Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.0701.2 Cisco Nexus 9000 Series Switches Multiple Vulnerabilities 20 March 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Nexus 9000 Switches Publisher: Cisco Systems Operating System: Cisco Impact/Access: Root Compromise -- Existing Account Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-1618 CVE-2019-1617 CVE-2019-1591 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-tetra-ace https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxos-npv-dos https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-aci-shell-escape Revision History: March 20 2019: Updated cisco-sa-20190306-aci-shell-escape March 7 2019: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco Nexus 9000 Series Switches Standalone NX-OS Mode Tetration Analytics Agent Arbitrary Code Execution Vulnerability Priority: High Advisory ID: cisco-sa-20190306-tetra-ace First Published: 2019 March 6 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvh21898 CVE-2019-1618 CWE-275 CVSS Score: 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X Summary o A vulnerability in the Tetration Analytics agent for Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an authenticated, local attacker to execute arbitrary code as root . The vulnerability is due to an incorrect permissions setting. An attacker could exploit this vulnerability by replacing valid agent files with malicious code. A successful exploit could result in the execution of code supplied by the attacker. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190306-tetra-ace This advisory is part of the March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication, which includes 25 Cisco Security Advisories that describe 26 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products This vulnerability affects Cisco Nexus 9000 Series Switches in standalone NX-OS mode that are running a vulnerable release of Cisco NX-OS Software. For information about which Cisco NX-OS Software releases are vulnerable, see the Fixed Software section of this advisory. Note: Only affected devices with Feature Analytics enabled are vulnerable. To verify whether Feature Analytics is enabled, administrators can execute the show feature CLI command. The following example shows the output of this command on a device with this feature disabled: N9K-A# show feature Feature Name Instance State -------------------- -------- -------- analytics 1 disabled Determining the Cisco NX-OS Software Release Administrators can check the release of Cisco NX-OS Software that is running on a device by using the show version command in the device CLI. The following example shows the output of this command on a device that is running Cisco NX-OS Software Release 7.0(3)I5(1) : nxos-switch# show version Cisco Nexus Operating System (NX-OS) Software TAC support: http://www.cisco.com/tac Copyright (C) 2002-2016, Cisco and/or its affiliates. All rights reserved. The copyrights to certain works contained in this software are owned by other third parties and used and distributed under their own licenses, such as open source. This software is provided "as is," and unless otherwise stated, there is no warranty, express or implied, including but not limited to warranties of merchantability and fitness for a particular purpose. Certain components of this software are licensed under the GNU General Public License (GPL) version 2.0 or GNU General Public License (GPL) version 3.0 or the GNU Lesser General Public License (LGPL) Version 2.1 or Lesser General Public License (LGPL) Version 2.0. A copy of each such license is available at http://www.opensource.org/licenses/gpl-2.0.php and http://opensource.org/licenses/gpl-3.0.html and http://www.opensource.org/licenses/lgpl-2.1.php and http://www.gnu.org/licenses/old-licenses/library.txt. Software BIOS: version 07.57 NXOS: version 7.0(3)I5(1) [build 7.0(3)I5(0.9)] BIOS compile time: 06/29/2016 NXOS image file is: bootflash:///nxos.7.0.3.I5.0.9.bin NXOS compile time: 8/1/2016 23:00:00 [08/02/2016 00:30:32] . . . Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect the following Cisco products: Firepower 2100 Series Firewalls Firepower 4100 Series Next-Generation Firewalls Firepower 9300 Security Appliance MDS 9000 Series Multilayer Switches Nexus 1000V Switch for Microsoft Hyper-V Nexus 1000V Switch for VMware vSphere Nexus 2000 Series Fabric Extenders Nexus 3000 Series Switches Nexus 3500 Platform Switches Nexus 3600 Platform Switches Nexus 5500 Platform Switches Nexus 5600 Platform Switches Nexus 6000 Series Switches Nexus 7000 Series Switches Nexus 7700 Series Switches Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode Nexus 9500 R-Series Line Cards and Fabric Modules UCS 6200 Series Fabric Interconnects UCS 6300 Series Fabric Interconnects UCS 6400 Series Fabric Interconnects Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Fixed Releases Customers are advised to upgrade to an appropriate release as indicated in the applicable table in this section. To help ensure a complete upgrade solution, customers should consider that this advisory is part of a bundled publication. The following page provides a complete list of bundle advisories: Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication . In the following tables, the left column lists releases of Cisco FXOS Software or Cisco NX-OS Software. The center column indicates whether a release is affected by the vulnerability described in this advisory and the first release that includes the fix for this vulnerability. The right column indicates whether a release is affected by all the vulnerabilities described in this bundle and which release includes fixes for those vulnerabilities. Although the releases listed in the right column of each table include fixes for the vulnerabilities, the fix related to the Cisco NX-OS Software Image Signature Verification Vulnerability requires a BIOS upgrade as part of the software upgrade. Customers who are upgrading the software for any of the following products are advised to refer to this advisory for further details about the BIOS upgrade and affected product IDs and BIOS versions: Nexus 3000 Series Switches Nexus 9000 Series Fabric Switches in ACI mode Nexus 9000 Series Switches in standalone NX-OS mode Nexus 9500 R-Series Line Cards and Fabric Modules Nexus 9000 Series Switches in Standalone NX-OS Mode: CSCvh21898 Cisco NX-OS First Fixed Release First Fixed Release for All Software for This Vulnerabilities Described in the Bundle Release Vulnerability of Advisories Prior to 7.0 Not vulnerable 7.0(3)I7(6) (3)I4 7.0(3)I4 7.0(3)I7(5) 7.0(3)I7(6) 7.0(3)I5 7.0(3)I7(5) 7.0(3)I7(6) 7.0(3)I6 7.0(3)I7(5) 7.0(3)I7(6) 7.0(3)I7 7.0(3)I7(5) 7.0(3)I7(6) 9.2 Not vulnerable 9.2(2) Additional Resources For help determining the best Cisco NX-OS Software release for a Cisco Nexus Switch, administrators can refer to the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance. Cisco MDS Series Switches Cisco Nexus 1000V for VMware Switch Cisco Nexus 3000 Series and 3500 Series Switches Cisco Nexus 5000 Series Switches Cisco Nexus 5500 Platform Switches Cisco Nexus 6000 Series Switches Cisco Nexus 7000 Series Switches Cisco Nexus 9000 Series Switches Cisco Nexus 9000 Series ACI-Mode Switches For help determining the best Cisco NX-OS Software release for Cisco UCS, refer to the Recommended Releases documents in the release notes for the device. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during internal security testing. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190306-tetra-ace Revision History o +---------+--------------------------+---------+--------+----------------+ | Version | Description | Section | Status | Date | +---------+--------------------------+---------+--------+----------------+ | 1.0 | Initial public release. | - | Final | 2019-March-06 | +---------+--------------------------+---------+--------+----------------+ =============================================================================== Cisco Nexus 9000 Series Switches Standalone NX-OS Mode Fibre Channel over Ethernet NPV Denial of Service Vulnerability Priority: High Advisory ID: cisco-sa-20190306-nxos-npv-dos First Published: 2019 March 6 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvk44504 CVE-2019-1617 CWE-913 CVSS Score: 7.4 AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X Summary o A vulnerability in the Fibre Channel over Ethernet (FCoE) N-port Virtualization (NPV) protocol implementation in Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition. The vulnerability is due to an incorrect processing of FCoE packets when the fcoe-npv feature is uninstalled. An