Nexus 7000 Series Switches
    Nexus 7700 Series Switches

For information about affected software releases, consult the Cisco bug ID(s)
at the top of this advisory.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this
vulnerability.

The following Cisco products are not affected by this vulnerability:

    Firepower 2100 Series
    Firepower 4100 Series Next-Generation Firewall
    Firepower 9300 Security Appliance
    Nexus 1000V Series Switches
    Nexus 1100 Series Cloud Services Platforms
    Nexus 3500 Platform Switches
    Nexus 3600 Platform Switches
    Nexus 9000 Series Switches in standalone NX-OS mode
    Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
      (ACI) mode
    Nexus 9500 R-Series Line Cards and Fabric Modules
    Unified Computing System (UCS) 6100 Series Fabric Interconnects
    UCS 6200 Series Fabric Interconnects
    UCS 6300 Series Fabric Interconnects

Workarounds

There are no workarounds that address this vulnerability.

Fixed Software

For information about fixed software releases, consult the Cisco bug ID(s) at
the top of this advisory.

When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade
solution.

In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerability that is described
in this advisory.

Source

This vulnerability was found during resolution of a Cisco TAC support case.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos

Revision History

+---------+-------------------------+--------------+--------+-----------------+
| Version | Description             | Section      | Status | Date            |
+---------+-------------------------+--------------+--------+-----------------+
|         | Nexus 9000 Series       | Vulnerable   |        |                 |
|         | Switches in standalone  | Products,    |        |                 |
| 1.1     | NX-OS mode moved from   | Products     | Final  | 2018-January-19 |
|         | vulnerable to not       | Confirmed    |        |                 |
|         | vulnerable product      | Not          |        |                 |
|         | list.                   | Vulnerable   |        |                 |
+---------+-------------------------+--------------+--------+-----------------+
| 1.0     | Initial public release. | --           | Final  | 2018-January-17 |
+---------+-------------------------+--------------+--------+-----------------+

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information or
contain factual errors. The information in this document is intended for end
users of Cisco products.

- ---

Cisco Security Advisory

Cisco NX-OS Software Pong Packet Denial of Service Vulnerability

High

Advisory ID:     cisco-sa-20180117-nx-os
First Published: 2018 January 17 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCuv98660
CVSS Score:      Base 7.4
                 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
CVE-2018-0102    CWE-399

Summary

A vulnerability in the Pong tool of Cisco NX-OS Software could allow an
unauthenticated, adjacent attacker to cause a reload of an affected device,
resulting in a denial of service (DoS) condition.

The vulnerability exists because the affected software attempts to free the
same area of memory twice. An attacker could exploit this vulnerability by
sending a pong request to an affected device from a location on the network
that causes the pong reply packet to egress both a FabricPath port and a
non-FabricPath port. An exploit could allow the attacker to cause a dual or
quad supervisor virtual port-channel (vPC) to reload.

Note: This vulnerability is exploitable only when all of the following are
true:

    The Pong tool is enabled on an affected device. The Pong tool is disabled
      in NX-OS by default.
    The FabricPath feature is enabled on an affected device. The FabricPath
      feature is disabled in NX-OS by default.
    A FabricPath port is actively monitored via a Switched Port Analyzer
      (SPAN) session. SPAN sessions are not configured or enabled in NX-OS by
      default.

Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nx-os

Affected Products

Vulnerable Products

This vulnerability affects the following products when running Cisco NX-OS
Software Release 7.2(1)D(1), 7.2(2)D1(1), or 7.2(2)D1(2) with both the Pong
and FabricPath features enabled and the FabricPath port is actively monitored
via a SPAN session:

    Cisco Nexus 7000 Series Switches
    Cisco Nexus 7700 Series Switches

To determine whether a device is running a vulnerable release of Cisco NX-OS
Software, administrators can use the show version command in the NX-OS
command-line interface (CLI). The following example shows the output of the
show version command for a Cisco Nexus 7000 Series Switch running Cisco NX-OS
Software Release 7.2(2)D1(2):

    Nexus# show version
    Cisco Nexus Operating System (NX-OS) Software
    TAC support: http://www.cisco.com/tac
    Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
    Copyright (c) 2002-2016, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained in this software are
    owned by other third parties and used and distributed under
    license. Certain components of this software are licensed under
    the GNU General Public License (GPL) version 2.0 or the GNU
    Lesser General Public License (LGPL) Version 2.1. A copy of each
    such license is available at
    http://www.opensource.org/licenses/gpl-2.0.php and
    http://www.opensource.org/licenses/lgpl-2.1.php

    Software
      BIOS:      version 2.12.0
      kickstart: version 7.2(2)D1(2)
      system:    version 7.2(2)D1(2)

To determine whether a device has the Pong tool enabled, administrators can
use the show running-config | include "feature pong" command in the NX-OS
CLI.
The following example shows the output of this command for a Cisco Nexus 7000
Series Switch that has the Pong tool enabled (if this command returns empty
output, the Pong tool is not enabled):

    Nexus# show running-config | include "feature pong"
    feature pong

To determine whether a device has the FabricPath feature enabled,
administrators can use the show running-config | include "feature-set
fabricpath" command in the NX-OS CLI. The following example shows the output
of this command for a Cisco Nexus 7000 Series Switch that has the FabricPath
feature enabled (if this command returns empty output, the FabricPath feature
is not enabled):

    Nexus# show running-config | include "feature-set fabricpath"
    feature-set fabricpath

To determine whether a device has a SPAN session configured, administrators
can use the show running-config monitor command in the NX-OS CLI. The
following example shows the output of this command for a Cisco Nexus 7000
Series Switch that has a SPAN session monitoring interface Ethernet 1/10
configured and enabled (if this command returns empty output, no SPAN session
is configured):

    Nexus# show running-config monitor

    !Command: show running-config monitor
    !Time: Mon Oct  9 12:04:52 2017

    version 7.2(2)D1(2)

    monitor session 1
      source interface Ethernet1/10 both
      destination interface Ethernet1/12
      no shut

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this
vulnerability.

Cisco has confirmed that this vulnerability does not affect Cisco NX-OS
Software Releases 7.2(0)D1(1) and earlier.

Cisco has confirmed that this vulnerability does not affect Cisco Multilayer
Director Switches as the affected NX-OS releases are not available for this
platform.

Details

The Pong tool utilizes synchronized clocks on the network to measure real-time
latency. Latency is the delay of the network between any two points as seen by
a frame traveling between the two points.
Pong measures port-to-port delays and is similar to the network-monitoring
utility Ping but provides for a greater depth of network diagnostics.

Indicators of Compromise

Exploitation of this vulnerability will cause an affected device to reload and
generate a pong core file. Contact the Cisco Technical Assistance Center (TAC)
to review the core file and determine whether the device has been compromised
by exploitation of this vulnerability.

Workarounds

There are no workarounds that address this vulnerability.

Fixed Software

Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support for
software versions and feature sets for which they have purchased a license. By
installing, downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Additionally, customers may only download software for which they have a valid
license, procured from Cisco directly, or through a Cisco authorized reseller
or partner. In most cases this will be a maintenance upgrade to software that
was previously purchased. Free security software updates do not entitle
customers to a new software license, additional software feature sets, or
major revision upgrades.

When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade
solution.

In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release. If
the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance providers.
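A scripted form of the four exposure checks that the Vulnerable Products section of cisco-sa-20180117-nx-os walks through by hand, added here as an example; it is not part of the AusCERT bulletin or of Cisco's advisory. It takes saved output of show version and show running-config (the sample captures below are constructed from the advisory's own example output), compares the system release against the three affected releases, and looks for feature pong, feature-set fabricpath, and an enabled SPAN session with a source interface. The function and class names are this example's own. Whether a monitored source port is actually a FabricPath port is not visible in these lines, so the script lists the SPAN sources for manual confirmation rather than deciding that itself.

```python
"""Exposure check for CVE-2018-0102 (cisco-sa-20180117-nx-os) from saved CLI output.

Added illustration, not code from Cisco or AusCERT. The function names, the
Exposure class and the sample captures are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Releases the advisory lists as vulnerable on Nexus 7000/7700 Series Switches.
AFFECTED_RELEASES = {"7.2(1)D(1)", "7.2(2)D1(1)", "7.2(2)D1(2)"}


@dataclass
class Exposure:
    system_version: Optional[str]
    version_affected: bool
    pong_enabled: bool
    fabricpath_enabled: bool
    # Source interfaces of SPAN sessions that are configured and not shut.
    span_sources: List[str] = field(default_factory=list)

    @property
    def exploitable(self) -> bool:
        """True when every precondition named in the advisory is present.

        The advisory also requires the monitored port to be a FabricPath port;
        that is not decidable from these lines, so confirm span_sources by hand.
        """
        return (self.version_affected and self.pong_enabled
                and self.fabricpath_enabled and bool(self.span_sources))


def parse_system_version(show_version: str) -> Optional[str]:
    """Return the release from the 'system: version ...' line of show version."""
    match = re.search(r"^\s*system:\s+version\s+(\S+)", show_version, re.MULTILINE)
    return match.group(1) if match else None


def feature_enabled(running_config: str, feature_line: str) -> bool:
    """True if the exact feature line (e.g. 'feature pong') is in the config."""
    return any(line.strip() == feature_line for line in running_config.splitlines())


def active_span_sources(running_config: str) -> List[str]:
    """Collect 'source interface' names from 'monitor session' blocks that are not shut.

    NX-OS prints an enabled session with a 'no shut' line and a disabled one
    with 'shut'; block members are the indented lines after the header.
    """
    sessions = []           # each entry: [sources, is_shut]
    current = None
    for raw in running_config.splitlines():
        line = raw.strip()
        if line.startswith("monitor session"):
            current = [[], False]
            sessions.append(current)
        elif current is not None and raw.startswith(" "):
            if line == "shut":
                current[1] = True
            match = re.match(r"source interface (\S+)", line)
            if match:
                current[0].append(match.group(1))
        elif line:              # an unindented line ends the session block
            current = None
    return [src for sources, is_shut in sessions if not is_shut for src in sources]


def assess(show_version: str, running_config: str) -> Exposure:
    """Apply the advisory's preconditions to the two captured command outputs."""
    version = parse_system_version(show_version)
    return Exposure(
        system_version=version,
        version_affected=version in AFFECTED_RELEASES,
        pong_enabled=feature_enabled(running_config, "feature pong"),
        fabricpath_enabled=feature_enabled(running_config, "feature-set fabricpath"),
        span_sources=active_span_sources(running_config),
    )


# Constructed captures, trimmed from the example output shown in the advisory.
SAMPLE_SHOW_VERSION = """\
Cisco Nexus Operating System (NX-OS) Software
Software
  BIOS:      version 2.12.0
  kickstart: version 7.2(2)D1(2)
  system:    version 7.2(2)D1(2)
"""

SAMPLE_RUNNING_CONFIG = """\
version 7.2(2)D1(2)
feature-set fabricpath
feature pong
monitor session 1
  source interface Ethernet1/10 both
  destination interface Ethernet1/12
  no shut
"""

if __name__ == "__main__":
    result = assess(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG)
    print(f"system version : {result.system_version} (affected: {result.version_affected})")
    print(f"feature pong   : {result.pong_enabled}")
    print(f"fabricpath     : {result.fabricpath_enabled}")
    print(f"SPAN sources   : {result.span_sources} (confirm these are FabricPath ports)")
    print("all advisory preconditions present" if result.exploitable
          else "not exposed per advisory preconditions")
```

Run it against the two captures saved from a device; a release outside the affected set, a missing feature line, or a SPAN session that is shut each clears the result, matching the advisory's statement that all conditions must hold together.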
Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale should
obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared to
provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases

This vulnerability is fixed in Cisco NX-OS Software Releases 7.3(0)D1(1) and
later. The software can be downloaded from the Software Center on Cisco.com by
navigating to Products > Switches > Data Center Switches > Nexus 7000 Series
Switches.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerability that is described
in this advisory.

Source

This vulnerability was found during the resolution of a Cisco TAC support
case.

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nx-os

Revision History

+---------+-------------------------+--------------+--------+-----------------+
| Version | Description             | Section      | Status | Date            |
+---------+-------------------------+--------------+--------+-----------------+
| 1.0     | Initial public release. | --           | Final  | 2018-January-17 |
+---------+-------------------------+--------------+--------+-----------------+

LEGAL DISCLAIMER

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information or
contain factual errors. The information in this document is intended for end
users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWmU1bIx+lLeg9Ub1AQgjKA//ZTfuoMrLRTemQm/6JtFeV9+d8Hq9wfMK
U3Blo7uUgzn/kzGGY1jrSnLsC/06LfTKcx8Yn5yYO7kG5WY9u46cujzvDlJh3lGi
mR+tHP4Yx7iGGGMz/YTGWmk+KlEUg34+xa2oOg8ph+7ZkLhpONbfJiwN6Is6hzbJ
1QlmuZAlRHhoPe2rqECax/Swkv1YkOOfIzEHp3MA+eMlk3PZXPnZNUqgJVKUKfxg
xK9ffEG1wZpZIEQRvO9DZu60HEkRL7PCLB22Eh9iuUicZ/0xWRoXU86gDo43y+Vh
Dbas9lpPzObopInaB5eW5PYYwPe7b/0OheCBVLrtbn0s788gBow9IIwaGrwdSw06
o6X20IusDm8A9d/+tMlYz6j1H27/oHY5C3ev4cQ+lAcSd/+r0TKz5s1XhJJPlO3O
3EXEyPBjymSl5dAw7LHBuAiHhx86uR56bYqV/PB/ZOve8ZRXSXxzCxF9aYBf2AqL
WrD62BhdyukkeRxybtxGcTveRXZCfdDXW73P+hs8DH2lH98q4hEUAZ3WRp+zphDQ
jjHdH4s5QcuRVoWmzkUyiSC4wSuBxLuxEV5tcdN+Jv3ShsLigYaB/QTXMlHs1Yw+
Gji1DvuNWFRTeFGvgDVphWpWWOKi668VJelDgHVPa2/Tm/wpDs0fLEZAfGcwbvhh
CAIiYsM3yyk=
=ydo3
-----END PGP SIGNATURE-----