ESB-2018.0193.2 - UPDATE [Cisco] Cisco NX-OS Software: Multiple vulnerabilities 2018-01-22


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.0193.2
   Multiple vulnerabilities have been identified in Cisco NX-OS Software
                              22 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco NX-OS Software
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service   -- Remote/Unauthenticated
                   Unauthorised Access -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0102 CVE-2018-0092 CVE-2018-0090

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nx-os

Comment: This bulletin contains three (3) Cisco Systems security advisories.

Revision History:  January 22 2018: Nexus 9000 Series Switches in standalone NX-OS mode moved 
                                    from vulnerable to not vulnerable product list.
                   January 18 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Security Advisory

Cisco NX-OS System Software Unauthorized User Account Deletion Vulnerability

Medium

Advisory ID: cisco-sa-20180117-nxos1

First Published: 2018 January 17 16:00 GMT

Version 1.0: Final

Workarounds: No workarounds available

Cisco Bug IDs:

CSCvg21120

CVSS Score:

Base 6.1

Base 6.1 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L/E:X/RL:X/RC:X

CVE-2018-0092

CWE-264

Summary

A vulnerability in the network-operator user role implementation for Cisco 
NX-OS System Software could allow an authenticated, local attacker to 
improperly delete valid user accounts. The network-operator role should not be
able to delete other configured users on the device.

The vulnerability is due to a lack of proper role-based access control (RBAC)
checks for the actions that a user with the network-operator role is allowed 
to perform. An attacker could exploit this vulnerability by authenticating to
the device with user credentials that give that user the network-operator 
role. Successful exploitation could allow the attacker to impact the integrity
of the device by deleting configured user credentials. The attacker would need
valid user credentials for the device.

There are no workarounds that address this vulnerability.
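Because no workaround exists for CVE-2018-0092, the practical interim control is to watch command accounting for user-deletion commands issued by accounts that only hold the network-operator role. The following script is an added example, not Cisco's code or anything from the advisory: it parses constructed log lines whose field layout approximates NX-OS `show accounting log` output (timestamp, `type=`, `id=`, `user=`, `cmd=` with a trailing `(SUCCESS)`/`(FAILURE)` status; treat that layout as an assumption), maps usernames to roles as one would build the map from `show user-account`, and reports `no username <name>` commands run by non-administrative roles, including failed attempts, which are still worth reviewing.

```python
import re

# Constructed sample lines (assumption: the field layout approximates NX-OS
# "show accounting log"; adjust LINE_RE to the exact output of your platform).
SAMPLE_LOG = """\
Mon Jan 22 09:12:01 2018:type=start:id=10.0.0.7@pts/0:user=netop1:cmd=
Mon Jan 22 09:12:40 2018:type=update:id=10.0.0.7@pts/0:user=netop1:cmd=configure terminal ; no username auditor (SUCCESS)
Mon Jan 22 09:13:02 2018:type=update:id=10.0.0.7@pts/0:user=netop1:cmd=show running-config (SUCCESS)
Mon Jan 22 10:05:15 2018:type=update:id=console0:user=admin:cmd=configure terminal ; no username tempuser (SUCCESS)
Mon Jan 22 10:06:00 2018:type=update:id=10.0.0.9@pts/1:user=netop2:cmd=configure terminal ; no username ops (FAILURE)
"""

# Constructed role map (hypothetical account names), as one would build it
# from "show user-account" on the device.
ROLE_OF = {
    "admin": "network-admin",
    "netop1": "network-operator",
    "netop2": "network-operator",
}

LINE_RE = re.compile(
    r"^(?P<ts>.+?):type=(?P<type>[^:]+):id=(?P<id>[^:]*):user=(?P<user>[^:]*):cmd=(?P<cmd>.*)$"
)
# Account deletion in NX-OS config mode is "no username <name>"; the cmd field may
# chain several commands separated by " ; ".
DELETE_RE = re.compile(r"(?:^|;\s*)no username\s+(\S+)")
STATUS_RE = re.compile(r"\((SUCCESS|FAILURE)\)\s*$")


def parse_line(line):
    """Split one accounting record into fields; return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    status = STATUS_RE.search(rec["cmd"])
    rec["status"] = status.group(1) if status else None
    rec["cmd"] = STATUS_RE.sub("", rec["cmd"]).strip()
    return rec


def find_unauthorized_deletions(log_text, role_of, allowed_roles=("network-admin",)):
    """Return user-deletion events executed by accounts whose role should not manage users.

    Accounts missing from role_of are treated as role "unknown" and therefore flagged.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["type"] != "update":
            continue
        role = role_of.get(rec["user"], "unknown")
        if role in allowed_roles:
            continue
        for deleted in DELETE_RE.findall(rec["cmd"]):
            hits.append({
                "ts": rec["ts"],
                "actor": rec["user"],
                "role": role,
                "source": rec["id"],
                "deleted": deleted,
                "status": rec["status"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_unauthorized_deletions(SAMPLE_LOG, ROLE_OF):
        print(f'{hit["ts"]} {hit["actor"]} ({hit["role"]}) from {hit["source"]} '
              f'deleted {hit["deleted"]}: {hit["status"]}')
```

On an unpatched device the first flagged line shows the advisory's integrity impact (a network-operator account successfully removing another user); on a fixed device the same command is expected to fail, so a `FAILURE` hit from a network-operator account is the signal that someone is probing the role boundary.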

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1

Affected Products

Vulnerable Products

This vulnerability affects the following Cisco products running Cisco NX-OS 
System Software:

Nexus 3000 Series Switches

Nexus 3600 Platform Switches

Nexus 9000 Series Switches in standalone NX-OS mode

Nexus 9500 R-Series Line Cards and Fabric Modules

For information about affected software releases, consult the Cisco bug ID(s)
at the top of this advisory.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this 
vulnerability.

The following Cisco products are not affected by this vulnerability:

Firepower 2100 Series

Firepower 4100 Series Next-Generation Firewall

Firepower 9300 Security Appliance

Multilayer Director Switches

Nexus 1000V Series Switches

Nexus 1100 Series Cloud Services Platforms

Nexus 2000 Series Switches

Nexus 3500 Platform Switches

Nexus 5500 Platform Switches

Nexus 5600 Platform Switches

Nexus 6000 Series Switches

Nexus 7000 Series Switches

Nexus 7700 Series Switches

Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI)
mode

Unified Computing System (UCS) 6100 Series Fabric Interconnects

UCS 6200 Series Fabric Interconnects

UCS 6300 Series Fabric Interconnects

Workarounds

There are no workarounds that address this vulnerability.

Fixed Software

For information about fixed software releases, consult the Cisco bug ID(s) at
the top of this advisory.

When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade 
solution.

In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software 
configurations will continue to be supported properly by the new release. If 
the information is not clear, customers are advised to contact the Cisco 
Technical Assistance Center (TAC) or their contracted maintenance providers.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerability that is described 
in this advisory.

Source

This vulnerability was found during resolution of a Cisco TAC support case.

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos1

Revision History

    +---------+-------------------------+--------------+--------+-----------------+
    | Version |       Description       |   Section    | Status |      Date       |
    +---------+-------------------------+--------------+--------+-----------------+
    | 1.0     | Initial public release. | --           | Final  | 2018-January-17 |
    +---------+-------------------------+--------------+--------+-----------------+

LEGAL DISCLAIMER

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF 
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO 
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the 
distribution URL is an uncontrolled copy and may lack important information or
contain factual errors. The information in this document is intended for end 
users of Cisco products.

- ---

Cisco Security Advisory

Cisco NX-OS System Software Management Interface Denial of Service
Vulnerability

Medium
Advisory ID:
cisco-sa-20180117-nxos
First Published:
2018 January 17 16:00 GMT
Last Updated:
2018 January 19 21:29 GMT
Version 1.1:
Final
Workarounds:
No workarounds available
Cisco Bug IDs:
CSCvf31132
CVE-2018-0090
CWE-20
CVSS Score:
Base 5.3
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:X


Summary

  o A vulnerability in management interface access control list (ACL)
    configuration of Cisco NX-OS System Software could allow an
    unauthenticated, remote attacker to bypass configured ACLs on the
    management interface. This could allow traffic to be forwarded to the NX-OS
    CPU for processing, leading to high CPU utilization and a denial of service
    (DoS) condition.

    The vulnerability is due to a bad code fix in the 7.3.2 code train that
    could allow traffic to the management interface to be misclassified and not
    match the proper configured ACLs. An attacker could exploit this
    vulnerability by sending crafted traffic to the management interface. An
    exploit could allow the attacker to bypass the configured management
    interface ACLs and impact the CPU of the targeted device, resulting in a
    DoS condition.

    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products running Cisco NX-OS
    System Software:
       Multilayer Director Switches
       Nexus 2000 Series Switches
       Nexus 3000 Series Switches
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 7000 Series Switches
       Nexus 7700 Series Switches
    For information about affected software releases, consult the Cisco bug
    ID(s) at the top of this advisory.

    Products Confirmed Not Vulnerable

    No other Cisco products are currently known to be affected by this
    vulnerability.

    The following Cisco products are not affected by this vulnerability:
       Firepower 2100 Series
       Firepower 4100 Series Next-Generation Firewall
       Firepower 9300 Security Appliance
       Nexus 1000V Series Switches
       Nexus 1100 Series Cloud Services Platforms
       Nexus 3500 Platform Switches
       Nexus 3600 Platform Switches
       Nexus 9000 Series Switches in standalone NX-OS mode
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode
       Nexus 9500 R-Series Line Cards and Fabric Modules
       Unified Computing System (UCS) 6100 Series Fabric Interconnects
       UCS 6200 Series Fabric Interconnects
       UCS 6300 Series Fabric Interconnects

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o For information about fixed software releases, consult the Cisco bug ID(s)
    at the top of this advisory.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during resolution of a Cisco TAC support case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nxos

Revision History

  o
    +---------+-------------------------+--------------+--------+-----------------+
    | Version |       Description       |   Section    | Status |      Date       |
    +---------+-------------------------+--------------+--------+-----------------+
    |         | Nexus 9000 Series       | Vulnerable   |        |                 |
    |         | Switches in standalone  | Products,    |        |                 |
    | 1.1     | NX-OS mode moved from   | Products     | Final  | 2018-January-19 |
    |         | vulnerable to not       | Confirmed    |        |                 |
    |         | vulnerable product      | Not          |        |                 |
    |         | list.                   | Vulnerable   |        |                 |
    +---------+-------------------------+--------------+--------+-----------------+
    | 1.0     | Initial public release. | --           | Final  | 2018-January-17 |
    +---------+-------------------------+--------------+--------+-----------------+

Legal Disclaimer

  o THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
    OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR
    FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT
    OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES
    THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A standalone copy or paraphrase of the text of this document that omits the
    distribution URL is an uncontrolled copy and may lack important information
    or contain factual errors. The information in this document is intended for
    end users of Cisco products.

- ---

Cisco Security Advisory

Cisco NX-OS Software Pong Packet Denial of Service Vulnerability

High

Advisory ID: cisco-sa-20180117-nx-os

First Published: 2018 January 17 16:00 GMT

Version 1.0: Final

Workarounds: No workarounds available

Cisco Bug IDs:

CSCuv98660

CVSS Score:

Base 7.4

Base 7.4 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

CVE-2018-0102

CWE-399

Summary

A vulnerability in the Pong tool of Cisco NX-OS Software could allow an 
unauthenticated, adjacent attacker to cause a reload of an affected device, 
resulting in a denial of service (DoS) condition.

The vulnerability exists because the affected software attempts to free the 
same area of memory twice. An attacker could exploit this vulnerability by 
sending a pong request to an affected device from a location on the network 
that causes the pong reply packet to egress both a FabricPath port and a 
non-FabricPath port. An exploit could allow the attacker to cause a dual or 
quad supervisor virtual port-channel (vPC) to reload.

Note: This vulnerability is exploitable only when all of the following are 
true:

The Pong tool is enabled on an affected device. The Pong tool is disabled in 
NX-OS by default.

The FabricPath feature is enabled on an affected device. The FabricPath 
feature is disabled in NX-OS by default.

A FabricPath port is actively monitored via a Switched Port Analyzer (SPAN) 
session. SPAN sessions are not configured or enabled in NX-OS by default.

Cisco has released software updates that address this vulnerability. There are
no workarounds that address this vulnerability.

This advisory is available at the following link:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nx-os

Affected Products

Vulnerable Products

This vulnerability affects the following products when running Cisco NX-OS 
Software Release 7.2(1)D(1), 7.2(2)D1(1), or 7.2(2)D1(2) with both the Pong 
and FabricPath features enabled and the FabricPath port is actively monitored
via a SPAN session:

Cisco Nexus 7000 Series Switches

Cisco Nexus 7700 Series Switches

To determine whether a device is running a vulnerable release of Cisco NX-OS 
Software, administrators can use the show version command in the NX-OS 
command-line interface (CLI).

The following example shows the output of the show version command for a Cisco
Nexus 7000 Series Switch running Cisco NX-OS Software Release 7.2(2)D1(2):

Nexus# show version
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Documents: http://www.cisco.com/en/US/products/ps9372/tsd_products_support_series_home.html
Copyright (c) 2002-2016, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php

Software
  BIOS: version 2.12.0
  kickstart: version 7.2(2)D1(2)
  system: version 7.2(2)D1(2)

To determine whether a device has the Pong tool enabled, administrators can 
use the show running-config | include "feature pong" command in the NX-OS CLI.
The following example shows the output of this command for a Cisco Nexus 7000
Series Switch that has the Pong tool enabled (if this command returns empty 
output, the Pong tool is not enabled):

Nexus# show running-config | include "feature pong"
feature pong

To determine whether a device has the FabricPath feature enabled, 
administrators can use the show running-config | include "feature-set 
fabricpath" command in the NX-OS CLI. The following example shows the output 
of this command for a Cisco Nexus 7000 Series Switch that has the FabricPath 
feature enabled (if this command returns empty output, the FabricPath feature
is not enabled):

Nexus# show running-config | include "feature-set fabricpath"
feature-set fabricpath

To determine whether a device has a SPAN session configured, administrators 
can use the show running-config monitor command in NX-OS CLI. The following 
example shows the output of this command for a Cisco Nexus 7000 Series Switch
that has a SPAN session monitoring interface Ethernet 1/10 configured and 
enabled (if this command returns empty output, no SPAN session is configured):

Nexus# show running-config monitor

!Command: show running-config monitor
!Time: Mon Oct 9 12:04:52 2017

version 7.2(2)D1(2)

monitor session 1
  source interface Ethernet1/10 both
  destination interface Ethernet1/12 no shut
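The three checks above (affected release, Pong and FabricPath enabled, a SPAN session monitoring a FabricPath port) are the full precondition set for CVE-2018-0102, and they are easy to get wrong when assessed by eye across a fleet. The script below is an added example, not Cisco's tooling: it takes the text of `show version`, `show running-config` and `show running-config monitor` collected from a device (constructed samples modelled on the advisory's output are embedded), checks each precondition, and returns a verdict code. Whether a SPAN source port is a FabricPath port cannot be read from these three outputs alone, so the caller may pass the device's FabricPath port list (an assumption about how the operator gathers it); without it the script reports that the SPAN source still needs that manual check rather than declaring the device safe.

```python
import re

# Releases the advisory lists as vulnerable when all preconditions are met.
AFFECTED_RELEASES = {"7.2(1)D(1)", "7.2(2)D1(1)", "7.2(2)D1(2)"}

# Constructed sample outputs, trimmed to the lines the checks use.
SHOW_VERSION = """\
Cisco Nexus Operating System (NX-OS) Software
Software
  BIOS: version 2.12.0
  kickstart: version 7.2(2)D1(2)
  system: version 7.2(2)D1(2)
"""

RUNNING_CONFIG = """\
version 7.2(2)D1(2)
feature-set fabricpath
feature pong
feature interface-vlan
"""

# Session state may print as a trailing "no shut" or as its own line; both are handled.
SHOW_MONITOR = """\
!Command: show running-config monitor
version 7.2(2)D1(2)
monitor session 1
  source interface Ethernet1/10 both
  destination interface Ethernet1/12
  no shut
"""


def system_version(show_version_text):
    """Extract the running system image version from 'show version'."""
    m = re.search(r"^\s*system:\s+version\s+(\S+)", show_version_text, re.MULTILINE)
    return m.group(1) if m else None


def feature_enabled(running_config_text, stanza):
    """True if the exact stanza ('feature pong', 'feature-set fabricpath') is present."""
    return any(line.strip() == stanza for line in running_config_text.splitlines())


def span_sessions(show_monitor_text):
    """Map session id -> {'sources': [interfaces], 'enabled': bool}."""
    sessions, current = {}, None
    for raw in show_monitor_text.splitlines():
        line = raw.strip()
        m = re.match(r"monitor session (\d+)", line)
        if m:
            current = sessions.setdefault(m.group(1), {"sources": [], "enabled": False})
            continue
        if current is None:
            continue
        m = re.match(r"source interface (\S+)", line)
        if m:
            current["sources"].append(m.group(1))
        if line.endswith("no shut"):
            current["enabled"] = True
    return sessions


def assess(show_version_text, running_config_text, show_monitor_text, fabricpath_ports=None):
    """Combine the advisory's preconditions into one verdict code."""
    version = system_version(show_version_text)
    sessions = span_sessions(show_monitor_text)
    monitored = {p for s in sessions.values() if s["enabled"] for p in s["sources"]}
    result = {
        "version": version,
        "affected_release": version in AFFECTED_RELEASES,
        "pong": feature_enabled(running_config_text, "feature pong"),
        "fabricpath": feature_enabled(running_config_text, "feature-set fabricpath"),
        "monitored_ports": sorted(monitored),
    }
    if not result["affected_release"]:
        result["verdict"] = "NOT_AFFECTED_RELEASE"
    elif not (result["pong"] and result["fabricpath"] and monitored):
        result["verdict"] = "PRECONDITIONS_NOT_MET"
    elif fabricpath_ports is None:
        # Cannot tell from these outputs whether a SPAN source is a FabricPath port.
        result["verdict"] = "VERIFY_SPAN_SOURCE"
    elif monitored & set(fabricpath_ports):
        result["verdict"] = "EXPOSED"
    else:
        result["verdict"] = "SPAN_NOT_ON_FABRICPATH"
    return result


if __name__ == "__main__":
    print(assess(SHOW_VERSION, RUNNING_CONFIG, SHOW_MONITOR, fabricpath_ports=("Ethernet1/10",)))
```

A device on 7.3(0)D1(1) or later short-circuits to `NOT_AFFECTED_RELEASE` regardless of features, matching the advisory's fixed-release statement; a device with Pong disabled or no enabled SPAN session on an affected release reports `PRECONDITIONS_NOT_MET`, which is a reason to schedule the upgrade, not to skip it.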

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by this 
vulnerability.

Cisco has confirmed that this vulnerability does not affect Cisco NX-OS 
Software Releases 7.2(0)D1(1) and earlier.

Cisco has confirmed that this vulnerability does not affect Cisco Multilayer 
Director Switches as the affected NX-OS releases are not available for this 
platform.

Details

The Pong tool utilizes synchronized clocks on the network to measure real-time
latency. Latency is the delay of the network between any two points as seen by
a frame traveling between the two points. Pong measures port-to-port delays 
and is similar to the network-monitoring utility Ping but provides for a 
greater depth of network diagnostics.

Indicators of Compromise

Exploitation of this vulnerability will cause an affected device to reload and
generate a pong core file. Contact the Cisco Technical Assistance Center (TAC)
to review the core file and determine whether the device has been compromised
by exploitation of this vulnerability.

Workarounds

There are no workarounds that address this vulnerability.

Fixed Software

Cisco has released free software updates that address the vulnerability 
described in this advisory. Customers may only install and expect support for
software versions and feature sets for which they have purchased a license. By
installing, downloading, accessing, or otherwise using such software upgrades,
customers agree to follow the terms of the Cisco software license:

https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Additionally, customers may only download software for which they have a valid
license, procured from Cisco directly, or through a Cisco authorized reseller
or partner. In most cases this will be a maintenance upgrade to software that
was previously purchased. Free security software updates do not entitle 
customers to a new software license, additional software feature sets, or 
major revision upgrades.

When considering software upgrades, customers are advised to regularly consult
the advisories for Cisco products, which are available from the Cisco Security
Advisories and Alerts page, to determine exposure and a complete upgrade 
solution.

In all cases, customers should ensure that the devices to be upgraded contain
sufficient memory and confirm that current hardware and software 
configurations will continue to be supported properly by the new release. If 
the information is not clear, customers are advised to contact the Cisco 
Technical Assistance Center (TAC) or their contracted maintenance providers.

Customers Without Service Contracts

Customers who purchase directly from Cisco but do not hold a Cisco service 
contract and customers who make purchases through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale should 
obtain upgrades by contacting the Cisco TAC:

https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Customers should have the product serial number available and be prepared to 
provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases

This vulnerability is fixed in Cisco NX-OS Software Releases 7.3(0)D1(1) and 
later.

The software can be downloaded from the Software Center on Cisco.com by 
navigating to Products > Switches > Data Center Switches > Nexus 7000 Series 
Switches.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any
public announcements or malicious use of the vulnerability that is described 
in this advisory.

Source

This vulnerability was found during the resolution of a Cisco TAC support 
case.

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180117-nx-os

Revision History

    +---------+-------------------------+--------------+--------+-----------------+
    | Version |       Description       |   Section    | Status |      Date       |
    +---------+-------------------------+--------------+--------+-----------------+
    | 1.0     | Initial public release. | --           | Final  | 2018-January-17 |
    +---------+-------------------------+--------------+--------+-----------------+


LEGAL DISCLAIMER

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF 
GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS
LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO 
CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the 
distribution URL is an uncontrolled copy and may lack important information or
contain factual errors. The information in this document is intended for end 
users of Cisco products.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWmU1bIx+lLeg9Ub1AQgjKA//ZTfuoMrLRTemQm/6JtFeV9+d8Hq9wfMK
U3Blo7uUgzn/kzGGY1jrSnLsC/06LfTKcx8Yn5yYO7kG5WY9u46cujzvDlJh3lGi
mR+tHP4Yx7iGGGMz/YTGWmk+KlEUg34+xa2oOg8ph+7ZkLhpONbfJiwN6Is6hzbJ
1QlmuZAlRHhoPe2rqECax/Swkv1YkOOfIzEHp3MA+eMlk3PZXPnZNUqgJVKUKfxg
xK9ffEG1wZpZIEQRvO9DZu60HEkRL7PCLB22Eh9iuUicZ/0xWRoXU86gDo43y+Vh
Dbas9lpPzObopInaB5eW5PYYwPe7b/0OheCBVLrtbn0s788gBow9IIwaGrwdSw06
o6X20IusDm8A9d/+tMlYz6j1H27/oHY5C3ev4cQ+lAcSd/+r0TKz5s1XhJJPlO3O
3EXEyPBjymSl5dAw7LHBuAiHhx86uR56bYqV/PB/ZOve8ZRXSXxzCxF9aYBf2AqL
WrD62BhdyukkeRxybtxGcTveRXZCfdDXW73P+hs8DH2lH98q4hEUAZ3WRp+zphDQ
jjHdH4s5QcuRVoWmzkUyiSC4wSuBxLuxEV5tcdN+Jv3ShsLigYaB/QTXMlHs1Yw+
Gji1DvuNWFRTeFGvgDVphWpWWOKi668VJelDgHVPa2/Tm/wpDs0fLEZAfGcwbvhh
CAIiYsM3yyk=
=ydo3
-----END PGP SIGNATURE-----
