Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.0701.2
Cisco Nexus 9000 Series Switches Multiple Vulnerabilities
20 March 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Nexus 9000 Switches
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Root Compromise -- Existing Account
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-1618 CVE-2019-1617 CVE-2019-1591
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-tetra-ace
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-npv-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-aci-shell-escape
Revision History: March 20 2019: Updated cisco-sa-20190306-aci-shell-escape
March 7 2019: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco Nexus 9000 Series Switches Standalone NX-OS Mode Tetration Analytics
Agent Arbitrary Code Execution Vulnerability
Priority: High
Advisory ID: cisco-sa-20190306-tetra-ace
First Published: 2019 March 6 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvh21898
CVE-2019-1618
CWE-275
CVSS Score:
7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the Tetration Analytics agent for Cisco Nexus 9000
Series Switches in standalone NX-OS mode could allow an authenticated,
local attacker to execute arbitrary code as root .
The vulnerability is due to an incorrect permissions setting. An attacker
could exploit this vulnerability by replacing valid agent files with
malicious code. A successful exploit could result in the execution of code
supplied by the attacker.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190306-tetra-ace
This advisory is part of the March 2019 Cisco FXOS and NX-OS Software
Security Advisory Bundled Publication, which includes 25 Cisco Security
Advisories that describe 26 vulnerabilities. For a complete list of the
advisories and links to them, see Cisco Event Response: March 2019 Cisco
FXOS and NX-OS Software Security Advisory Bundled Publication .
Affected Products
o Vulnerable Products
This vulnerability affects Cisco Nexus 9000 Series Switches in standalone
NX-OS mode that are running a vulnerable release of Cisco NX-OS Software.
For information about which Cisco NX-OS Software releases are vulnerable,
see the Fixed Software section of this advisory.
Note: Only affected devices with Feature Analytics enabled are vulnerable.
To verify whether Feature Analytics is enabled, administrators can execute
the show feature CLI command. The following example shows the output of
this command on a device with this feature disabled:
N9K-A# show feature
Feature Name Instance State
-------------------- -------- --------
analytics 1 disabled
Determining the Cisco NX-OS Software Release
Administrators can check the release of Cisco NX-OS Software that is
running on a device by using the show version command in the device CLI.
The following example shows the output of this command on a device that is
running Cisco NX-OS Software Release 7.0(3)I5(1) :
nxos-switch# show version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (C) 2002-2016, Cisco and/or its affiliates.
All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under their own
licenses, such as open source. This software is provided "as is," and
unless otherwise stated, there is no warranty, express or implied,
including but not limited to warranties of merchantability and fitness
for a particular purpose. Certain components of this software are
licensed under the GNU General Public License (GPL) version 2.0 or
GNU General Public License (GPL) version 3.0 or the GNU
Lesser General Public License (LGPL) Version 2.1 or
Lesser General Public License (LGPL) Version 2.0.
A copy of each such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://opensource.org/licenses/gpl-3.0.html and
http://www.opensource.org/licenses/lgpl-2.1.php and
http://www.gnu.org/licenses/old-licenses/library.txt.
Software
BIOS: version 07.57
NXOS: version 7.0(3)I5(1) [build 7.0(3)I5(0.9)]
BIOS compile time: 06/29/2016
NXOS image file is: bootflash:///nxos.7.0.3.I5.0.9.bin
NXOS compile time: 8/1/2016 23:00:00 [08/02/2016 00:30:32]
.
.
.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Firepower 2100 Series Firewalls
Firepower 4100 Series Next-Generation Firewalls
Firepower 9300 Security Appliance
MDS 9000 Series Multilayer Switches
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 2000 Series Fabric Extenders
Nexus 3000 Series Switches
Nexus 3500 Platform Switches
Nexus 3600 Platform Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
(ACI) mode
Nexus 9500 R-Series Line Cards and Fabric Modules
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
UCS 6400 Series Fabric Interconnects
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Customers are advised to upgrade to an appropriate release as indicated in
the applicable table in this section. To help ensure a complete upgrade
solution, customers should consider that this advisory is part of a bundled
publication. The following page provides a complete list of bundle
advisories: Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software
Security Advisory Bundled Publication .
