Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.3143
Cisco NX-OS Software Authenticated Simple Network Management
Protocol Denial of Service Vulnerability
18 October 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco NX-OS Software
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Denial of Service -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2018-0456
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-nxos-snmp
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco NX-OS Software Authenticated Simple Network Management Protocol Denial of
Service Vulnerability
Priority: High
Advisory ID: cisco-sa-20181017-nxos-snmp
First Published: 2018 October 17 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvj70029
CVE-2018-0456
CWE-20
CVSSÂ Score:
7.7 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the Simple Network Management Protocol (SNMP) input
packet processor of Cisco NX-OS Software could allow an authenticated,
remote attacker to cause the SNMP application of an affected device to
restart unexpectedly.
The vulnerability is due to improper validation of SNMP protocol data
units (PDUs) in SNMP packets. An attacker could exploit this vulnerability
by sending a crafted SNMP packet to an affected device. A successful
exploit could allow the attacker to cause the SNMP application to restart
multiple times, leading to a system-level restart and a denial of service
(DoS) condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-nxos-snmp
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they are
running a vulnerable release of Cisco NX-OS Software:
Nexus 3000 Series Switches
Nexus 3600 Platform Switches
Nexus 9000 Series Switches in standalone NX-OS mode
Nexus 9500 R-Series Line Cards and Fabric Modules
The only vulnerable software release for Nexus 3000 Series Switches and
for Nexus 9000 Series Switches in standalone NX-OS mode is 7.0(3)I7(3).
The only vulnerable software release for Nexus 3600 Platform Switches and
Nexus 9500 R-Series Line Cards and Fabric Modules is 7.0(3)F3(4).
Refer to the Fixed Software section of this security advisory for more
information about affected releases.
Determining the Status of SNMP
Administrators can determine whether SNMP is running on a device by using
the show running-config snmp command in the device CLI. If the command
returns output, SNMP is configured.
nxos-switch# show running-config snmp
.
.
.
snmp-server user admin network-admin auth md5 ***** priv ***** localizedkey
snmp-server community community-string group network-admin
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Firepower 2100 Series
Firepower 4100 Series Next-Generation Firewall
Firepower 9300 Security Appliance
MDS 9000 Series Multilayer Switches
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 2000 Series Switches
Nexus 3500 Platform Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Fabric Switches in Application Centric
Infrastructure (ACI) mode
Unified Computing System (UCS) 6100 Series Fabric Interconnects
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
UCS 6400 Series Fabric Interconnects
Details
o SNMP is an application-layer protocol that provides a standardized
framework and a common language for monitoring and managing devices in a
network. It defines a message format for communication between SNMP
managers and agents.
An SNMP agent gathers data from the SNMP MIB, which is the repository of
information about device parameters and network data. It also responds to
requests from an SNMP manager to get or set data. An SNMP agent contains
MIB variables for which values can be requested or changed by an SNMP
manager by using get or set operations.
This vulnerability affects all versions of SNMP supported on the
device--Versions 1, 2c, and 3. An attacker could exploit this vulnerability
by sending a specific SNMP packet to an affected device via IPv4 or IPv6.
Only traffic directed to the affected system can be used to exploit this
vulnerability.
To exploit this vulnerability via SNMP Version 2c or earlier, the attacker
must know the SNMP read-only community string for the affected system. A
community string is a password that is applied to a device to restrict
both read-only and read-write access to the SNMP data on the device. These
community strings, as with all passwords, should be chosen carefully to
ensure that they are not trivial. They should also be changed at regular
intervals and in accordance with network security policies. For example,
the strings should be changed when a network administrator changes roles
or leaves the organization.
To exploit this vulnerability via SNMP Version 3, the attacker must have
user credentials for the affected system.
Workarounds
o There are no workarounds that address this vulnerability.
As a mitigation for the vulnerability that is described in this advisory,
administrators can configure an access control list (ACL) on an SNMP
community. This ACL will filter incoming SNMP requests to ensure that SNMP
polling is performed only by trusted SNMP clients. In the following
example, the device will accept incoming SNMP requests only from the
trusted hosts 192.168.1.2 and 192.168.1.3:
switch# show access-list acl_for_snmp
IPV4 ACL acl_for_snmp
10 permit udp 192.168.1.2/32 192.168.1.3/32 eq snmp
To implement the preceding ACL, administrators can add it to the
snmp-server community configuration command:
switch# show running-config snmp
snmp-server community mycompany
use-acl acl_for_snmp
For additional information about configuring ACLs to filter incoming SNMP
requests, see Filtering SNMP Requests in the Cisco NX-OS configuration
guide.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license: https://www.cisco.com/c/en/us/products/
end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page, to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the
Cisco Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/
c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
In the following tables, the left column lists releases of Cisco NX-OS
Software. The right column indicates whether a release is affected by the
vulnerability described in this advisory and the first release that
includes the fix for this vulnerability.
Nexus 3000 Series Switches and 9000 Series Switches in Standalone NX-OS
Mode: CSCvj70029
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 7.0(3)I5 Not vulnerable
7.0(3)I5 Not vulnerable
7.0(3)I6 Not vulnerable
7.0(3)I7 7.0(3)I7(4)
9.2(1) Not vulnerable
Nexus 3600 Platform Switches and 9500 R-Series Line Cards and Fabric
Modules: CSCvj70029
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
7.0(3) Software Maintenance Upgrades (SMUs) 7.0(3)F3(4)
9.2(1) Not vulnerable
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy. This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Subscribe to Cisco Security Notifications
o Subscribe
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-nxos-snmp
Revision History
o
+----------+---------------------------+----------+--------+------------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+------------------+
| 1.0 | Initial public release. | - | Final | 2018-October-17 |
+----------+---------------------------+----------+--------+------------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBW8fYaWaOgq3Tt24GAQiKCg/+NKVQt/YnUCG2TvIouQhatGcYziuXENw2
sTB6Xu1IQd+5NL6ZkvZSK2mGbNoc13KxilxZas4rJ7o5DjAmesdeda81CVAOe8uU
do+1qXYFLam29R24X2xuWwptnbJvrS4magp3Q3FcMSxvn0n4mcR2zy9/trVZzoZ5
hyQFbAEw4pWGx1BaTbhWBvF+P3Uy8yI3AtPnuMxUw2u3doL/tkxGgyRArkdxzyFe
6cInQGy82K93QJuj9UOww4ZmVy+bEyv1Qi+dwHXVKlq2jdtGaU758x+vZYlXhGzc
Lt32K1mlVugJ1aE+e2SoHgXEBXbga6F/WxUMc9ljq0zace5a/dB0R5nDrSOPvKXu
MCWfRGTcIevg9uFf1tl0Y6w+Op5THZDzLzEZGDDwf60wEkuvvRpQj7ErkqVbU8ds
+Le/vDun2oTuDuuvBKmDTulQvXRZMkmcyUTX3F00XayOV2+uIsFY3AZgA6AD8W4U
V1kbKo+mCk6YDlN6K99kKxLgT3CK9dm8F8zgbZiZokZo/Ge/KwSFakVpUNl6k+9L
BPbZVUWoaFf7YR5twVkN9rgDwMFwAuyw/4w9OyYI/wEfBE2XlRQvZVFZ/TYM3k9e
p3MJAGwCqDgeMi5PAFZQ61R4NfpbAZRaj9DFeJ0BvzS1a2f7i38G7GW/wa7kUvAX
Q/d7FA5Q2Yc=
=Vgx2
-----END PGP SIGNATURE-----