Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.1759.5
Cisco FXOS and NX-OS Software Vulnerabilities
25 February 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco FXOS and NX-OS Software
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Increased Privileges -- Existing Account
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-1858 CVE-2019-1795 CVE-2019-1791
CVE-2019-1790 CVE-2019-1784 CVE-2019-1783
CVE-2019-1782 CVE-2019-1781 CVE-2019-1780
CVE-2019-1779 CVE-2019-1778 CVE-2019-1776
CVE-2019-1775 CVE-2019-1774 CVE-2019-1770
CVE-2019-1769 CVE-2019-1735 CVE-2019-1734
CVE-2019-1728
Reference: ESB-2019.1756
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-fxos-nxos-cmdinj-1781-1782
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-fxos-cmdinj-1779
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-fxos-cmdinj-1780
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-cmdinj-1795
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-conf-bypass
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-fxos-info
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-nxos-snmp-dos
Comment: This bulletin contains seven (7) Cisco Systems security advisories.
Revision History: February 25 2020: Vendor updated vulnerable and fixed product details in advisory: cisco-sa-20190515-nxos-conf-bypass
May 22 2019: Updated cisco-sa-20190515-nxos-fxos-cmdinj-1780 to v1.1
May 21 2019: Corrected errors in the Fixed Release tables for MDS and N7K - cisco-sa-20190515-nxos-snmp-dos
May 17 2019: Added mitigation for cisco-sa-20190515-nxos-snmp-dos
May 16 2019: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Cisco FXOS and NX-OS Software Command Injection Vulnerabilities (CVE-2019-1781,
CVE-2019-1782)
Priority: Medium
Advisory ID: cisco-sa-20190515-fxos-nxos-cmdinj-1781-1782
First Published: 2019 May 15 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds availableCisco Bug IDs: CSCvh20027 CSCvh20389 CSCvi01445 CSCvi01448CSCvi91985 CSCvi92126 CSCvi92128 CSCvi92129CSCvi92130 CSCvi96522 CSCvi96524 CSCvi96525CSCvi96526 CSCvi96527
CVE-2019-1781
CVE-2019-1782
CWE-77
CVSS Score:
6.7 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o Multiple vulnerabilities in the CLI of Cisco FXOS Software and Cisco NX-OS
Software could allow an authenticated, local attacker to execute arbitrary
commands on the underlying operating system of an affected device.
These vulnerabilities are due to insufficient validation of arguments
passed to certain CLI commands. An attacker could exploit these
vulnerabilities by including malicious input as the argument of an affected
command. A successful exploit could allow the attacker to execute arbitrary
commands on the underlying operating system with elevated privileges. An
attacker would need administrator credentials to exploit these
vulnerabilities.
Cisco has released software updates that address these vulnerabilities.
There are no workarounds that address these vulnerabilities.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190515-fxos-nxos-cmdinj-1781-1782
Affected Products
o Vulnerable Products
These vulnerabilities affect the following Cisco products if they are
running a vulnerable release of Cisco FXOS or NX-OS Software:
Firepower 4100 Series
Firepower 9300 Security Appliances
MDS 9000 Series Multilayer Switches
Nexus 3000 Series Switches
Nexus 3500 Platform Switches
Nexus 3600 Platform Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Switches in standalone NX-OS mode
Nexus 9500 R-Series Switching Platform
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
For information about which Cisco FXOS and NX-OS Software releases are
vulnerable, see the Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect the following
Cisco products:
Firepower 2100 Series
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
(ACI) mode
UCS 6400 Series Fabric Interconnects
Details
o Cisco has disclosed several similar CLI command injection vulnerabilities.
They differ primarily in affected products and software versions. This
table shows the affected products for each vulnerability by Cisco bug ID
and CVE ID.
