Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.0193.2
Multiple vulnerabilities have been identified in Cisco NX-OS Software
22 January 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco NX-OS Software
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Denial of Service -- Remote/Unauthenticated
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2018-0102 CVE-2018-0092 CVE-2018-0090
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nx-os
Comment: This bulletin contains three (3) Cisco Systems security advisories.
Revision History: January 22 2018: Nexus 9000 Series Switches in standalone NX-OS mode moved
from vulnerable to not vulnerable product list.
January 18 2018: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Security Advisory
Cisco NX-OS System Software Unauthorized User Account Deletion Vulnerability
Medium
Advisory ID: cisco-sa-20180117-nxos1
First Published: 2018 January 17 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs:
CSCvg21120
CVSS Score:
Base 6.1
Base 6.1 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:X/RL:X/RC:X
CVE-2018-0092
CWE-264
Summary
A vulnerability in the network-operator user role implementation for Cisco
NX-OS System Software could allow an authenticated, local attacker to
improperly delete valid user accounts. The network-operator role should not be
able to delete other configured users on the device.
The vulnerability is due to a lack of proper role-based access control (RBAC)
checks for the actions that a user with the network-operator role is allowed
to perform. An attacker could exploit this vulnerability by authenticating to
the device with user credentials that give that user the network-operator
role. Successful exploitation could allow the attacker to impact the integrity
of the device by deleting configured user credentials. The attacker would need
valid user credentials for the device.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1
Affected Products
Vulnerable Products
This vulnerability affects the following Cisco products running Cisco NX-OS
System Software:
Nexus 3000 Series Switches
Nexus 3600 Platform Switches
Nexus 9000 Series Switches in standalone NX-OS mode
Nexus 9500 R-Series Line Cards and Fabric Modules
For information about affected software releases, consult the Cisco bug ID(s)
at the top of this advisory.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this
vulnerability.
The following Cisco products are not affected by this vulnerability:
Firepower 2100 Series
Firepower 4100 Series Next-Generation Firewall
Firepower 9300 Security Appliance
Multilayer Director Switches
Nexus 1000V Series Switches
Nexus 1100 Series Cloud Services Platforms
Nexus 2000 Series Switches
Nexus 3500 Platform Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI)
mode
Unified Computing System (UCS) 6100 Series Fabric Interconnects
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
Workarounds
There are no workarounds that address this vulnerability.
Fixed Software
For information about fixed software releases, consult the Cisco bug ID(s) at
the top of this advisory.
When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade
solution.
In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release. If
the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance providers.
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerability that is described
in this advisory.
Source
This vulnerability was found during resolution of a Cisco TAC support case.
URL
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1
Revision History
+---------+-------------------------+--------------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+-------------------------+--------------+--------+-----------------+
| 1.0 | Initial public release. | -- | Final | 2018-January-17|
+---------+-------------------------+--------------+--------+-----------------+
LEGAL DISCLAIMER
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information or
contain factual errors. The information in this document is intended for end
users of Cisco products.
- ---
Cisco Security Advisory
Cisco NX-OS System Software Management Interface Denial of Service
Vulnerability
Medium
Advisory ID:
cisco-sa-20180117-nxos
First Published:
2018 January 17 16:00 GMT
Last Updated:
2018 January 19 21:29 GMT
Version 1.1:
Final
Workarounds:
No workarounds available
Cisco Bug IDs:
CSCvf31132
CVE-2018-0090
CWE-20
CVSS Score:
Base 5.3[blue-squar]Click Icon to Copy Verbose Score
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:X
CVE-2018-0090
CWE-20
Summary
o A vulnerability in management interface access control list (ACL)
configuration of Cisco NX-OS System Software could allow an
unauthenticated, remote attacker to bypass configured ACLs on the
management interface. This could allow traffic to be forwarded to the NX-OS
CPU for processing, leading to high CPU utilization and a denial of service
(DoS) condition.
The vulnerability is due to a bad code fix in the 7.3.2 code train that
could allow traffic to the management interface to be misclassified and not
match the proper configured ACLs. An attacker could exploit this
vulnerability by sending crafted traffic to the management interface. An
exploit could allow the attacker to bypass the configured management
interface ACLs and impact the CPU of the targeted device, resulting in a
DoS condition.
There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20180117-nxos
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products running Cisco NX-OS
System Software:
Multilayer Director Switches
Nexus 2000 Series Switches
Nexus 3000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
For information about affected software releases, consult the Cisco bug ID
(s) at the top of this advisory.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this
vulnerability.