attacker could exploit this vulnerability by sending a stream of FCoE frames from an adjacent host to an affected device. An exploit could allow the attacker to cause packet amplification to occur, resulting in the saturation of interfaces and a DoS condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190306-nxos-npv-dos This advisory is part of the March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication, which includes 25 Cisco Security Advisories that describe 26 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco NX-OS Software: Nexus 9000 Series Switches in standalone NX-OS mode Only the following Nexus 9000 Series PIDs are vulnerable: N9K-C92160YC-X N9K-C9272Q N9K-C9236C N9K-C93180YC-EX N9K-X9732C-EX N9K-C93180LC-EX N9K-C93180YC-FX N9K-X9736C-FX To view the PIDs of the system, use the show inventory CLI command: 9K-A# show inventory NAME: "Chassis", DESCR: "Nexus9000 C93128TX Chassis" PID: N9K-C93128TX , VID: V02 , SN: SAL1822TF13 NAME: "Slot 1", DESCR: "1/10G-T Ethernet Module" PID: N9K-C93128TX , VID: V02 , SN: SAL1822TF13 NAME: "Slot 2", DESCR: "40G Ethernet Expansion Module" PID: N9K-M12PQ , VID: V01 , SN: SAL1910AMHD Note: For this vulnerability to occur, all of the following conditions must be met: The affected devices are configured as vPC peer switches. The fcoe-npv feature must be uninstalled. See Details for more information. For information about which Cisco NX-OS Software releases are vulnerable, see the Fixed Software section of this advisory. Determining the Cisco NX-OS Software Release Administrators can check the release of Cisco NX-OS Software that is running on a device by using the show version command in the device CLI. The following example shows the output of this command on a device that is running Cisco NX-OS Software Release 7.0(3)I5(1) : nxos-switch# show version Cisco Nexus Operating System (NX-OS) Software TAC support: http://www.cisco.com/tac Copyright (C) 2002-2016, Cisco and/or its affiliates. All rights reserved. The copyrights to certain works contained in this software are owned by other third parties and used and distributed under their own licenses, such as open source. This software is provided "as is," and unless otherwise stated, there is no warranty, express or implied, including but not limited to warranties of merchantability and fitness for a particular purpose. Certain components of this software are licensed under the GNU General Public License (GPL) version 2.0 or GNU General Public License (GPL) version 3.0 or the GNU Lesser General Public License (LGPL) Version 2.1 or Lesser General Public License (LGPL) Version 2.0. A copy of each such license is available at http://www.opensource.org/licenses/gpl-2.0.php and http://opensource.org/licenses/gpl-3.0.html and http://www.opensource.org/licenses/lgpl-2.1.php and http://www.gnu.org/licenses/old-licenses/library.txt. Software BIOS: version 07.57 NXOS: version 7.0(3)I5(1) [build 7.0(3)I5(0.9)] BIOS compile time: 06/29/2016 NXOS image file is: bootflash:///nxos.7.0.3.I5.0.9.bin NXOS compile time: 8/1/2016 23:00:00 [08/02/2016 00:30:32] . . . Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect the following Cisco products: Firepower 2100 Series Firepower 4100 Series Next-Generation Firewall Firepower 9300 Security Appliance MDS 9000 Series Multilayer Switches Nexus 1000V Switch for Microsoft Hyper-V Nexus 1000V Switch for VMware vSphere Nexus 2000 Series Fabric Extenders Nexus 3000 Series Switches Nexus 3500 Platform Switches Nexus 3600 Platform Switches Nexus 5500 Platform Switches Nexus 5600 Platform Switches Nexus 6000 Series Switches Nexus 7000 Series Switches Nexus 7700 Series Switches Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode Nexus 9500 R-Series Line Cards and Fabric Modules UCS 6200 Series Fabric Interconnects UCS 6300 Series Fabric Interconnects UCS 6400 Series Fabric Interconnects Details o The affected devices are vulnerable when configured as outlined in the Vulnerable Products section. The following commands will help identify these conditions: To verify the status of a vPC configuration, use the show vpc brief CLI command: 9K-A# show vpc brief Legend: (*) - local vPC is down, forwarding via vPC peer-link vPC domain id : 10 Peer status : peer adjacency formed ok vPC keep-alive status : peer is alive Configuration consistency status : success Per-vlan consistency status : success Type-2 inconsistency reason : Consistency Check Not Performed vPC role : primary Number of vPCs configured : 1 Peer Gateway : Enabled Dual-active excluded VLANs : - Graceful Consistency Check : Enabled Auto-recovery status : Disabled Delay-restore status : Timer is off.