Security FP 4100/ MDS 9K/ N1000V N3K/N3500/ N3600/ N5500K/ UCS 6200/
Advisory 9300 N7K/ MS/VM N9K-NXOS N9500R N5600/ UCS 6300
N7700 ^1 N6K UCS 6400 ^
2
Cisco NX-OS N/A CSCvj63728 CSCvk52969 CSCvj63877 CSCvk52988 CSCvk52972 CSCvk52975
Software CSCvk52985 CSCvk52971
Command
Injection
Vulnerability
(CVE-2019-1735)
Cisco NX-OS N/A N/A N/A CSCvh20032 CSCvj00299 N/A N/A
Software Line
Card Command
Injection
Vulnerability
(CVE-2019-1769)
Cisco NX-OS N/A CSCvh75867 CSCvi92240 CSCvh75958 CSCvi92239 CSCvi92243 N/A
Software ^1 CSCvk36294 CSCvi92242
Command
Injection
Vulnerability
(CVE-2019-1770)
Cisco NX-OS N/A CSCvh75895 N/A CSCvh75968 CSCvi99195 CSCvi99198 N/A
Software CSCvh75909 CSCvh75976 CSCvi92256 CSCvi92260
Command CSCvi99197
Injection CSCvi92258
Vulnerabilities
(CVE-2019-1774,
CVE-2019-1775)
Cisco NX-OS N/A CSCvh20081 N/A CSCvh20076 CSCvi96429 CSCvi96432 CSCvi96433
Software CSCvi96431 ^2
Command
Injection
Vulnerability
(CVE-2019-1776)
Cisco NX-OS N/A N/A N/A CSCvh75996 CSCvj03877 N/A N/A
Software
Command
Injection
Vulnerability
(CVE-2019-1778)
Cisco FXOS and CSCvj00418 CSCve51688 N/A CSCvh76126 CSCvj00412 CSCvj00416 N/A
NX-OS Software
Command
Injection
Vulnerability
(CVE-2019-1779)
Cisco FXOS and CSCvi92332 CSCvi01440 N/A CSCvi01431 CSCvi92326 CSCvi92329 N/A
NX-OS Software CSCvi92328
Command
Injection
Vulnerability
(CVE-2019-1780)
Cisco FXOS and CSCvi96527 CSCvi01448 N/A CSCvi01445 CSCvi96522 CSCvi96525 CSCvi96526
NX-OS Software CSCvi92130 CSCvh20389 CSCvh20027 CSCvi91985 CSCvi92128 ^2
Command CSCvi96524 CSCvi92129
Injection CSCvi92126 ^2
Vulnerabilities
(CVE-2019-1781,
CVE-2019-1782)
Cisco NX-OS N/A CSCvi42281 N/A N/A N/A CSCvj03966 N/A
Software ^1
Command
Injection
Vulnerability
(CVE-2019-1783)
Cisco NX-OS N/A CSCvi42292 N/A N/A N/A CSCvj12273 CSCvj12274
Software ^1 ^2
Command
Injection
Vulnerability
(CVE-2019-1784)
Cisco NX-OS N/A CSCvh20112 N/A CSCvh20096 CSCvi96504 CSCvi96509 CSCvi96510
Software ^2
Command
Injection
Vulnerability
(CVE-2019-1790)
Cisco NX-OS N/A CSCvj63667 N/A CSCvj63270 CSCvk50889 CSCvk50876 N/A
Software CSCvk50873
Command
Injection
Vulnerability
(CVE-2019-1791)
Cisco FXOS and CSCvh66259 CSCvh20359 CSCvh66257 CSCvh20029 CSCvh66202 CSCvh66214 CSCvh66243
NX-OS Software CSCvk30761 CSCvh66219 ^2
Command
Injection
Vulnerability
(CVE-2019-1795)
1. CSCvh75867, CSCvi42281, and CSCvi42292 apply to only Nexus 7000 Series
and Nexus 7700 Series Switches. The MDS 9000 Series Multilayer Switches are
not affected by these vulnerabilities.
2. CSCvk52975 applies to UCS 6200, 6300, and 6400. For all other UCS
defects, only UCS 6200 and 6300 are affected (and UCS 6400 is not
affected).
Workarounds
o There are no workarounds that address these vulnerabilities.
Fixed Software
o Cisco has released free software updates that address the vulnerabilities
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license: https://www.cisco.com/c/en/us/products/
end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
No upgrade action is necessary for products that are running Cisco NX-OS
Software for cases in which customers have already applied a recommended
Cisco NX-OS Software release to address the March 2019 Cisco FXOS and NX-OS
Software bundle. See Cisco Event Response: March 2019 Cisco FXOS and NX-OS
Software Security Advisory Bundled Publication for a list of advisories in
the bundle.
Customers who have not applied a recommended release to address the March
2019 bundle or who have devices that are running Cisco FXOS software are
advised to upgrade to an appropriate release as indicated in the applicable
table in this section. In the following tables, the left column lists Cisco
FXOS and NX-OS Software releases. The right column indicates the first
release that includes the fix for the vulnerabilities that are described in
this advisory.