In the following tables, the left column lists releases of Cisco FXOS
Software or Cisco NX-OS Software. The center column indicates whether a
release is affected by the vulnerability described in this advisory and the
first release that includes the fix for this vulnerability. The right
column indicates whether a release is affected by all the vulnerabilities
described in this bundle and which release includes fixes for those
vulnerabilities.
Although the releases listed in the right column of each table include
fixes for the vulnerabilities, the fix related to the Cisco NX-OS Software
Image Signature Verification Vulnerability requires a BIOS upgrade as part
of the software upgrade. Customers who are upgrading the software for any
of the following products are advised to refer to this advisory for further
details about the BIOS upgrade and affected product IDs and BIOS versions:
Nexus 3000 Series Switches
Nexus 9000 Series Fabric Switches in ACI mode
Nexus 9000 Series Switches in standalone NX-OS mode
Nexus 9500 R-Series Line Cards and Fabric Modules
Nexus 9000 Series Switches in Standalone NX-OS Mode: CSCvh21898
Cisco NX-OS First Fixed Release First Fixed Release for All
Software for This Vulnerabilities Described in the Bundle
Release Vulnerability of Advisories
Prior to 7.0 Not vulnerable 7.0(3)I7(6)
(3)I4
7.0(3)I4 7.0(3)I7(5) 7.0(3)I7(6)
7.0(3)I5 7.0(3)I7(5) 7.0(3)I7(6)
7.0(3)I6 7.0(3)I7(5) 7.0(3)I7(6)
7.0(3)I7 7.0(3)I7(5) 7.0(3)I7(6)
9.2 Not vulnerable 9.2(2)
Additional Resources
For help determining the best Cisco NX-OS Software release for a Cisco
Nexus Switch, administrators can refer to the following Recommended
Releases documents. If a security advisory recommends a later release,
Cisco recommends following the advisory guidance.
Cisco MDS Series Switches
Cisco Nexus 1000V for VMware Switch
Cisco Nexus 3000 Series and 3500 Series Switches
Cisco Nexus 5000 Series Switches
Cisco Nexus 5500 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches
Cisco Nexus 9000 Series ACI-Mode Switches
For help determining the best Cisco NX-OS Software release for Cisco UCS,
refer to the Recommended Releases documents in the release notes for the
device.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software Security
Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190306-tetra-ace
Revision History
o +---------+--------------------------+---------+--------+----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+----------------+
| 1.0 | Initial public release. | - | Final | 2019-March-06 |
+---------+--------------------------+---------+--------+----------------+
===============================================================================
Cisco Nexus 9000 Series Switches Standalone NX-OS Mode Fibre Channel over
Ethernet NPV Denial of Service Vulnerability
Priority: High
Advisory ID: cisco-sa-20190306-nxos-npv-dos
First Published: 2019 March 6 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCvk44504
CVE-2019-1617
CWE-913
CVSS Score:
7.4 AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in the Fibre Channel over Ethernet (FCoE) N-port
Virtualization (NPV) protocol implementation in Cisco NX-OS Software could
allow an unauthenticated, adjacent attacker to cause a denial of service
(DoS) condition.
The vulnerability is due to an incorrect processing of FCoE packets when
the fcoe-npv feature is uninstalled. An attacker could exploit this
vulnerability by sending a stream of FCoE frames from an adjacent host to
an affected device. An exploit could allow the attacker to cause packet
amplification to occur, resulting in the saturation of interfaces and a DoS
condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190306-nxos-npv-dos
This advisory is part of the March 2019 Cisco FXOS and NX-OS Software
Security Advisory Bundled Publication, which includes 25 Cisco Security
Advisories that describe 26 vulnerabilities. For a complete list of the
advisories and links to them, see Cisco Event Response: March 2019 Cisco
FXOS and NX-OS Software Security Advisory Bundled Publication .