(timeout = 30s) Delay-restore SVI status : Timer is off.(timeout = 10s) vPC Peer-link status --------------------------------------------------------------------- id Port Status Active vlans -- ---- ------ -------------------------------------------------- 1 Po1 up 1 vPC status ---------------------------------------------------------------------- id Port Status Consistency Reason Active vlans -- ---- ------ ----------- ------ ------------ 10 Po10 up success success 1 To verify the status of the fcoe-npv feature, use the show feature-set CLI command: 9K-A# show feature-set Feature Set Name ID State -------------------- -------- -------- fex 3 uninstalled mpls 4 uninstalled fabric 7 uninstalled fcoe-npv 8 uninstalled Indicators of Compromise o If the devices are configured as outlined in the Vulnerable Products section, a possible indicator of compromise would be a relativity low Rx input rate, except for the vPC peer link, coupled with a high Tx rate for all enabled interfaces on the vPC pair of affected Nexus 9000 Series Switches. To see interface throughput statistics, use the show interface counter table CLI command: (egrep -v "0.0 0.0% 0.0 0.0%", excludes interfaces with zero statistics for Rx and Tx columns) 9K-A# sh int counter table | egrep -v "0.0 0.0% 0.0 0.0%" Collecting and processing interface statistics ... ------------------------------------------------------------------------ Port Description Intvl Rx Mbps Rx % Tx Mbps Tx % ------------------------------------------------------------------------ Ethernet1/49 vPC_Peer_Link 30/30 36078.7 90.2% 36078.7 90.2% Ethernet1/50/1 N/A 30/30 2.5 0.0% 9019.6 90.2% Ethernet1/50/2 N/A 30/30 0.0 0.0% 9019.6 90.2% port-channel36 N/A 30/30 2.5 0.0% 9019.6 90.2% port-channel100 vPC_Peer_Link 30/30 36078.7 90.2% 36078.7 90.2% 9K-B# sh int counter table | egrep -v "0.0 0.0% 0.0 0.0%" Collecting and processing interface statistics ... ------------------------------------------------------------------------- Port Description Intvl Rx Mbps Rx % Tx Mbps Tx % ------------------------------------------------------------------------- Ethernet1/49 vPC_Peer_Link 30/30 36078.3 90.2% 36078.3 90.2% Ethernet1/50/1 N/A 30/30 0.0 0.0% 9019.6 90.2% port-channel36 N/A 30/30 0.0 0.0% 9019.6 90.2% port-channel100 vPC_Peer_Link 30/30 36078.3 90.2% 36078.3 90.2% Another potential indication would be output discards. To check for output discards, use the show interface counter errors non-zero CLI command: 9K-A# sh int counter errors non-zero ------------------------------------------------------------------------- Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize OutDiscards ------------------------------------------------------------------------- Eth1/49 0 0 0 0 0 426242 Eth1/50/1 0 0 0 0 0 9916163951 Eth1/50/2 0 0 0 0 0 9934560747 Po36 0 0 0 0 0 9916163951 Po100 0 0 0 0 0 426242 9K-B# sh int counter errors non-zero ------------------------------------------------------------------------- Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize OutDiscards ------------------------------------------------------------------------- Eth1/50/1 0 0 0 0 0 9915689573 Po36 0 0 0 0 0 9915689573 If there are any questions regarding the output of your device or the information above, please contact Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Fixed Releases Customers are advised to upgrade to an appropriate release as indicated in the applicable table in this section. To help ensure a complete upgrade solution, customers should consider that this advisory is part of a bundled publication. The following page provides a complete list of bundle advisories: Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication . In the following tables, the left column lists releases of Cisco FXOS Software or Cisco NX-OS Software. The center column indicates whether a release is affected by the vulnerability described in this advisory and the first release that includes the fix for this vulnerability. The right column indicates whether a release is affected