Firepower 4100 Series and Firepower 9300 Security Appliances: CSCvi96527
and CSCvi92130
Cisco FXOS Software Release First Fixed Release for These Vulnerabilities
Prior 2.2 2.2.2.91
2.2 2.2.2.91
2.3 2.3.1.130
2.4 2.4.1.222
MDS 9000 Series Multilayer Switches: CSCvi01448 and CSCvh20389
Cisco NX-OS Software Release First Fixed Release for These Vulnerabilities
5.2 6.2(25)
6.2 6.2(25)
7.3 8.3(2)
8.1 8.3(2)
8.2 8.3(2)
8.3 8.3(2)
Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
NX-OS Mode: CSCvi01445 and CSCvh20027
Cisco NX-OS Software Release First Fixed Release for These Vulnerabilities
Prior to 7.0(3)I4 7.0(3)I4(9)
7.0(3)I4 7.0(3)I4(9)
7.0(3)I7 7.0(3)I7(4)
9.2(1) Not vulnerable
Nexus 3500 Platform Switches: CSCvi96524 and CSCvi92126
Cisco NX-OS Software Release First Fixed Release for These Vulnerabilities
Prior to 6.0(2)A8 6.0(2)A8(11)
6.0(2)A8 6.0(2)A8(11)
7.0(3)I4 7.0(3)I4(9)
7.0(3)I7 7.0(3)I7(4)
9.2 Not vulnerable
Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform:
CSCvi96522 and CSCvi91985
Cisco NX-OS Software Release First Fixed Release for These Vulnerabilities
7.0(3) 7.0(3)F3(5)
9.2 Not vulnerable
Nexus 5500, 5600, and 6000 Series Switches: CSCvi96525 and CSCvi92128
Cisco NX-OS Software Release First Fixed Release for These Vulnerabilities
Prior to 7.3 7.3(4)N1(1)
7.3 7.3(4)N1(1)
Nexus 7000 and 7700 Series Switches: CSCvi01448 and CSCvh20389
Cisco NX-OS Software Release First Fixed Release for These Vulnerabilities
Prior to 6.2 6.2(22)
6.2 6.2(22)
7.2 7.3(3)D1(1)
7.3 7.3(3)D1(1)
8.0 8.2(3)
8.1 8.2(3)
8.2 8.2(3)
8.3 8.3(1)
UCS 6200 and 6300 Fabric Interconnects : CSCvi96526 and CSCvi92129
Cisco NX-OS Software Release First Fixed Release for These Vulnerabilities
Prior to 4.0 4.0(1a)
4.0 4.0(1a)
Additional Resources
For help determining the best Cisco NX-OS Software release for a Cisco
Nexus Switch, administrators can refer to the following Recommended
Releases documents. If a security advisory recommends a later release,
Cisco recommends following the advisory guidance.
Cisco MDS Series Switches
Cisco Nexus 1000V for VMware Switch
Cisco Nexus 3000 Series and 3500 Series Switches
Cisco Nexus 5000 Series Switches
Cisco Nexus 5500 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches
Cisco Nexus 9000 Series ACI-Mode Switches
For help determining the best Cisco NX-OS Software release for Cisco UCS,
refer to the Recommended Releases documents in the release notes for the
device.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerabilities that are
described in this advisory.
Source
o These vulnerabilities were found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190515-fxos-nxos-cmdinj-1781-1782
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2019-May-15 |
+----------+---------------------------+----------+--------+--------------+
- -------------------------------------------------------------------------------
Cisco FXOS and NX-OS Software Command Injection Vulnerability (CVE-2019-1779)
Priority: Medium
Advisory ID: cisco-sa-20190515-nxos-fxos-cmdinj-1779
First Published: 2019 May 15 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Cisco Bug IDs: CSCve51688CSCvh76126CSCvj00412CSCvj00416CSCvj00418
CVE-2019-1779
CWE-77
CVSS Score:
4.2 AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X
Summary
o A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software
could allow an authenticated, local attacker to execute arbitrary commands
on the underlying operating system of an affected device with elevated
privileges.