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they are running
a vulnerable release of Cisco NX-OS Software:
Nexus 9000 Series Switches in standalone NX-OS mode
Only the following Nexus 9000 Series PIDs are vulnerable:
N9K-C92160YC-X
N9K-C9272Q
N9K-C9236C
N9K-C93180YC-EX
N9K-X9732C-EX
N9K-C93180LC-EX
N9K-C93180YC-FX
N9K-X9736C-FX
To view the PIDs of the system, use the show inventory CLI command:
9K-A# show inventory
NAME: "Chassis", DESCR: "Nexus9000 C93128TX Chassis"
PID: N9K-C93128TX , VID: V02 , SN: SAL1822TF13
NAME: "Slot 1", DESCR: "1/10G-T Ethernet Module"
PID: N9K-C93128TX , VID: V02 , SN: SAL1822TF13
NAME: "Slot 2", DESCR: "40G Ethernet Expansion Module"
PID: N9K-M12PQ , VID: V01 , SN: SAL1910AMHD
Note: For this vulnerability to occur, all of the following conditions must
be met:
The affected devices are configured as vPC peer switches.
The fcoe-npv feature must be uninstalled.
See Details for more information.
For information about which Cisco NX-OS Software releases are vulnerable,
see the Fixed Software section of this advisory.
Determining the Cisco NX-OS Software Release
Administrators can check the release of Cisco NX-OS Software that is
running on a device by using the show version command in the device CLI.
The following example shows the output of this command on a device that is
running Cisco NX-OS Software Release 7.0(3)I5(1) :
nxos-switch# show version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (C) 2002-2016, Cisco and/or its affiliates.
All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under their own
licenses, such as open source. This software is provided "as is," and
unless otherwise stated, there is no warranty, express or implied,
including but not limited to warranties of merchantability and fitness
for a particular purpose. Certain components of this software are
licensed under the GNU General Public License (GPL) version 2.0 or
GNU General Public License (GPL) version 3.0 or the GNU
Lesser General Public License (LGPL) Version 2.1 or
Lesser General Public License (LGPL) Version 2.0.
A copy of each such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://opensource.org/licenses/gpl-3.0.html and
http://www.opensource.org/licenses/lgpl-2.1.php and
http://www.gnu.org/licenses/old-licenses/library.txt.
Software
BIOS: version 07.57
NXOS: version 7.0(3)I5(1) [build 7.0(3)I5(0.9)]
BIOS compile time: 06/29/2016
NXOS image file is: bootflash:///nxos.7.0.3.I5.0.9.bin
NXOS compile time: 8/1/2016 23:00:00 [08/02/2016 00:30:32]
.
.
.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Firepower 2100 Series
Firepower 4100 Series Next-Generation Firewall
Firepower 9300 Security Appliance
MDS 9000 Series Multilayer Switches
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 2000 Series Fabric Extenders
Nexus 3000 Series Switches
Nexus 3500 Platform Switches
Nexus 3600 Platform Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
(ACI) mode
Nexus 9500 R-Series Line Cards and Fabric Modules
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
UCS 6400 Series Fabric Interconnects
Details
o The affected devices are vulnerable when configured as outlined in the
Vulnerable Products section. The following commands will help identify
these conditions:
To verify the status of a vPC configuration, use the show vpc brief CLI
command:
9K-A# show vpc brief
Legend:
(*) - local vPC is down, forwarding via vPC peer-link
vPC domain id : 10
Peer status : peer adjacency formed ok
vPC keep-alive status : peer is alive
Configuration consistency status : success
Per-vlan consistency status : success
Type-2 inconsistency reason : Consistency Check Not Performed
vPC role : primary
Number of vPCs configured : 1
Peer Gateway : Enabled
Dual-active excluded VLANs : -
Graceful Consistency Check : Enabled
Auto-recovery status : Disabled
Delay-restore status : Timer is off.(timeout = 30s)
Delay-restore SVI status : Timer is off.(timeout = 10s)
vPC Peer-link status
---------------------------------------------------------------------
id Port Status Active vlans
-- ---- ------ --------------------------------------------------
1 Po1 up 1
vPC status
----------------------------------------------------------------------
id Port Status Consistency Reason Active vlans
-- ---- ------ ----------- ------ ------------
10 Po10 up success success 1
To verify the status of the fcoe-npv feature, use the show feature-set CLI
command:
9K-A# show feature-set
Feature Set Name ID State
-------------------- -------- --------
fex 3 uninstalled
mpls 4 uninstalled
fabric 7 uninstalled
fcoe-npv 8 uninstalled
Indicators of Compromise
o If the devices are configured as outlined in the Vulnerable Products
section, a possible indicator of compromise would be a relativity low Rx
input rate, except for the vPC peer link, coupled with a high Tx rate for
all enabled interfaces on the vPC pair of affected Nexus 9000 Series
Switches.