by all the vulnerabilities described in this bundle and which release includes fixes for those vulnerabilities. Although the releases listed in the right column of each table include fixes for the vulnerabilities, the fix related to the Cisco NX-OS Software Image Signature Verification Vulnerability requires a BIOS upgrade as part of the software upgrade. Customers who are upgrading the software for any of the following products are advised to refer to this advisory for further details about the BIOS upgrade and affected product IDs and BIOS versions: Nexus 3000 Series Switches Nexus 9000 Series Fabric Switches in ACI mode Nexus 9000 Series Switches in standalone NX-OS mode Nexus 9500 R-Series Line Cards and Fabric Modules Nexus 9000 Series Switches in Standalone NX-OS Mode: CSCvk44504 Cisco NX-OS First Fixed Release First Fixed Release for All Software for This Vulnerabilities Described in the Bundle Release Vulnerability of Advisories Prior to 7.0 Not vulnerable 7.0(3)I7(6) (3)I4 7.0(3)I4 Not vulnerable 7.0(3)I7(6) 7.0(3)I5 7.0(3)I7(5) 7.0(3)I7(6) 7.0(3)I6 7.0(3)I7(5) 7.0(3)I7(6) 7.0(3)I7 7.0(3)I7(5) 7.0(3)I7(6) 9.2 9.2(2) 9.2(2) Additional Resources For help determining the best Cisco NX-OS Software release for a Cisco Nexus Switch, administrators can refer to the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance. Cisco MDS Series Switches Cisco Nexus 1000V for VMware Switch Cisco Nexus 3000 Series and 3500 Series Switches Cisco Nexus 5000 Series Switches Cisco Nexus 5500 Platform Switches Cisco Nexus 6000 Series Switches Cisco Nexus 7000 Series Switches Cisco Nexus 9000 Series Switches Cisco Nexus 9000 Series ACI-Mode Switches For help determining the best Cisco NX-OS Software release for Cisco UCS, refer to the Recommended Releases documents in the release notes for the device. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190306-nxos-npv-dos Revision History o +---------+--------------------------+---------+--------+----------------+ | Version | Description | Section | Status | Date | +---------+--------------------------+---------+--------+----------------+ | 1.0 | Initial public release. | - | Final | 2019-March-06 | +---------+--------------------------+---------+--------+----------------+ =============================================================================== Cisco Nexus 9000 Series Fabric Switches Application Centric Infrastructure Mode Shell Escape Vulnerability Priority: High Advisory ID: cisco-sa-20190306-aci-shell-escape First Published: 2019 March 6 16:00 GMT Last Updated: 2019 March 19 21:08 GMT Version 1.1: Final Workarounds: No workarounds availableCisco Bug IDs: CSCvm52063 CVE-2019-1591 CWE-264 CVSS Score: 7.8 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X Summary o A vulnerability in a specific CLI command implementation of Cisco Nexus 9000 Series ACI Mode Switch Software could allow an authenticated, local attacker to escape a restricted shell on an affected device. The vulnerability is due to insufficient sanitization of user-supplied input when issuing a specific CLI command with parameters on an affected device. An attacker could exploit this vulnerability by authenticating to the device CLI and issuing certain commands. A successful exploit could allow the attacker to escape the restricted shell and execute arbitrary commands with root -level privileges on the affected device. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190306-aci-shell-escape This advisory is part of the March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication, which includes 25 Cisco Security Advisories that describe 26 vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication . Affected Products o Vulnerable Products This vulnerability only affects Cisco Nexus 9000 Series ACI Mode Switches that are running a release prior to 13.2(4d). Determining the Cisco NX-OS Software Release Administrators can determine the release of Cisco NX-OS Software running on a device by using the show version command in the device CLI. The following example identifies the 11.2(2) Release: nxos-n9k-aci# show version Cisco Nexus Operating System (NX-OS) Software such license is available at http://www.opensource.org/licenses/gpl-2.0.php and http://www.opensource.org/licenses/lgpl-2.1.php Software BIOS: version N/A kickstart: version 11.2(2) [build 11.2(1.184)] system: version 11.2(2) [build 11.2(1.184)] . . . Determining the Cisco Application Policy Infrastructure Controller Software Release There is a one-to-one mapping between the software for Cisco Application Policy Infrastructure Controller (APIC) and Cisco Nexus 9000 Series Fabric Switches in ACI mode. To determine which Cisco APIC Software release is running on a device, administrators can disregard the leftmost digit of the Cisco NX-OS Software version number. In the preceding example, the output shows Cisco NX-OS Software version 11.2(2) , which maps to Cisco APIC Software Release 1.2(2) . Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has determined that this vulnerability does not affect the following Cisco products: Firepower 2100 Series Firewalls Firepower 4100 Series Next-Generation Firewalls Firepower 9300 Security Appliance MDS 9000 Series Multilayer Director Switches Nexus 1000V Switch for Microsoft Hyper-V Nexus 1000V Switch for VMware vSphere Nexus 2000 Series Fabric Extenders Nexus 3000 Series Switches Nexus 3500 Platform Switches Nexus 3600 Platform Switches Nexus 5000 Series Switches Nexus 5500 Platform Switches Nexus 5600 Platform Switches Nexus 7000 Series Switches Nexus 7700 Series Switches Nexus 9000 Series Switches in standalone NX-OS mode Nexus 9500 R-Series Line Cards and Fabric Modules UCS 6200 Series Fabric Interconnects UCS 6300 Series Fabric Interconnects UCS 6400 Series Fabric Interconnects Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Fixed Releases This vulnerability is fixed in Cisco Nexus 9000 Series ACI Mode Switch Software Releases 13.2(4d) and later. The recommended action for all Cisco customers running a device with an affected version is to upgrade to the latest maintenance or latest long-lived version. Cisco suggests that customers visit the following page to determine what fixed release to choose: https://www.cisco.com/c/en/us/td /docs/switches/datacenter/aci/apic/sw/recommended-release/ b_Recommended_Cisco_ACI_Releases.html . Additional Resources For help determining the best Cisco NX-OS Software release for a Cisco Nexus Switch, administrators can refer to the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recommends following the advisory guidance. Cisco MDS Series Switches Cisco Nexus 1000V for VMware Switch Cisco Nexus 3000 Series and 3500 Series Switches Cisco Nexus 5000 Series Switches Cisco Nexus 5500 Platform Switches Cisco Nexus 6000 Series Switches Cisco Nexus 7000 Series Switches Cisco Nexus 9000 Series Switches Cisco Nexus 9000 Series ACI-Mode Switches For help determining the best Cisco NX-OS Software release for Cisco UCS, refer to the Recommended Releases documents in the release notes for the device. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o Cisco would like to thank Nicolas Biscos and Gaetan Ferry from Synacktiv for reporting this vulnerability. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20190306-aci-shell-escape Revision History o +---------+-------------------+------------------+--------+---------------+ | Version | Description | Section | Status | Date | +---------+-------------------+------------------+--------+---------------+ | | Updated first | Vulnerable | | | | 1.1 | fixed software | Products, Fixed | Final | 2019-March-19 | | | release. | Software | | | +---------+-------------------+------------------+--------+---------------+ | 1.0 | Initial public | - | Final | 2019-March-06 | | | release. | | | | +---------+-------------------+------------------+--------+---------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXJG7AGaOgq3Tt24GAQgP6Q//cqzftoaGxQCL97Gzr/b48dGkGBCL4Cq2 0I/M+DeEs1V+dk8YyHxqvvYDAA9BHulIK/nA8Dr5X4BzeM22IcLH4MUzay3tNG38 r/SDwG7zmbxadYaR2qAAJVD/ULYWuVq8BgQWwqjkZuR/fzKvU6eA9FebK/BCIlL3 rxDbCWsowLz2abzn7jfFV4P74NUrTHI4BzJVc9FwS4xhYnidjgodiuqeVSKUrmLZ uVe086JJkxLC+NrLmRz4Firm8/t3IZg3tgleo+uBu9QZgfF3E5pScYQujk5o1rwV Lwu7Dj4ZEiKUy4+pp/nMUT6vnZgx+agT2G/HXHKAlXXEKG/NQg6A1D2RjIwVvgdk WdiPI2MJ7MyNAxfO0Dpj9bhObsqj1FmKYqteYEnzEA4/PswMrYLK8pOIv63k/FME +snUaUx/vz0D+K8B3oCZWy0GxwFGErhOzGBVgMU0pEfd+IX4OLTKejXaIxQkXU8g ZpB3Rp8Qi06l3Z7cUqjlLBSPTU35OdzKeXUBQRG8Q8278Sl52Ovkfn6CIAfGZnDP zWOHF0iSnnPDXWLVOs4zW0GpMXSq5EXYw27sIEa9eELi1xWL+U3pqD5cCqf46pt8 FPmjxu1DIz1oDMyp0VyTiLkGnuZtJr5juNu0SCVf4BwPumukhBnMKvPW3RTHKTsY qq/iwQykVjc= =Etsq -----END PGP SIGNATURE-----