The following Cisco products are not affected by this vulnerability:
Firepower 2100 Series
Firepower 4100 Series Next-Generation Firewall
Firepower 9300 Security Appliance
Nexus 1000V Series Switches
Nexus 1100 Series Cloud Services Platforms
Nexus 3500 Platform Switches
Nexus 3600 Platform Switches
Nexus 9000 Series Switches in standalone NX-OS mode
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
(ACI) mode
Nexus 9500 R-Series Line Cards and Fabric Modules
Unified Computing System (UCS) 6100 Series Fabric Interconnects
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o For information about fixed software releases, consult the Cisco bug ID(s)
at the top of this advisory.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during resolution of a Cisco TAC support case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
o Subscribe
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20180117-nxos
Revision History
o
+---------+-------------------------+--------------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+-------------------------+--------------+--------+-----------------+
| | Nexus 9000 Series | Vulnerable | | |
| | Switches in standalone | Products, | | |
| 1.1 | NX-OS mode moved from | Products | Final | 2018-January-19 |
| | vulnerable to not | Confirmed | | |
| | vulnerable product | Not | | |
| | list. | Vulnerable | | |
+---------+-------------------------+--------------+--------+-----------------+
| 1.0 | Initial public release. | -- | Final | 2018-January-17 |
+---------+-------------------------+--------------+--------+-----------------+
Show Less
Legal Disclaimer
o THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information
or contain factual errors. The information in this document is intended for
end users of Cisco products.
- ---
isco Security Advisory
Cisco NX-OS Software Pong Packet Denial of Service Vulnerability
High
Advisory ID: cisco-sa-20180117-nx-os
First Published: 2018 January 17 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs:
CSCuv98660
CVSS Score:
Base 7.4
Base 7.4 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
CVE-2018-0102
CWE-399
Summary
A vulnerability in the Pong tool of Cisco NX-OS Software could allow an
unauthenticated, adjacent attacker to cause a reload of an affected device,
resulting in a denial of service (DoS) condition.
The vulnerability exists because the affected software attempts to free the
same area of memory twice. An attacker could exploit this vulnerability by
sending a pong request to an affected device from a location on the network
that causes the pong reply packet to egress both a FabricPath port and a
non-FabricPath port. An exploit could allow the attacker to cause a dual or
quad supervisor virtual port-channel (vPC) to reload.
Note: This vulnerability is exploitable only when all of the following are
true:
The Pong tool is enabled on an affected device. The Pong tool is disabled in
NX-OS by default.
The FabricPath feature is enabled on an affected device. The FabricPath
feature is disabled in NX-OS by default.
A FabricPath port is actively monitored via a Switched Port Analyzer (SPAN)
session. SPAN sessions are not configured or enabled in NX-OS by default.
Cisco has released software updates that address this vulnerability. There are
no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nx-os
Affected Products
Vulnerable Products
This vulnerability affects the following products when running Cisco NX-OS
Software Release 7.2(1)D(1), 7.2(2)D1(1), or 7.2(2)D1(2) with both the Pong
and FabricPath features enabled and the FabricPath port is actively monitored
via a SPAN session:
Cisco Nexus 7000 Series Switches
Cisco Nexus 7700 Series Switches
To determine whether a device is running a vulnerable release of Cisco NX-OS
Software, administrators can use the show version command in the NX-OS
command-line interface (CLI).
The following example shows the output of the show version command for a Cisco
Nexus 7000 Series Switch running Cisco NX-OS Software Release 7.2(2)D1(2):
Nexus# show version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents:
http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
Copyright (c) 2002-2016, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
Software
BIOS: version 2.12.0
kickstart: version 7.2(2)D1(2)
system: version 7.2(2)D1(2)
To determine whether a device has the Pong tool enabled, administrators can
use the show running-config | include "feature pong" command in the NX-OS CLI.
The following example shows the output of this command for a Cisco Nexus 7000
Series Switch that has the Pong tool enabled (if this command returns empty
output the Pong tool is not enabled):
Nexus# show running-config | include "feature pong"
feature pong
To determine whether a device has the FabricPath feature enabled,
administrators can use the show running-config | include "feature-set
fabricpath" command in the NX-OS CLI. The following example shows the output
of this command for a Cisco Nexus 7000 Series Switch that has the FabricPath
feature enabled (if this command returns empty output, the FabricPath feature
is not enabled):
Nexus# show running-config | include "feature-set fabricpath"
feature-set fabricpath
To determine whether a device has a SPAN session configured, administrators
can use the show running-config monitor command in NX-OS CLI. The following
example shows the output of this command for a Cisco Nexus 7000 Series Switch
that has a SPAN session monitoring interface Ethernet 1/10 configured and
enabled (if this command returns empty output, no SPAN session is configured):
Nexus# show running-config monitor
!Command: show running-config monitor
!Time: Mon Oct 9 12:04:52 2017
version 7.2(2)D1(2)
monitor session 1
source interface Ethernet1/10 both
destination interface Ethernet1/12 no shut
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this
vulnerability.