To see interface throughput statistics, use the show interface counter
table CLI command: (egrep -v "0.0 0.0% 0.0 0.0%", excludes interfaces with
zero statistics for Rx and Tx columns)
9K-A# sh int counter table | egrep -v "0.0 0.0% 0.0 0.0%"
Collecting and processing interface statistics ...
------------------------------------------------------------------------
Port Description Intvl Rx Mbps Rx % Tx Mbps Tx %
------------------------------------------------------------------------
Ethernet1/49 vPC_Peer_Link 30/30 36078.7 90.2% 36078.7 90.2%
Ethernet1/50/1 N/A 30/30 2.5 0.0% 9019.6 90.2%
Ethernet1/50/2 N/A 30/30 0.0 0.0% 9019.6 90.2%
port-channel36 N/A 30/30 2.5 0.0% 9019.6 90.2%
port-channel100 vPC_Peer_Link 30/30 36078.7 90.2% 36078.7 90.2%
9K-B# sh int counter table | egrep -v "0.0 0.0% 0.0 0.0%"
Collecting and processing interface statistics ...
-------------------------------------------------------------------------
Port Description Intvl Rx Mbps Rx % Tx Mbps Tx %
-------------------------------------------------------------------------
Ethernet1/49 vPC_Peer_Link 30/30 36078.3 90.2% 36078.3 90.2%
Ethernet1/50/1 N/A 30/30 0.0 0.0% 9019.6 90.2%
port-channel36 N/A 30/30 0.0 0.0% 9019.6 90.2%
port-channel100 vPC_Peer_Link 30/30 36078.3 90.2% 36078.3 90.2%
Another potential indication would be output discards. To check for output
discards, use the show interface counter errors non-zero CLI command:
9K-A# sh int counter errors non-zero
-------------------------------------------------------------------------
Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize OutDiscards
-------------------------------------------------------------------------
Eth1/49 0 0 0 0 0 426242
Eth1/50/1 0 0 0 0 0 9916163951
Eth1/50/2 0 0 0 0 0 9934560747
Po36 0 0 0 0 0 9916163951
Po100 0 0 0 0 0 426242
9K-B# sh int counter errors non-zero
-------------------------------------------------------------------------
Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize OutDiscards
-------------------------------------------------------------------------
Eth1/50/1 0 0 0 0 0 9915689573
Po36 0 0 0 0 0 9915689573
If there are any questions regarding the output of your device or the
information above, please contact Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
Customers are advised to upgrade to an appropriate release as indicated in
the applicable table in this section. To help ensure a complete upgrade
solution, customers should consider that this advisory is part of a bundled
publication. The following page provides a complete list of bundle
advisories: Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software
Security Advisory Bundled Publication .
In the following tables, the left column lists releases of Cisco FXOS
Software or Cisco NX-OS Software. The center column indicates whether a
release is affected by the vulnerability described in this advisory and the
first release that includes the fix for this vulnerability. The right
column indicates whether a release is affected by all the vulnerabilities
described in this bundle and which release includes fixes for those
vulnerabilities.
