ESB-2017.2630.2 - UPDATE [Cisco] Cisco Systems: Denial of service - Remote/unauthenticated 2017-11-10


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2017.2630.2
  Cisco FXOS and NX-OS System Software Authentication, Authorization, and
                Accounting Denial of Service Vulnerability
                             10 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Firepower Extensible Operating System
                   Cisco NX-OS
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3883  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-aaavty

Revision History:  November 10 2017: Brought up-to-date to Release Version 2.3
                   October  19 2017: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco FXOS and NX-OS System Software Authentication, Authorization, and
Accounting Denial of Service Vulnerability

High
Advisory ID:
cisco-sa-20171018-aaavty

First Published: 2017 October 18 16:00  GMT

Last Updated: 	 2017 November 9 19:37  GMT

Version 2.3:	 Final

Workarounds:     Yes

Cisco Bug IDs:
CSCuq58760
CSCuq71257
CSCur97432
CSCus05214
CSCux54898
CSCvb93995
CSCvc33141
CSCvd36971
CSCve03660
CSCvg41173

CVE-2017-3883
CWE-399

CVSS Score:
Base 8.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the authentication, authorization, and accounting (AAA)
    implementation of Cisco Firepower Extensible Operating System (FXOS) and
    NX-OS System Software could allow an unauthenticated, remote attacker to
    cause an affected device to reload.

    The vulnerability occurs because AAA processes prevent the NX-OS System
    Manager from receiving keepalive messages when an affected device receives
    a high rate of login attempts, such as in a brute-force login attack.
    System memory can run low on the FXOS devices under the same conditions,
    which could cause the AAA process to unexpectedly restart or cause the
    device to reload.

    An attacker could exploit this vulnerability by performing a brute-force
    login attack against a device that is configured with AAA security
    services. A successful exploit could allow the attacker to cause the
    affected device to reload.

    Cisco has released software updates that address this vulnerability. There
    are workarounds that address this vulnerability.

    Note: Previous versions of this advisory recommended upgrading the Cisco
    NX-OS Software Release and configuring the login block-for CLI command to
    prevent this vulnerability. Cisco has since become aware that the login
    block-for CLI command may not function as desired in all cases. This does
    not apply to Cisco FXOS. Please refer to the Details section for additional
    information.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20171018-aaavty

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running
    Cisco FXOS or NX-OS System Software that is configured for AAA services:
      Firepower 4100 Series Next-Generation Firewall
      Firepower 9300 Security Appliance
      Multilayer Director Switches
      Nexus 1000V Series Switches
      Nexus 1100 Series Cloud Services Platforms
      Nexus 2000 Series Switches
      Nexus 3000 Series Switches
      Nexus 3500 Platform Switches
      Nexus 3600 Platform Switches
      Nexus 5000 Series Switches
      Nexus 5500 Platform Switches
      Nexus 5600 Platform Switches
      Nexus 6000 Series Switches
      Nexus 7000 Series Switches
      Nexus 7700 Series Switches
      Nexus 9000 Series Switches in NX-OS mode
      Nexus 9500 R-Series Line Cards and Fabric Modules
      Unified Computing System (UCS) 6100 Series Fabric Interconnects
      UCS 6200 Series Fabric Interconnects
      UCS 6300 Series Fabric Interconnects
    Cisco NX-OS Software

    To determine whether a device that is running Cisco NX-OS System Software
    is configured for AAA, administrators can use the show running-config |
    include aaa command from the Cisco NX-OS CLI and verify that there are aaa
    commands configured on the device. The following example shows sample
    output from a typical NX-OS AAA configuration:

    nx-os-switch# show running-config | include aaa
    aaa group server tacacs+ <group name>
    aaa authentication login default group <group name>
    aaa authentication login console local
    aaa accounting default group <group name>

    To determine whether a device is running a vulnerable release of Cisco
    NX-OS System Software, administrators can use the show version command in
    the Cisco NX-OS CLI. The following example shows the output of that command
    for a device that is running Cisco NX-OS System Software Release 6.2(10):

        nxos-switch# show version

        Cisco Nexus Operating System (NX-OS) Software
        TAC support: http://www.cisco.com/tac
        Documents:
        http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
        Copyright (c) 2002-2015, Cisco Systems, Inc. All rights reserved.
        The copyrights to certain works contained in this software are
        owned by other third parties and used and distributed under
        license. Certain components of this software are licensed under
        the GNU General Public License (GPL) version 2.0 or the GNU
        Lesser General Public License (LGPL) Version 2.1. A copy of each
        such license is available at
        http://www.opensource.org/licenses/gpl-2.0.php and
        http://www.opensource.org/licenses/lgpl-2.1.php

        Software
          BIOS:      version 2.12.0
          kickstart: version 6.2(10)
          system:    version 6.2(10)
        .
        .
        .

    Cisco FXOS

    In Cisco FXOS, AAA authentication is configured with the scope tacacs,
    scope radius, or scope ldap CLI commands. The presence of these commands in
    the device configuration indicates that the device is vulnerable. For
    additional information about AAA configuration for FXOS-based devices,
    refer to Cisco FXOS CLI Configuration Guide.

    To determine whether a device is running a vulnerable release of Cisco
    FXOS, administrators can use the show version command in the Cisco FXOS
    CLI. The following example shows the output of that command for a device
    that is running Cisco FXOS Release 2.2(1.70) on the Firepower 4100 Series
    Next-Generation Firewall hardware platform:

        fp4100# show version
        FPRM:
            Running-Vers: 4.2(1.65)
            Package-Vers: 2.2(1.70)
            Activate-Status: Ready
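
    The two exposure checks above (NX-OS: any aaa command in the running
    configuration; FXOS: a tacacs, radius or ldap scope) and the version
    extraction from show version are easy to automate across a fleet from
    captured CLI output. The following script is an added example and is not
    Cisco's code; the sample output is constructed from the excerpts quoted in
    this advisory, the server-group name TACACS-SERVERS and the FXOS
    configuration lines are made up, and the "prior to 2.3" test for FXOS is
    taken from the Fixed Releases tables later in this advisory.

```python
import re

# Constructed sample device output, modelled on the excerpts quoted in the
# advisory; the server-group name and the FXOS configuration lines are made up.
NXOS_AAA_CONFIG = """\
aaa group server tacacs+ TACACS-SERVERS
aaa authentication login default group TACACS-SERVERS
aaa authentication login console local
aaa accounting default group TACACS-SERVERS
"""

NXOS_SHOW_VERSION = """\
Cisco Nexus Operating System (NX-OS) Software
Software
  BIOS:      version 2.12.0
  kickstart: version 6.2(10)
  system:    version 6.2(10)
"""

FXOS_AAA_CONFIG = """\
scope security
    scope tacacs
"""

FXOS_SHOW_VERSION = """\
FPRM:
    Running-Vers: 4.2(1.65)
    Package-Vers: 2.2(1.70)
    Activate-Status: Ready
"""

# The FXOS CLI commands the advisory names as indicating AAA authentication.
FXOS_AAA_SCOPES = ("scope tacacs", "scope radius", "scope ldap")


def nxos_aaa_configured(config):
    """NX-OS exposure test from the advisory: any 'aaa ...' command present."""
    return any(line.strip().startswith("aaa ") for line in config.splitlines())


def fxos_aaa_configured(config):
    """FXOS exposure test from the advisory: a tacacs, radius or ldap scope present."""
    return any(line.strip() in FXOS_AAA_SCOPES for line in config.splitlines())


def nxos_system_version(show_version):
    """Pull the 'system: version X' value out of NX-OS 'show version' output."""
    m = re.search(r"^\s*system:\s+version\s+(\S+)", show_version, re.MULTILINE)
    return m.group(1) if m else None


def fxos_package_version(show_version):
    """Pull the FXOS bundle version ('Package-Vers') out of 'show version' output."""
    m = re.search(r"Package-Vers:\s+(\S+)", show_version)
    return m.group(1) if m else None


def major_release(version):
    """Major release as a comparable tuple: '7.0(3)I6(1)' -> (7, 0)."""
    m = re.match(r"(\d+)\.(\d+)", version)
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess_nxos(config, show_version):
    """Exposure summary for an NX-OS device; compare major_release with the tables."""
    version = nxos_system_version(show_version)
    return {
        "os": "NX-OS",
        "aaa_configured": nxos_aaa_configured(config),
        "version": version,
        "major_release": major_release(version) if version else None,
    }


def assess_fxos(config, show_version):
    """Exposure summary for FXOS; the advisory's tables mark releases before 2.3 as affected."""
    version = fxos_package_version(show_version)
    major = major_release(version) if version else None
    return {
        "os": "FXOS",
        "aaa_configured": fxos_aaa_configured(config),
        "version": version,
        "major_release": major,
        "prior_to_2_3": major is not None and major < (2, 3),
    }


if __name__ == "__main__":
    print(assess_nxos(NXOS_AAA_CONFIG, NXOS_SHOW_VERSION))
    print(assess_fxos(FXOS_AAA_CONFIG, FXOS_SHOW_VERSION))
```

    Feed each function the raw text captured from the device; the major
    release tuple is what you match against the "Major Release" column of the
    Fixed Releases tables, since the full NX-OS release string (for example
    7.0(3)I6(1)) does not sort numerically.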

    Products Confirmed Not Vulnerable

    No other Cisco products are currently known to be affected by this
    vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:
      Firepower 2100 Series
      Nexus 4000 Series Switches
      Nexus 9000 Series Switches in Application Centric Infrastructure (ACI) mode
    Note: The Nexus 4000 Series Switch has entered the end-of-life phase. Refer
    to End-of-Sale and End-of-Life Announcement for the Cisco Nexus 4000 Series
    Switch Modules for IBM BladeCenter for additional information.

Details

  o Cisco NX-OS System Software

    To prevent exploitation of this vulnerability, customers should upgrade to
    a release of Cisco NX-OS System Software that supports secure login
    enhancements and configure login parameters for the software by using the
    login block-for command in the Cisco NX-OS CLI. Customers who cannot
    upgrade to or access a Cisco NX-OS System Software image that supports
    secure login enhancements should implement the workarounds described in
    this advisory.

    The following example shows how to use the login block-for command to
    configure a device to go into quiet mode for 45 seconds if three failed
    interactive attempts are made within 60 seconds:

        login block-for 45 attempts 3 within 60

    The system keyword is needed on the Cisco Nexus 3000 and 9000 Series
    Switches:

        system login block-for 45 attempts 3 within 60

    For more information about configuring login parameters and the login
    block-for command, see the Cisco Nexus 7000 Series NX-OS Security
    Configuration Guide or Cisco Nexus 9000 Series NX-OS Security Configuration
    Guide.

    This vulnerability is prevented only by configuring the login block-for CLI
    command; otherwise, the device remains vulnerable regardless of the
    software release the Cisco NX-OS platform is running.

    Update: The login block-for CLI command may not function as desired on the
    following Cisco NX-OS platforms.
      Nexus 2000 Series Switches
      Nexus 3500 Platform Switches
      Nexus 5000 Series Switches
      Nexus 5500 Platform Switches
      Nexus 5600 Platform Switches
      Nexus 6000 Series Switches
      Nexus 7000 Series Switches
      Nexus 7700 Series Switches
    For these platforms, it is recommended to not configure the login block-for
    CLI command and instead refer to the Workarounds section until fixed
    software becomes available.

    The login block-for command does work as expected on the following Cisco
    NX-OS platforms as of the first fixed release recommended in this advisory:
      Multilayer Director Switches
      Nexus 3000 Series Switches
      Nexus 3600 Platform Switches
      Nexus 9000 Series Switches in NX-OS mode
      Nexus 9500 R-Series Line Cards and Fabric Modules
      Unified Computing System (UCS) 6100 Series Fabric Interconnects
      UCS 6200 Series Fabric Interconnects
      UCS 6300 Series Fabric Interconnects
    Cisco FXOS

    On Cisco FXOS platforms, Firepower 4100 Series Next-Generation Firewall,
    and 9300 Security Appliance, the DoS condition was prevented by adding an
    internal throttling mechanism for the remote brute-force attack condition.
    This mechanism does not require users to configure it.

Indicators of Compromise

  o On both Cisco FXOS and NX-OS System Software, the AAA-related processes
    could restart and generate a core file. This indicator will be accompanied
    by many failed login attempts, indicating that a brute-force attack may be
    underway. Contact the Cisco Technical Assistance Center (TAC) to review any
    AAA-related core and system log files to determine whether the device has
    been compromised by exploitation of this vulnerability.
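
    The indicator described above is a high rate of failed logins, possibly
    followed by an AAA process restart with a core file. The detection logic
    below is an added example, not Cisco's code: it counts authentication
    failures per source address inside a sliding time window and records
    service crash messages. The syslog lines it runs over are constructed and
    only loosely modelled on NX-OS AAA and system manager messages; the exact
    message text on a real device differs between platforms and releases, so
    the regular expressions are the part to adapt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog line: "<timestamp> <host> %FACILITY-SEV-MNEMONIC: <message>"
LINE_RE = re.compile(r"^(\d{4} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (%[^:]+): (.*)$")
FAIL_RE = re.compile(r"Authentication failed .*?from (\d{1,3}(?:\.\d{1,3}){3})")
CRASH_RE = re.compile(r'Service "(\w+)" .*core will be saved')


def build_sample_log():
    """Constructed syslog sample, loosely modelled on NX-OS AAA and system
    manager messages; real message text differs between platforms/releases."""
    lines = []
    # 12 failures from one source, two seconds apart: the brute-force pattern.
    for i in range(12):
        lines.append(f"2017 Nov  9 10:00:{i * 2:02d} nxos-switch %AUTHPRIV-3-SYSTEM_MSG: "
                     f"pam_aaa:Authentication failed for user admin from 203.0.113.7 - sshd")
    # Two failures from an operator minutes apart: ordinary mistyped passwords.
    lines.append("2017 Nov  9 10:00:05 nxos-switch %AUTHPRIV-3-SYSTEM_MSG: "
                 "pam_aaa:Authentication failed for user jdoe from 198.51.100.4 - sshd")
    lines.append("2017 Nov  9 10:05:00 nxos-switch %AUTHPRIV-3-SYSTEM_MSG: "
                 "pam_aaa:Authentication failed for user jdoe from 198.51.100.4 - sshd")
    # The AAA process restarting and dumping core, the indicator the advisory names.
    lines.append('2017 Nov  9 10:00:40 nxos-switch %SYSMGR-2-SERVICE_CRASHED: '
                 'Service "aaa" (PID 1234) hasn\'t caught signal 6 (core will be saved).')
    return "\n".join(lines)


def parse_line(line):
    """Split one syslog line into (timestamp, host, facility, message) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())  # collapse the space-padded day field
    return (datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
            m.group(2), m.group(3), m.group(4))


def detect_bruteforce(log_text, threshold=10, window_seconds=60):
    """Flag sources with >= threshold failures inside a sliding window, and
    record service crashes seen in the same log."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e[0])   # syslog collectors do not guarantee order
    recent = defaultdict(deque)       # source IP -> timestamps of recent failures
    flagged = {}                      # source IP -> time the threshold was crossed
    crashes = []                      # (timestamp, service name)
    for ts, _host, _facility, msg in events:
        fm = FAIL_RE.search(msg)
        if fm:
            src = fm.group(1)
            q = recent[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()           # drop failures older than the window
            if len(q) >= threshold and src not in flagged:
                flagged[src] = ts
            continue
        cm = CRASH_RE.search(msg)
        if cm:
            crashes.append((ts, cm.group(1)))
    return {"brute_force_sources": flagged, "service_crashes": crashes}


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    result = detect_bruteforce(SAMPLE_LOG)
    for src, when in result["brute_force_sources"].items():
        print(f"possible brute force from {src}, threshold crossed at {when}")
    for when, svc in result["service_crashes"]:
        print(f"service {svc} crashed with core at {when}")
```

    On the sample, the repeated failures from 203.0.113.7 cross the default
    threshold while the two widely spaced failures from the operator address do
    not, and the aaa crash is reported separately so it can be correlated with
    the failure burst that preceded it.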

Workarounds

  o Cisco NX-OS System Software

    Configuring a vty Access Class

    On some platforms that are running Cisco NX-OS System Software, it is
    possible to limit exposure of an affected device by creating a vty
    access-control list (ACL) on the device and configuring the ACL to permit
    only known, trusted devices to connect to the device via Telnet and Secure
    Shell (SSH).

    Note:
     1. This workaround is not available on some platforms that are running
        Cisco NX-OS, and should be used only where applicable.
     2. There is no Cisco UCS workaround that addresses this vulnerability.
     3. The ACL in this example is for IPv4. This vulnerability can also be
        exploited against IPv6 interfaces. If the NX-OS device is configured
        for IPv6, the same ACL should be configured for the IPv6 address range.
    The following example shows an ACL that permits access to vtys from the
    192.168.1.0/24 netblock and the single IP address 172.16.1.2 while denying
    access from all other addresses:

        ip access-list vtyacl
          10 permit tcp 192.168.1.0/24 172.16.1.2/32

        line vty
          access-class vtyacl in

    For more information about restricting traffic to vtys, see the Cisco Nexus
    7000 Series NX-OS Security Configuration Guide. It is considered a best
    practice for an NX-OS device to have a vty ACL configured. Refer to Cisco
    Guide to Securing Cisco NX-OS Software Devices for additional information
    about hardening Cisco NX-OS devices.
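
    The Details section makes login block-for the required mitigation on some
    NX-OS platforms and warns that it may not function as desired on others,
    where the vty ACL above is the workaround instead. The audit below is an
    added example, not Cisco's code: it parses an NX-OS running configuration
    for the login block-for parameters, the ACL applied inbound under line vty,
    and whether that ACL is actually defined, then reports findings against the
    platform list from the Details section. The two configurations it checks
    are constructed, and the platform names are assumed to be passed in exactly
    as the advisory spells them.

```python
import re

# Platforms on which the advisory says login block-for may not function as
# desired; on these the advisory points to the vty ACL workaround instead.
BLOCK_FOR_UNRELIABLE = {
    "Nexus 2000", "Nexus 3500", "Nexus 5000", "Nexus 5500",
    "Nexus 5600", "Nexus 6000", "Nexus 7000", "Nexus 7700",
}

# Matches both the plain form and the 'system login block-for' form used on
# Nexus 3000/9000.
LOGIN_BLOCK_RE = re.compile(
    r"^\s*(?:system\s+)?login\s+block-for\s+(\d+)\s+attempts\s+(\d+)\s+within\s+(\d+)\s*$",
    re.MULTILINE,
)

# Constructed sample configurations (hostnames, ACL names and addresses made up).
HARDENED_N9K = """\
aaa authentication login default group TACACS-SERVERS
ip access-list vtyacl
  10 permit tcp 192.168.1.0/24 172.16.1.2/32
line vty
  access-class vtyacl in
system login block-for 45 attempts 3 within 60
"""

N7K_BLOCK_ONLY = """\
aaa authentication login default group TACACS-SERVERS
login block-for 45 attempts 3 within 60
line vty
  access-class missing-acl in
"""


def parse_login_block_for(config):
    """Return the login block-for parameters, or None if the command is absent."""
    m = LOGIN_BLOCK_RE.search(config)
    if m is None:
        return None
    return {"quiet_seconds": int(m.group(1)),
            "attempts": int(m.group(2)),
            "window_seconds": int(m.group(3))}


def vty_access_class(config):
    """Return the ACL name applied inbound under 'line vty', or None."""
    in_vty = False
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):      # a new top-level section
            in_vty = line.strip() == "line vty"
            continue
        if in_vty:
            m = re.match(r"\s*access-class\s+(\S+)\s+in\s*$", line)
            if m:
                return m.group(1)
    return None


def acl_is_defined(config, name):
    """True when an 'ip access-list <name>' block exists in the configuration."""
    pattern = r"^\s*ip access-list\s+%s\s*$" % re.escape(name)
    return re.search(pattern, config, re.MULTILINE) is not None


def audit_mitigations(config, platform):
    """List what is missing or misapplied for the given platform name."""
    findings = []
    acl = vty_access_class(config)
    if acl is None:
        findings.append("no vty access-class configured")
    elif not acl_is_defined(config, acl):
        findings.append("vty access-class %s references an undefined ACL" % acl)
    blk = parse_login_block_for(config)
    if blk is None:
        if platform not in BLOCK_FOR_UNRELIABLE:
            findings.append("login block-for not configured")
    elif platform in BLOCK_FOR_UNRELIABLE:
        findings.append("login block-for configured on %s, where the advisory "
                        "says it may not function as desired" % platform)
    return findings


if __name__ == "__main__":
    for name, cfg, platform in (("hardened", HARDENED_N9K, "Nexus 9000"),
                                ("block-only", N7K_BLOCK_ONLY, "Nexus 7000")):
        print(name, audit_mitigations(cfg, platform) or ["no findings"])
```

    The second sample shows the two mistakes worth catching together: an
    access-class that points at an ACL which was never defined, and reliance on
    login block-for on a platform the advisory lists as one where the command
    may not work as intended.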

    Cisco FXOS

    On Cisco FXOS platforms, it is possible to limit the exposure of an
    affected device by using the ip-block command to permit only known, trusted
    hosts to connect to the device via SSH. The following example shows only a
    subset of IPv4 and IPv6 hosts being permitted to connect via SSH:

    scope system
      scope services
        create ip-block 11.1.1.1 24 ssh
        create ipv6-block 2014::10:76:78:107 64 ssh
        commit-buffer

    For more information about configuring Cisco FXOS IP Access Lists see the
    "Configure the IP Access List" section of the Cisco FXOS CLI Configuration
    Guide.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: http://www.cisco.com/c/en/us/td/docs/general/warranty/
    English/EU1KEN_.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: http://www.cisco.com/en
    /US/support/tsd_cisco_worldwide_contacts.html.

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers should upgrade to an appropriate release as indicated in the
    following Cisco product tables. Please note that on the Cisco NX-OS
    platforms, this vulnerability can still be exploited unless the CLI command
    login block-for is configured. The login block-for command should be
    configured only on the NX-OS platforms that have fixed software available
    in the following tables.

    Firepower 4100 Series Next-Generation Firewall: CSCve03660

    +-----------------------------------------+---------------------------+
    | Cisco FXOS Major Release - Firepower    | First Fixed Release       |
    | 4100                                    |                           |
    +-----------------------------------------+---------------------------+
    | Prior to 2.3                            | Affected; migrate to      |
    |                                         | 2.3.1                     |
    +-----------------------------------------+---------------------------+
    | 2.3                                     | 2.3.1 (future release)    |
    +-----------------------------------------+---------------------------+

    Firepower 9300 Security Appliance: CSCve03660

    +-----------------------------------------+---------------------------+
    | Cisco FXOS Major Release - Firepower    | First Fixed Release       |
    | 9300                                    |                           |
    +-----------------------------------------+---------------------------+
    | Prior to 2.3                            | Affected; migrate to      |
    |                                         | 2.3.1                     |
    +-----------------------------------------+---------------------------+
    | 2.3                                     | 2.3.1 (future release)    |
    +-----------------------------------------+---------------------------+

    MDS 9000 Series Multilayer Director Switches: CSCvc33141

    +---------------------------+-----------------------------------------+
    | Cisco NX-OS Software      | First Fixed Release                     |
    | Major Release - MDS       |                                         |
    +---------------------------+-----------------------------------------+
    | 5.2                       | Affected; migrate to 7.3(1)DY(1)        |
    +---------------------------+-----------------------------------------+
    | 6.2                       | Affected; migrate to 7.3(1)DY(1)        |
    +---------------------------+-----------------------------------------+
    | 6.3                       | Affected; migrate to 7.3(1)DY(1)        |
    +---------------------------+-----------------------------------------+
    | 7.3                       | 7.3(1)DY(1)                             |
    +---------------------------+-----------------------------------------+
    | 8.1                       | Not vulnerable when the login block-for |
    |                           | command is configured.                  |
    +---------------------------+-----------------------------------------+
    | 8.2                       | Not vulnerable when the login block-for |
    |                           | command is configured.                  |
    +---------------------------+-----------------------------------------+

    Nexus 1000V Series Switches and Nexus 1100 Series Cloud Services Platforms:
    CSCux54898

    +--------------------------------------------------------+------------+
    | Cisco NX-OS Software Major Release - Nexus 1000V       | First      |
    | Series Switches and Nexus 1100 Series Cloud Services   | Fixed      |
    | Platforms                                              | Release    |
    +--------------------------------------------------------+------------+
    | Prior to 4.2                                           | No fix     |
    |                                                        | available  |
    +--------------------------------------------------------+------------+
    | 5.2                                                    | No fix     |
    |                                                        | available  |
    +--------------------------------------------------------+------------+

    Nexus 3000 Series Switches: CSCus05214 and CSCvb93995
     
    +-----------------------------------------+---------------------------+
    | Cisco NX-OS Software Major Release -    | First Fixed Release       |
    | Nexus 3000 Series Switches              |                           |
    +-----------------------------------------+---------------------------+
    | Prior to 6.0                            | Affected; migrate to 7.0  |
    |                                         | (3)I6(1) or later         |
    +-----------------------------------------+---------------------------+
    | 6.0                                     | 7.0(3)I6(1) or later      |
    +-----------------------------------------+---------------------------+
    | 7.0                                     | 7.0(3)I6(1) or later      |
    +-----------------------------------------+---------------------------+

    Nexus 3500 Platform Switches: CSCus05214 and CSCvb93995

    +-----------------------------------------+---------------------------+
    | Cisco NX-OS Software Major Release -    | First Fixed Release       |
    | Nexus 3500 Platform Switches            |                           |
    +-----------------------------------------+---------------------------+
    | Prior to 6.0                            | Affected; migrate to 6.0  |
    |                                         | (2)A8(8) or later         |
    +-----------------------------------------+---------------------------+
    | 6.0                                     | 6.0(2)A8(8) [Target       |
    |                                         | November 2017]            |
    +-----------------------------------------+---------------------------+

    Nexus 2000, 5000, 5500, 5600, and 6000 Series Switches: CSCuq71257 and 
    CSCvg41173

    +---------------------------------------------------+-----------------+
    | Cisco NX-OS Software Major Release - Nexus 5000   | First Fixed     |
    | Series Switches                                   | Release         |
    +---------------------------------------------------+-----------------+
    | Prior to 5.2                                      | No fix          |
    |                                                   | available       |
    +---------------------------------------------------+-----------------+
    | 5.2                                               | No fix          |
    |                                                   | available       |
    +---------------------------------------------------+-----------------+

    +------------------------------------------------+--------------------+
    | Cisco NX-OS Software Major Release - Nexus     | First Fixed        |
    | 2000, 5500, 5600, and 6000 Series Switches     | Release            |
    +------------------------------------------------+--------------------+
    | Prior to 5.2                                   | Affected; migrate  |
    |                                                | to 7.3(3)N1(1)     |
    +------------------------------------------------+--------------------+
    | 5.2                                            | Affected; migrate  |
    |                                                | to 7.3(3)N1(1)     |
    +------------------------------------------------+--------------------+
    | 6.0                                            | Affected; migrate  |
    |                                                | to 7.3(3)N1(1)     |
    +------------------------------------------------+--------------------+
    | 7.0                                            | Affected; migrate  |
    |                                                | to 7.3(3)N1(1)     |
    +------------------------------------------------+--------------------+
    | 7.1                                            | Affected; migrate  |
    |                                                | to 7.3(3)N1(1)     |
    +------------------------------------------------+--------------------+
    | 7.2                                            | Affected; migrate  |
    |                                                | to 7.3(3)N1(1)     |
    +------------------------------------------------+--------------------+
    |                                                | 7.3(3)N1(1)        |
    | 7.3                                            | [Target April      |
    |                                                | 2018]              |
    +------------------------------------------------+--------------------+

    Nexus 7000 and 7700 Series Switches:  CSCuq58760 and CSCvb93995

    +-----------------------------------+---------------------------------+
    | Cisco NX-OS Software Major        | First Fixed Release             |
    | Release - Nexus 7000 and 7700     |                                 |
    | Series Switches                   |                                 |
    +-----------------------------------+---------------------------------+
    | Prior to 5.2                      | Affected; migrate to 6.2(20)    |
    |                                   | or 7.3(2)D1(2)                  |
    +-----------------------------------+---------------------------------+
    | 5.2                               | Affected; migrate to 6.2(20)    |
    |                                   | or 7.3(2)D1(2)                  |
    +-----------------------------------+---------------------------------+
    | 6.0                               | Affected; migrate to 6.2(20)    |
    |                                   | or 7.3(2)D1(2)                  |
    +-----------------------------------+---------------------------------+
    | 6.1                               | Affected; migrate to 6.2(20)    |
    |                                   | or 7.3(2)D1(2)                  |
    +-----------------------------------+---------------------------------+
    | 6.2                               | 6.2(20) [Target November 2017]  |
    +-----------------------------------+---------------------------------+
    |                                   | Affected; migrate to 7.2(3)D1   |
    | 7.2                               | (1) [Target March 2018] or 7.3  |
    |                                   | (2)D1(2)                        |
    +-----------------------------------+---------------------------------+
    | 7.3                               | 7.3(2)D1(2) [Target November    |
    |                                   | 2017]                           |
    +-----------------------------------+---------------------------------+
    | 8.0                               | 8.0(2) [Target March 2018]      |
    +-----------------------------------+---------------------------------+
    | 8.1                               | 8.1(2) [Target January 2018]    |
    +-----------------------------------+---------------------------------+
    | 8.2                               | 8.2(2) [Target April 2018]      |
    +-----------------------------------+---------------------------------+


    Nexus 9000 Series Switches: CSCuq58760 and CSCvb93995

    +-----------------------------------------+---------------------------+
    | Cisco NX-OS Software Major Release -    | First Fixed Release       |
    | Nexus 9000 Series Switches              |                           |
    +-----------------------------------------+---------------------------+
    | 6.1                                     | Affected; migrate to 7.0  |
    |                                         | (3)I6(1) or later         |
    +-----------------------------------------+---------------------------+
    | 7.0                                     | 7.0(3)I6(1) or later      |
    +-----------------------------------------+---------------------------+

    Nexus 9500 R-Series Line Cards and Fabric Modules and Nexus 3600 Platform
    Switches: CSCuq58760

    +------------------------------------------------------+--------------+
    | Cisco NX-OS Software Major Release - Nexus 9500      | First Fixed  |
    | R-Series and Nexus 3600 Platform Switches            | Release      |
    +------------------------------------------------------+--------------+
    | 7.0                                                  | 7.0(3)F3(1)  |
    |                                                      | or later     |
    +------------------------------------------------------+--------------+

    UCS 6100, 6200, and 6300 Fabric Interconnects: CSCur97432^1

    +---------------------------+-----------------------------------------+
    | Cisco NX-OS Software      | First Fixed Release                     |
    | Major Release - UCS       |                                         |
    +---------------------------+-----------------------------------------+
    | Prior to 2.2              | Affected; migrate to 2.2(6c) or later   |
    +---------------------------+-----------------------------------------+
    | 2.2                       | 2.2(6c) or later                        |
    +---------------------------+-----------------------------------------+
    | 2.5                       | Not vulnerable when the login block-for |
    |                           | command is configured.                  |
    +---------------------------+-----------------------------------------+
    | 3.0                       | Affected; migrate to 3.1(2b) or later   |
    +---------------------------+-----------------------------------------+
    | 3.1                       | 3.1(2b) or later                        |
    +---------------------------+-----------------------------------------+
    | 3.2                       | Not vulnerable when the login block-for |
    |                           | command is configured.                  |
    +---------------------------+-----------------------------------------+

    ^1The fix for Cisco bug ID CSCur97432 for Cisco UCS 6100, 6200, and 6300
    Fabric Interconnects implemented the login block-for command. This fix was
    found to be incomplete, and brute-force attacks that occur over many hours
    could still cause a device to reset. Cisco bug ID CSCvd36971 tracks this
    remaining vulnerability, and the full fix is targeted for future software
    release 3.2(3).

    Cisco NX-OS Release Recommendations

    For additional assistance in determining the best Cisco NX-OS System
    Software release for a Cisco Nexus Switch, refer to the recommended release
    document for the switch:
      Cisco Multilayer Director Switches
      Cisco Nexus 1000V for VMware Switches
      Cisco Nexus 3000 Series and 3500 Series Switches
      Cisco Nexus 5000 Series Switches
      Cisco Nexus 5500 Platform Switches
      Cisco Nexus 6000 Series Switches
      Cisco Nexus 7000 Series Switches
      Cisco Nexus 9000 Series Switches
    To determine the best Cisco NX-OS System Software release for Cisco UCS,
    refer to the Recommended Releases documents in the release notes for the
    device.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during resolution of a Cisco TAC support case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20171018-aaavty

Revision History

  o 
    +---------+------------------------+--------------+--------+------------------+
    | Version |      Description       |   Section    | Status |       Date       |
    +---------+------------------------+--------------+--------+------------------+
    |         | Added the 3600         |              |        |                  |
    |         | platform to vulnerable | Affected     |        |                  |
    |         | products. Added target | Products,    |        |                  |
    | 2.3     | dates for some         | Details, and | Final  | 2017-November-09 |
    |         | platforms that do not  | Fixed        |        |                  |
    |         | have current code      | Software     |        |                  |
    |         | fixes.                 |              |        |                  |
    +---------+------------------------+--------------+--------+------------------+
    |         | Clarified further that |              |        |                  |
    | 2.2     | the login block-for    | Fixed        | Final  | 2017-November-03 |
    |         | command is required to | Software     |        |                  |
    |         | not be vulnerable.     |              |        |                  |
    +---------+------------------------+--------------+--------+------------------+
    |         | Added fixed software   |              |        |                  |
    |         | for N3K and N9K.       | Details and  |        |                  |
    | 2.1     | Removed the fixed      | Fixed        | Final  | 2017-November-01 |
    |         | release tables for     | Software     |        |                  |
    |         | platforms without      |              |        |                  |
    |         | fixes.                 |              |        |                  |
    +---------+------------------------+--------------+--------+------------------+
    |         | Added information      | Summary,     |        |                  |
    |         | about new bugs to      | Details, and |        |                  |
    | 2.0     | track fixes to the     | Fixed        | Final  | 2017-October-27  |
    |         | login block-for        | Software     |        |                  |
    |         | command.               |              |        |                  |
    +---------+------------------------+--------------+--------+------------------+
    |         | Added information      |              |        |                  |
    |         | about the use of the   | Details,     |        |                  |
    |         | CLI command to prevent | Workarounds, |        |                  |
    | 1.1     | the device from being  | and Fixed    | Final  | 2017-October-18  |
    |         | vulnerable. Added a    | Software     |        |                  |
    |         | workaround for Cisco   |              |        |                  |
    |         | FXOS.                  |              |        |                  |
    +---------+------------------------+--------------+--------+------------------+
    | 1.0     | Initial public         | --           | Final  | 2017-October-18  |
    |         | release.               |              |        |                  |
    +---------+------------------------+--------------+--------+------------------+

Legal Disclaimer

  o THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