The vulnerability is due to insufficient validation of arguments passed to
certain CLI commands. An attacker could exploit this vulnerability by
including malicious input as the argument of an affected command. A
successful exploit could allow the attacker to execute arbitrary commands
on the underlying operating system with elevated privileges. An attacker
would need valid device credentials to exploit this vulnerability.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190515-nxos-fxos-cmdinj-1779
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they are running
a vulnerable release of Cisco FXOS Software or NX-OS Software:
Firepower 4100 Series
Firepower 9300 Security Appliances
MDS 9000 Series Multilayer Switches
Nexus 3000 Series Switches
Nexus 3500 Platform Switches
Nexus 3600 Platform Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Switches in standalone NX-OS mode
Nexus 9500 R-Series Switching Platform
For information about which Cisco FXOS Software and NX-OS Software releases
are vulnerable, see the Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Firepower 2100 Series
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
(ACI) mode
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
UCS 6400 Series Fabric Interconnects
Details
o Cisco has disclosed several similar CLI command injection vulnerabilities.
They differ primarily in affected products and software versions. This
table shows the affected products for each vulnerability by Cisco bug ID
and CVE ID.
Security FP 4100/ MDS 9K/ N1000V N3K/N3500/ N3600/ N5500K/ UCS 6200/
Advisory 9300 N7K/ MS/VM N9K-NXOS N9500R N5600/ UCS 6300
N7700 ^1 N6K UCS 6400 ^
2
Cisco NX-OS N/A CSCvj63728 CSCvk52969 CSCvj63877 CSCvk52988 CSCvk52972 CSCvk52975
Software CSCvk52985 CSCvk52971
Command
Injection
Vulnerability
(CVE-2019-1735)
Cisco NX-OS N/A N/A N/A CSCvh20032 CSCvj00299 N/A N/A
Software Line
Card Command
Injection
Vulnerability
(CVE-2019-1769)
Cisco NX-OS N/A CSCvh75867 CSCvi92240 CSCvh75958 CSCvi92239 CSCvi92243 N/A
Software ^1 CSCvk36294 CSCvi92242
Command
Injection
Vulnerability
(CVE-2019-1770)
Cisco NX-OS N/A CSCvh75895 N/A CSCvh75968 CSCvi99195 CSCvi99198 N/A
Software CSCvh75909 CSCvh75976 CSCvi92256 CSCvi92260
Command CSCvi99197
Injection CSCvi92258
Vulnerabilities
(CVE-2019-1774,
CVE-2019-1775)
Cisco NX-OS N/A CSCvh20081 N/A CSCvh20076 CSCvi96429 CSCvi96432 CSCvi96433
Software CSCvi96431 ^2
Command
Injection
Vulnerability
(CVE-2019-1776)
Cisco NX-OS N/A N/A N/A CSCvh75996 CSCvj03877 N/A N/A
Software
Command
Injection
Vulnerability
(CVE-2019-1778)
Cisco FXOS and CSCvj00418 CSCve51688 N/A CSCvh76126 CSCvj00412 CSCvj00416 N/A
NX-OS Software
Command
Injection
Vulnerability
(CVE-2019-1779)
Cisco FXOS and CSCvi92332 CSCvi01440 N/A CSCvi01431 CSCvi92326 CSCvi92329 N/A
NX-OS Software CSCvi92328
Command
Injection
Vulnerability
(CVE-2019-1780)
Cisco FXOS and CSCvi96527 CSCvi01448 N/A CSCvi01445 CSCvi96522 CSCvi96525 CSCvi96526
NX-OS Software CSCvi92130 CSCvh20389 CSCvh20027 CSCvi91985 CSCvi92128 ^2
Command CSCvi96524 CSCvi92129
Injection CSCvi92126 ^2
Vulnerabilities
(CVE-2019-1781,
CVE-2019-1782)
Cisco NX-OS N/A CSCvi42281 N/A N/A N/A CSCvj03966 N/A
Software ^1
Command
Injection
Vulnerability
(CVE-2019-1783)
Cisco NX-OS N/A CSCvi42292 N/A N/A N/A CSCvj12273 CSCvj12274
Software ^1 ^2
Command
Injection
Vulnerability
(CVE-2019-1784)
Cisco NX-OS N/A CSCvh20112 N/A CSCvh20096 CSCvi96504 CSCvi96509 CSCvi96510
Software ^2
Command
Injection
Vulnerability
(CVE-2019-1790)
Cisco NX-OS N/A CSCvj63667 N/A CSCvj63270 CSCvk50889 CSCvk50876 N/A
Software CSCvk50873
Command
Injection
Vulnerability
(CVE-2019-1791)
Cisco FXOS and CSCvh66259 CSCvh20359 CSCvh66257 CSCvh20029 CSCvh66202 CSCvh66214 CSCvh66243
NX-OS Software CSCvk30761 CSCvh66219 ^2
Command
Injection
Vulnerability
(CVE-2019-1795)
1. CSCvh75867, CSCvi42281, and CSCvi42292 apply to only Nexus 7000 Series
and Nexus 7700 Series Switches. The MDS 9000 Series Multilayer Switches are
not affected by these vulnerabilities.