Although the releases listed in the right column of each table include
fixes for the vulnerabilities, the fix related to the Cisco NX-OS Software
Image Signature Verification Vulnerability requires a BIOS upgrade as part
of the software upgrade. Customers who are upgrading the software for any
of the following products are advised to refer to this advisory for further
details about the BIOS upgrade and affected product IDs and BIOS versions:
Nexus 3000 Series Switches
Nexus 9000 Series Fabric Switches in ACI mode
Nexus 9000 Series Switches in standalone NX-OS mode
Nexus 9500 R-Series Line Cards and Fabric Modules
Nexus 9000 Series Switches in Standalone NX-OS Mode: CSCvk44504
Cisco NX-OS First Fixed Release First Fixed Release for All
Software for This Vulnerabilities Described in the Bundle
Release Vulnerability of Advisories
Prior to 7.0 Not vulnerable 7.0(3)I7(6)
(3)I4
7.0(3)I4 Not vulnerable 7.0(3)I7(6)
7.0(3)I5 7.0(3)I7(5) 7.0(3)I7(6)
7.0(3)I6 7.0(3)I7(5) 7.0(3)I7(6)
7.0(3)I7 7.0(3)I7(5) 7.0(3)I7(6)
9.2 9.2(2) 9.2(2)
Additional Resources
For help determining the best Cisco NX-OS Software release for a Cisco
Nexus Switch, administrators can refer to the following Recommended
Releases documents. If a security advisory recommends a later release,
Cisco recommends following the advisory guidance.
Cisco MDS Series Switches
Cisco Nexus 1000V for VMware Switch
Cisco Nexus 3000 Series and 3500 Series Switches
Cisco Nexus 5000 Series Switches
Cisco Nexus 5500 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches
Cisco Nexus 9000 Series ACI-Mode Switches
For help determining the best Cisco NX-OS Software release for Cisco UCS,
refer to the Recommended Releases documents in the release notes for the
device.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during the resolution of a Cisco TAC support
case.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software Security
Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190306-nxos-npv-dos
Revision History
o +---------+--------------------------+---------+--------+----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+----------------+
| 1.0 | Initial public release. | - | Final | 2019-March-06 |
+---------+--------------------------+---------+--------+----------------+
===============================================================================
Cisco Nexus 9000 Series Fabric Switches Application Centric Infrastructure Mode
Shell Escape Vulnerability
Priority: High
Advisory ID: cisco-sa-20190306-aci-shell-escape
First Published: 2019 March 6 16:00 GMT
Last Updated: 2019 March 19 21:08 GMT
Version 1.1: Final
Workarounds: No workarounds availableCisco Bug IDs: CSCvm52063
CVE-2019-1591
CWE-264
CVSS Score:
7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o A vulnerability in a specific CLI command implementation of Cisco Nexus
9000 Series ACI Mode Switch Software could allow an authenticated, local
attacker to escape a restricted shell on an affected device.
The vulnerability is due to insufficient sanitization of user-supplied
input when issuing a specific CLI command with parameters on an affected
device. An attacker could exploit this vulnerability by authenticating to
the device CLI and issuing certain commands. A successful exploit could
allow the attacker to escape the restricted shell and execute arbitrary
commands with root -level privileges on the affected device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190306-aci-shell-escape
This advisory is part of the March 2019 Cisco FXOS and NX-OS Software
Security Advisory Bundled Publication, which includes 25 Cisco Security
Advisories that describe 26 vulnerabilities. For a complete list of the
advisories and links to them, see Cisco Event Response: March 2019 Cisco
FXOS and NX-OS Software Security Advisory Bundled Publication .
Affected Products
o Vulnerable Products
This vulnerability only affects Cisco Nexus 9000 Series ACI Mode Switches
that are running a release prior to 13.2(4d).
Determining the Cisco NX-OS Software Release
Administrators can determine the release of Cisco NX-OS Software running on
a device by using the show version command in the device CLI. The following
example identifies the 11.2(2) Release:
nxos-n9k-aci# show version
Cisco Nexus Operating System (NX-OS) Software
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and http://www.opensource.org/licenses/lgpl-2.1.php
Software
BIOS: version N/A
kickstart: version 11.2(2) [build 11.2(1.184)]
system: version 11.2(2) [build 11.2(1.184)]
.
.
.
Determining the Cisco Application Policy Infrastructure Controller Software
Release
There is a one-to-one mapping between the software for Cisco Application
Policy Infrastructure Controller (APIC) and Cisco Nexus 9000 Series Fabric
Switches in ACI mode. To determine which Cisco APIC Software release is
running on a device, administrators can disregard the leftmost digit of the
Cisco NX-OS Software version number. In the preceding example, the output
shows Cisco NX-OS Software version 11.2(2) , which maps to Cisco APIC
Software Release 1.2(2) .