Cisco has confirmed that this vulnerability does not affect Cisco NX-OS
Software Releases 7.2(0)D1(1) and earlier.
Cisco has confirmed that this vulnerability does not affect Cisco Multilayer
Director Switches as the affected NX-OS releases are not available for this
platform.
Details
The Pong tool utilizes synchronized clocks on the network to measure real-time
latency. Latency is the delay of the network between any two points as seen by
a frame traveling between the two points. Pong measures port-to-port delays
and is similar to the network-monitoring utility Ping but provides for a
greater depth of network diagnostics.
Indicators of Compromise
Exploitation of this vulnerability will cause an affected device to reload and
generate a pong core file. Contact the Cisco Technical Assistance Center (TAC)
to review the core file and determine whether the device has been compromised
by exploitation of this vulnerability.
Workarounds
There are no workarounds that address this vulnerability.
Fixed Software
Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support for
software versions and feature sets for which they have purchased a license. By
installing, downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a valid
license, procured from Cisco directly, or through a Cisco authorized reseller
or partner. In most cases this will be a maintenance upgrade to software that
was previously purchased. Free security software updates do not entitle
customers to a new software license, additional software feature sets, or
major revision upgrades.
When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade
solution.
In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release. If
the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale should
obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to
provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Releases
This vulnerability is fixed in Cisco NX-OS Software Releases 7.3(0)D1(1) and
later.
The software can be downloaded from the Software Center on Cisco.com by
navigating to Products > Switches > Data Center Switches > Nexus 7000 Series
Switches.
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerability that is described
in this advisory.
Source
This vulnerability was found during the resolution of a Cisco TAC support
case.
URL
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nx-os
+---------+-------------------------+--------------+--------+-----------------+
| Version | Description | Section | Status | Date |
+---------+-------------------------+--------------+--------+-----------------+
| 1.0 | Initial public release. | -- | Final | 2018-January-17|
+---------+-------------------------+--------------+--------+-----------------+
LEGAL DISCLAIMER
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the
distribution URL is an uncontrolled copy and may lack important information or
contain factual errors. The information in this document is intended for end
users of Cisco products.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWmU1bIx+lLeg9Ub1AQgjKA//ZTfuoMrLRTemQm/6JtFeV9+d8Hq9wfMK
U3Blo7uUgzn/kzGGY1jrSnLsC/06LfTKcx8Yn5yYO7kG5WY9u46cujzvDlJh3lGi
mR+tHP4Yx7iGGGMz/YTGWmk+KlEUg34+xa2oOg8ph+7ZkLhpONbfJiwN6Is6hzbJ
1QlmuZAlRHhoPe2rqECax/Swkv1YkOOfIzEHp3MA+eMlk3PZXPnZNUqgJVKUKfxg
xK9ffEG1wZpZIEQRvO9DZu60HEkRL7PCLB22Eh9iuUicZ/0xWRoXU86gDo43y+Vh
Dbas9lpPzObopInaB5eW5PYYwPe7b/0OheCBVLrtbn0s788gBow9IIwaGrwdSw06
o6X20IusDm8A9d/+tMlYz6j1H27/oHY5C3ev4cQ+lAcSd/+r0TKz5s1XhJJPlO3O
3EXEyPBjymSl5dAw7LHBuAiHhx86uR56bYqV/PB/ZOve8ZRXSXxzCxF9aYBf2AqL
WrD62BhdyukkeRxybtxGcTveRXZCfdDXW73P+hs8DH2lH98q4hEUAZ3WRp+zphDQ
jjHdH4s5QcuRVoWmzkUyiSC4wSuBxLuxEV5tcdN+Jv3ShsLigYaB/QTXMlHs1Yw+
Gji1DvuNWFRTeFGvgDVphWpWWOKi668VJelDgHVPa2/Tm/wpDs0fLEZAfGcwbvhh
CAIiYsM3yyk=
=ydo3
-----END PGP SIGNATURE-----