2. CSCvk52975 applies to UCS 6200, 6300, and 6400. For all other UCS
defects, only UCS 6200 and 6300 are affected (and UCS 6400 is not
affected).
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license: https://www.cisco.com/c/en/us/products/
end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
No upgrade action is necessary for customers who have already applied a
recommended release to address the March 2019 Cisco FXOS and NX-OS Software
bundle. See Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software
Security Advisory Bundled Publication for a list of advisories in the
bundle.
Customers who have not applied a recommended release to address the March
2019 bundle are advised to upgrade to an appropriate release as indicated
in the applicable table in this section. In the following tables, the left
column lists Cisco FXOS and NX-OS Software releases. The right column
indicates the first release that includes the fix for this vulnerability.
Firepower 4100 Series and Firepower 9300 Security Appliances: CSCvj00418
Cisco FXOS Software Release First Fixed Release for This Vulnerability
Prior to 2.4 2.4.1.101
2.4 2.4.1.101
MDS 9000 Series Multilayer Switches: CSCve51688
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
5.2 6.2(25)
6.2 6.2(25)
7.3 8.1(1b)
8.1 8.1(1b)
8.2 8.3(1)
8.3 8.3(1)
Nexus 3000 Series Switches, Nexus 3500 Platform Switches, and Nexus 9000
Series Switches in Standalone NX-OS Mode: CSCvh76126
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 7.0(3)I4 7.0(3)I4(9)
7.0(3)I4 7.0(3)I4(9)
7.0(3)I7 7.0(3)I7(4)
9.2(1) Not vulnerable
Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform:
CSCvj00412
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
7.0(3) 7.0(3)F3(5)
9.2 Not vulnerable
Nexus 5500 and 5600 Platform Switches and 6000 Series Switches: CSCvj00416
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 7.3 7.3(4)N1(1)
7.3 7.3(4)N1(1)
Nexus 7000 and 7700 Series Switches: CSCve51688
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 6.2 6.2(22)
6.2 6.2(22)
7.2 7.3(3)D1(1)
7.3 7.3(3)D1(1)
8.0 8.3(1)
8.1 8.3(1)
8.2 8.3(1)
8.3 8.3(1)
Additional Resources
For help determining the best Cisco NX-OS Software release for a Cisco
Nexus Switch, administrators can refer to the following Recommended
Releases documents. If a security advisory recommends a later release,
Cisco recommends following the advisory guidance.
Cisco MDS Series Switches
Cisco Nexus 1000V for VMware Switch
Cisco Nexus 3000 Series and 3500 Series Switches
Cisco Nexus 5000 Series Switches
Cisco Nexus 5500 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches
Cisco Nexus 9000 Series ACI-Mode Switches
For help determining the best Cisco NX-OS Software release for Cisco UCS,
refer to the Recommended Releases documents in the release notes for the
device.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190515-nxos-fxos-cmdinj-1779
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2019-May-15 |
+----------+---------------------------+----------+--------+--------------+
- -------------------------------------------------------------------------------
Cisco FXOS and NX-OS Software Command Injection Vulnerability (CVE-2019-1780)
Priority: Medium
Advisory ID: cisco-sa-20190515-nxos-fxos-cmdinj-1780
First Published: 2019 May 15 16:00 GMT
Last Updated: 2019 May 21 13:55 GMT
Version 1.1: Final
Workarounds: No workarounds available
CVE-2019-1780
CWE-77
CVSS Score:
4.2 AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:X
Summary
o A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software
could allow an authenticated, local attacker with administrator credentials
to execute arbitrary commands on the underlying operating system of an
affected device with elevated privileges.