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has determined that this vulnerability does not affect the following
Cisco products:
Firepower 2100 Series Firewalls
Firepower 4100 Series Next-Generation Firewalls
Firepower 9300 Security Appliance
MDS 9000 Series Multilayer Director Switches
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 2000 Series Fabric Extenders
Nexus 3000 Series Switches
Nexus 3500 Platform Switches
Nexus 3600 Platform Switches
Nexus 5000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Switches in standalone NX-OS mode
Nexus 9500 R-Series Line Cards and Fabric Modules
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
UCS 6400 Series Fabric Interconnects
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
This vulnerability is fixed in Cisco Nexus 9000 Series ACI Mode Switch
Software Releases 13.2(4d) and later.
The recommended action for all Cisco customers running a device with an
affected version is to upgrade to the latest maintenance or latest
long-lived version. Cisco suggests that customers visit the following page
to determine what fixed release to choose: https://www.cisco.com/c/en/us/td
/docs/switches/datacenter/aci/apic/sw/recommended-release/
b_Recommended_Cisco_ACI_Releases.html .
Additional Resources
For help determining the best Cisco NX-OS Software release for a Cisco
Nexus Switch, administrators can refer to the following Recommended
Releases documents. If a security advisory recommends a later release,
Cisco recommends following the advisory guidance.
Cisco MDS Series Switches
Cisco Nexus 1000V for VMware Switch
Cisco Nexus 3000 Series and 3500 Series Switches
Cisco Nexus 5000 Series Switches
Cisco Nexus 5500 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches
Cisco Nexus 9000 Series ACI-Mode Switches
For help determining the best Cisco NX-OS Software release for Cisco UCS,
refer to the Recommended Releases documents in the release notes for the
device.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Cisco would like to thank Nicolas Biscos and Gaetan Ferry from Synacktiv
for reporting this vulnerability.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
Related to This Advisory
o Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software Security
Advisory Bundled Publication
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190306-aci-shell-escape
Revision History
o +---------+-------------------+------------------+--------+---------------+
| Version | Description | Section | Status | Date |
+---------+-------------------+------------------+--------+---------------+
| | Updated first | Vulnerable | | |
| 1.1 | fixed software | Products, Fixed | Final | 2019-March-19 |
| | release. | Software | | |
+---------+-------------------+------------------+--------+---------------+
| 1.0 | Initial public | - | Final | 2019-March-06 |
| | release. | | | |
+---------+-------------------+------------------+--------+---------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXJG7AGaOgq3Tt24GAQgP6Q//cqzftoaGxQCL97Gzr/b48dGkGBCL4Cq2
0I/M+DeEs1V+dk8YyHxqvvYDAA9BHulIK/nA8Dr5X4BzeM22IcLH4MUzay3tNG38
r/SDwG7zmbxadYaR2qAAJVD/ULYWuVq8BgQWwqjkZuR/fzKvU6eA9FebK/BCIlL3
rxDbCWsowLz2abzn7jfFV4P74NUrTHI4BzJVc9FwS4xhYnidjgodiuqeVSKUrmLZ
uVe086JJkxLC+NrLmRz4Firm8/t3IZg3tgleo+uBu9QZgfF3E5pScYQujk5o1rwV
Lwu7Dj4ZEiKUy4+pp/nMUT6vnZgx+agT2G/HXHKAlXXEKG/NQg6A1D2RjIwVvgdk
WdiPI2MJ7MyNAxfO0Dpj9bhObsqj1FmKYqteYEnzEA4/PswMrYLK8pOIv63k/FME
+snUaUx/vz0D+K8B3oCZWy0GxwFGErhOzGBVgMU0pEfd+IX4OLTKejXaIxQkXU8g
ZpB3Rp8Qi06l3Z7cUqjlLBSPTU35OdzKeXUBQRG8Q8278Sl52Ovkfn6CIAfGZnDP
zWOHF0iSnnPDXWLVOs4zW0GpMXSq5EXYw27sIEa9eELi1xWL+U3pqD5cCqf46pt8
FPmjxu1DIz1oDMyp0VyTiLkGnuZtJr5juNu0SCVf4BwPumukhBnMKvPW3RTHKTsY
qq/iwQykVjc=
=Etsq
-----END PGP SIGNATURE-----