
             AUSCERT External Security Bulletin Redistribution

       Cisco NX-OS Software Authenticated Simple Network Management
                 Protocol Denial of Service Vulnerability
                              18 October 2018


        AusCERT Security Bulletin Summary

Product:           Cisco NX-OS Software
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0456  

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco NX-OS Software Authenticated Simple Network Management Protocol Denial of
Service Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20181017-nxos-snmp

First Published: 2018 October 17 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvj70029



CVSS Score:


  o A vulnerability in the Simple Network Management Protocol (SNMP) input
    packet processor of Cisco NX-OS Software could allow an authenticated,
    remote attacker to cause the SNMP application of an affected device to
    restart unexpectedly.

    The vulnerability is due to improper validation of SNMP protocol data
    units (PDUs) in SNMP packets. An attacker could exploit this vulnerability
    by sending a crafted SNMP packet to an affected device. A successful
    exploit could allow the attacker to cause the SNMP application to restart
    multiple times, leading to a system-level restart and a denial of service
    (DoS) condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are
    running a vulnerable release of Cisco NX-OS Software:

       Nexus 3000 Series Switches
       Nexus 3600 Platform Switches
       Nexus 9000 Series Switches in standalone NX-OS mode
       Nexus 9500 R-Series Line Cards and Fabric Modules

    The only vulnerable software release for Nexus 3000 Series Switches and
    for Nexus 9000 Series Switches in standalone NX-OS mode is 7.0(3)I7(3).

    The only vulnerable software release for Nexus 3600 Platform Switches and
    Nexus 9500 R-Series Line Cards and Fabric Modules is 7.0(3)F3(4).

    Refer to the Fixed Software section of this security advisory for more
    information about affected releases.

    Determining the Status of SNMP

    Administrators can determine whether SNMP is running on a device by using
    the show running-config snmp command in the device CLI. If the command
    returns output, SNMP is configured.

        nxos-switch# show running-config snmp
        snmp-server user admin network-admin auth md5 ***** priv ***** localizedkey
        snmp-server community community-string group network-admin

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Firepower 2100 Series
       Firepower 4100 Series Next-Generation Firewall
       Firepower 9300 Security Appliance
       MDS 9000 Series Multilayer Switches
       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 2000 Series Switches
       Nexus 3500 Platform Switches
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 7000 Series Switches
       Nexus 7700 Series Switches
       Nexus 9000 Series Fabric Switches in Application Centric
        Infrastructure (ACI) mode
       Unified Computing System (UCS) 6100 Series Fabric Interconnects
       UCS 6200 Series Fabric Interconnects
       UCS 6300 Series Fabric Interconnects
       UCS 6400 Series Fabric Interconnects


Details

  o SNMP is an application-layer protocol that provides a standardized
    framework and a common language for monitoring and managing devices in a
    network. It defines a message format for communication between SNMP
    managers and agents.

    An SNMP agent gathers data from the SNMP MIB, which is the repository of
    information about device parameters and network data. It also responds to
    requests from an SNMP manager to get or set data. An SNMP agent contains
    MIB variables for which values can be requested or changed by an SNMP
    manager by using get or set operations.

    This vulnerability affects all versions of SNMP supported on the
    device--Versions 1, 2c, and 3. An attacker could exploit this vulnerability
    by sending a specific SNMP packet to an affected device via IPv4 or IPv6.
    Only traffic directed to the affected system can be used to exploit this

    To exploit this vulnerability via SNMP Version 2c or earlier, the attacker
    must know the SNMP read-only community string for the affected system. A
    community string is a password that is applied to a device to restrict
    both read-only and read-write access to the SNMP data on the device. These
    community strings, as with all passwords, should be chosen carefully to
    ensure that they are not trivial. They should also be changed at regular
    intervals and in accordance with network security policies. For example,
    the strings should be changed when a network administrator changes roles
    or leaves the organization.

    To exploit this vulnerability via SNMP Version 3, the attacker must have
    user credentials for the affected system.
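    The "improper validation of SNMP protocol data units" described above is
    the class of bug in which a decoder trusts a BER length field it has not
    checked against the bytes it actually holds. The following Python is an
    added example, not code from Cisco or from this advisory: a minimal
    SNMPv1/v2c decoder that checks every length against its enclosing element
    and reports a malformed packet instead of propagating it, run over one
    well-formed GetRequest and several constructed malformed variants of it.
    The community string, OIDs and all packet bytes are constructed here;
    nothing in it reproduces the crafted packet the advisory refers to.

```python
# Bounds-checked SNMPv1/v2c decoder (added example, not Cisco code): every BER length is
# validated against its enclosing element before any byte is used. Samples are constructed.
class MalformedPDU(ValueError):
    """Tag/length inconsistency: the agent drops the packet and keeps running."""

# --- tiny BER encoder, only used to build the sample packets ---
def tlv(tag, payload):
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])  # short / long form
    return bytes([tag]) + length + payload
def encode_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))
def encode_oid(dotted):                                # sub-identifiers < 128 only (enough here)
    arcs = [int(a) for a in dotted.split(".")]
    assert all(a < 128 for a in arcs[2:])
    return tlv(0x06, bytes([arcs[0] * 40 + arcs[1]] + arcs[2:]))
def build_get_request(community, oids, request_id=0x1234):
    """SEQUENCE { version 1, community, GetRequest [0] { id, 0, 0, varbinds } }"""
    varbinds = b"".join(tlv(0x30, encode_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode("ascii")) + pdu)

# --- strict decoder ---
def read_tlv(buf, pos, end, expect_tag=None):
    """(tag, value_start, value_end) for the element at buf[pos]; `end` is the limit of the
    enclosing element, so an overrunning length or a truncated packet is rejected here."""
    if pos + 2 > end:
        raise MalformedPDU("truncated tag/length at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    if expect_tag is not None and tag != expect_tag:
        raise MalformedPDU("expected tag 0x%02X at offset %d, got 0x%02X" % (expect_tag, pos, tag))
    pos += 2
    if first & 0x80:                                   # long form: 0x8N, then N length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > end:
            raise MalformedPDU("bad long-form length at offset %d" % (pos - 1))
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    if pos + length > end:
        raise MalformedPDU("length %d at offset %d overruns enclosing element" % (length, pos))
    return tag, pos, pos + length
def decode_int(buf, pos, end):
    _, s, e = read_tlv(buf, pos, end, 0x02)
    return int.from_bytes(buf[s:e], "big", signed=True), e
def decode_oid(raw):
    if not raw:
        raise MalformedPDU("empty OBJECT IDENTIFIER")
    arcs, val, pending = [raw[0] // 40, raw[0] % 40], 0, False
    for b in raw[1:]:                                  # base-128, high bit = continuation
        val, pending = (val << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(val); val = 0
    if pending:
        raise MalformedPDU("OID ends inside a multi-byte subidentifier")
    return ".".join(map(str, arcs))

def parse_snmp_message(packet):
    """Decode an SNMPv1/v2c Get/GetNext/Response/Set message or raise MalformedPDU."""
    end = len(packet)
    _, p, msg_end = read_tlv(packet, 0, end, 0x30)
    if msg_end != end:
        raise MalformedPDU("%d trailing bytes after message" % (end - msg_end))
    version, p = decode_int(packet, p, msg_end)
    if version not in (0, 1):                          # 0 = SNMPv1, 1 = SNMPv2c
        raise MalformedPDU("unsupported version %d" % version)
    _, s, e = read_tlv(packet, p, msg_end, 0x04)
    community = packet[s:e].decode("ascii", "replace")
    tag, p, pdu_end = read_tlv(packet, e, msg_end)
    if tag not in (0xA0, 0xA1, 0xA2, 0xA3):
        raise MalformedPDU("unexpected PDU tag 0x%02X" % tag)
    request_id, p = decode_int(packet, p, pdu_end)
    _, p = decode_int(packet, p, pdu_end)              # error-status
    _, p = decode_int(packet, p, pdu_end)              # error-index
    _, p, vb_end = read_tlv(packet, p, pdu_end, 0x30)
    oids = []
    while p < vb_end:                                  # varbind: SEQUENCE { OID, value }
        _, q, one_end = read_tlv(packet, p, vb_end, 0x30)
        _, s, e = read_tlv(packet, q, one_end, 0x06)
        oids.append(decode_oid(packet[s:e])); p = one_end
    return {"version": version, "community": community, "pdu_tag": tag,
            "request_id": request_id, "oids": oids}

def classify(packet):
    """The accept/drop decision an input packet processor should make."""
    try:
        parse_snmp_message(packet)
        return "accept"
    except MalformedPDU as exc:
        return "drop: %s" % exc

GOOD = build_get_request("community-string", ["1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.5.0"])
SAMPLES = {                                            # constructed malformed variants of GOOD
    "well-formed": GOOD,
    "outer length exceeds bytes sent": bytes([0x30, 0x7F]) + GOOD[2:],
    "packet cut short": GOOD[:-5],
    "varbind list length overruns PDU": GOOD[:36] + bytes([0x40]) + GOOD[37:],
    "message is not a SEQUENCE": bytes([0x04]) + GOOD[1:],
}
```

    Running classify() over SAMPLES accepts only the well-formed packet; each
    malformed variant is reported with the offset and the length that failed
    the check. The point is where the check sits: read_tlv compares every
    declared length with the limit of the element that contains it before any
    value bytes are touched, so an inner length can never reach past its
    parent or past the end of the datagram.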


Workarounds

  o There are no workarounds that address this vulnerability.

    As a mitigation for the vulnerability that is described in this advisory,
    administrators can configure an access control list (ACL) on an SNMP
    community. This ACL will filter incoming SNMP requests to ensure that SNMP
    polling is performed only by trusted SNMP clients. In the following
    example, the device will accept incoming SNMP requests only from the
    trusted hosts and

        switch# show access-list acl_for_snmp
        IPV4 ACL acl_for_snmp
          10 permit udp eq snmp

    To implement the preceding ACL, administrators can add it to the
    snmp-server community configuration command:

        switch# show running-config snmp
        snmp-server community mycompany
         use-acl acl_for_snmp

    For additional information about configuring ACLs to filter incoming SNMP
    requests, see Filtering SNMP Requests in the Cisco NX-OS configuration

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the
    Cisco Technical Assistance Center (TAC) or their contracted maintenance

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free

    Fixed Releases

    In the following tables, the left column lists releases of Cisco NX-OS
    Software. The right column indicates whether a release is affected by the
    vulnerability described in this advisory and the first release that
    includes the fix for this vulnerability.

    Nexus 3000 Series Switches and 9000 Series Switches in Standalone NX-OS
    Mode: CSCvj70029

    Cisco NX-OS Software Release    First Fixed Release for This Vulnerability
    Prior to 7.0(3)I5               Not vulnerable
    7.0(3)I5                        Not vulnerable
    7.0(3)I6                        Not vulnerable
    7.0(3)I7                        7.0(3)I7(4)
    9.2(1)                          Not vulnerable

    Nexus 3600 Platform Switches and 9500 R-Series Line Cards and Fabric
    Modules: CSCvj70029

    Cisco NX-OS Software Release First Fixed Release for This Vulnerability
    7.0(3)                       Software Maintenance Upgrades (SMUs) 7.0(3)F3(4)
    9.2(1)                       Not vulnerable
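    Putting the "Determining the Status of SNMP" test and the fixed-release
    tables above into one check, as an added example in Python that is not
    Cisco code: it pulls the release out of "show version", classifies it as
    vulnerable, fixed or not vulnerable per the tables (releases in the same
    train at or after the first fixed release count as fixed), and reports
    exposure only when SNMP is also configured. The "show version" and "show
    running-config snmp" output is constructed for the example, and treating
    the "!Command", "!Time" and "version" header lines as non-configuration is
    an assumption.

```python
# Exposure check for this advisory (added example, not Cisco code): parse the NX-OS release
# out of 'show version', decide against the advisory's fixed-release tables, and combine
# with the advisory's SNMP-status test. The CLI output below is constructed, not captured.
import re

# vulnerable release -> first fixed release, transcribed from the tables above
ADVISORY_TABLE = {
    "7.0(3)I7(3)": "7.0(3)I7(4)",   # Nexus 3000 / 9000 standalone NX-OS (I-train)
    "7.0(3)F3(4)": None,            # Nexus 3600 / 9500 R-series (F-train): fix is an SMU
}
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(?:([A-Z])(\d+)\((\d+)\))?$")
SHOW_VERSION_RE = re.compile(r"^\s*(?:NXOS|system):\s+version\s+(\S+)", re.M)

def parse_release(s):
    """'7.0(3)I7(3)' -> (7, 0, 3, 'I', 7, 3); '9.2(1)' -> (9, 2, 1, '', 0, 0)."""
    m = RELEASE_RE.match(s)
    if not m:
        raise ValueError("unrecognised NX-OS release string: %r" % s)
    maj, mnr, mnt, train, trel, tmnt = m.groups()
    return (int(maj), int(mnr), int(mnt), train or "", int(trel or 0), int(tmnt or 0))

def release_status(release):
    """'vulnerable' (listed release), 'fixed' (same train, at or after the first fixed
    release) or 'not vulnerable' (any other release, per the advisory's 'only ... is')."""
    ver = parse_release(release)
    for vuln, fixed in ADVISORY_TABLE.items():
        if ver == parse_release(vuln):
            return "vulnerable"
        if fixed and ver[:4] == parse_release(fixed)[:4] and ver >= parse_release(fixed):
            return "fixed"
    return "not vulnerable"

def snmp_configured(show_run_snmp):
    """Advisory rule: output from 'show running-config snmp' means SNMP is configured.
    The '!Command'/'!Time'/'version' header lines NX-OS prints are ignored (assumption)."""
    return any(l.strip() and not l.lstrip().startswith(("!", "version "))
               for l in show_run_snmp.splitlines())

def assess(show_version, show_run_snmp):
    m = SHOW_VERSION_RE.search(show_version)
    if not m:
        return {"release": None, "status": "unknown", "action": "no NXOS version line found"}
    release = m.group(1)
    try:
        status = release_status(release)
    except ValueError as exc:
        return {"release": release, "status": "unknown", "action": str(exc)}
    if status != "vulnerable":
        return {"release": release, "status": status, "action": "none"}
    fixed = ADVISORY_TABLE[release] or "the SMU for %s" % release
    if not snmp_configured(show_run_snmp):
        return {"release": release, "status": "vulnerable, SNMP not configured",
                "action": "upgrade to %s before enabling SNMP" % fixed}
    return {"release": release, "status": "vulnerable and reachable",
            "action": "upgrade to %s; until then bind every community to a use-acl "
                      "of trusted pollers" % fixed}

SHOW_VERSION = """\
Cisco Nexus Operating System (NX-OS) Software
Software
  BIOS: version 07.61
  NXOS: version 7.0(3)I7(3)
  NXOS image file is: bootflash:///nxos.7.0.3.I7.3.bin
Hardware
  cisco Nexus9000 C93180YC-EX Chassis
"""
SHOW_RUN_SNMP = """\
!Command: show running-config snmp
!Time: Wed Oct 17 16:00:00 2018

version 7.0(3)I7(3)
snmp-server community community-string group network-admin
"""

if __name__ == "__main__":
    print(assess(SHOW_VERSION, SHOW_RUN_SNMP))
```

    Release strings are compared as tuples within a train, so 7.0(3)I7(5)
    reports "fixed", 7.0(3)I7(2) and 9.2(1) report "not vulnerable", and only
    the two listed releases report "vulnerable". For the F-train entry the fix
    is the SMU the table names rather than a later release, which is why its
    first-fixed value is left empty.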

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.


Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

  o Subscribe


URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-nxos-snmp

Revision History

    | Version  |        Description        | Section  | Status |       Date       |
    | 1.0      | Initial public release.   | -        | Final  | 2018-October-17  |

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967