The vulnerability is due to insufficient validation of arguments passed to
certain CLI commands. An attacker could exploit this vulnerability by
including malicious input as the argument of an affected command. A
successful exploit could allow the attacker to execute arbitrary commands
on the underlying operating system with elevated privileges. An attacker
would need valid administrator credentials to exploit this vulnerability.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190515-nxos-fxos-cmdinj-1780
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they are running
a vulnerable release of Cisco FXOS Software or NX-OS Software:
Firepower 4100 Series
Firepower 9300 Security Appliances
MDS 9000 Series Multilayer Switches
Nexus 3000 Series Switches
Nexus 3500 Platform Switches
Nexus 3600 Platform Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Switches in standalone NX-OS mode
Nexus 9500 R-Series Switching Platform
For information about which Cisco FXOS Software and NX-OS Software releases
are vulnerable, see the Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Firepower 2100 Series
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
(ACI) mode
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
UCS 6400 Series Fabric Interconnects
Details
o Cisco has disclosed several similar CLI command injection vulnerabilities.
They differ primarily in affected products and software versions. This
table shows the affected products for each vulnerability by Cisco bug ID
and CVE ID.
Security FP 4100/ MDS 9K/ N1000V N3K/N3500/ N3600/ N5500K/ UCS 6200/
Advisory 9300 N7K/ MS/VM N9K-NXOS N9500R N5600/ UCS 6300
N7700 ^1 N6K UCS 6400 ^
2
Cisco NX-OS N/A CSCvj63728 CSCvk52969 CSCvj63877 CSCvk52988 CSCvk52972 CSCvk52975
Software CSCvk52985 CSCvk52971
Command
Injection
Vulnerability
(CVE-2019-1735)
Cisco NX-OS N/A N/A N/A CSCvh20032 CSCvj00299 N/A N/A
Software Line
Card Command
Injection
Vulnerability
(CVE-2019-1769)
Cisco NX-OS N/A CSCvh75867 CSCvi92240 CSCvh75958 CSCvi92239 CSCvi92243 N/A
Software ^1 CSCvk36294 CSCvi92242
Command
Injection
Vulnerability
(CVE-2019-1770)
Cisco NX-OS N/A CSCvh75895 N/A CSCvh75968 CSCvi99195 CSCvi99198 N/A
Software CSCvh75909 CSCvh75976 CSCvi92256 CSCvi92260
Command CSCvi99197
Injection CSCvi92258
Vulnerabilities
(CVE-2019-1774,
CVE-2019-1775)
Cisco NX-OS N/A CSCvh20081 N/A CSCvh20076 CSCvi96429 CSCvi96432 CSCvi96433
Software CSCvi96431 ^2
Command
Injection
Vulnerability
(CVE-2019-1776)
Cisco NX-OS N/A N/A N/A CSCvh75996 CSCvj03877 N/A N/A
Software
Command
Injection
Vulnerability
(CVE-2019-1778)
Cisco FXOS and CSCvj00418 CSCve51688 N/A CSCvh76126 CSCvj00412 CSCvj00416 N/A
NX-OS Software
Command
Injection
Vulnerability
(CVE-2019-1779)
Cisco FXOS and CSCvi92332 CSCvi01440 N/A CSCvi01431 CSCvi92326 CSCvi92329 N/A
NX-OS Software CSCvi92328
Command
Injection
Vulnerability
(CVE-2019-1780)
Cisco FXOS and CSCvi96527 CSCvi01448 N/A CSCvi01445 CSCvi96522 CSCvi96525 CSCvi96526
NX-OS Software CSCvi92130 CSCvh20389 CSCvh20027 CSCvi91985 CSCvi92128 ^2
Command CSCvi96524 CSCvi92129
Injection CSCvi92126 ^2
Vulnerabilities
(CVE-2019-1781,
CVE-2019-1782)
Cisco NX-OS N/A CSCvi42281 N/A N/A N/A CSCvj03966 N/A
Software ^1
Command
Injection
Vulnerability
(CVE-2019-1783)
Cisco NX-OS N/A CSCvi42292 N/A N/A N/A CSCvj12273 CSCvj12274
Software ^1 ^2
Command
Injection
Vulnerability
(CVE-2019-1784)
Cisco NX-OS N/A CSCvh20112 N/A CSCvh20096 CSCvi96504 CSCvi96509 CSCvi96510
Software ^2
Command
Injection
Vulnerability
(CVE-2019-1790)
Cisco NX-OS N/A CSCvj63667 N/A CSCvj63270 CSCvk50889 CSCvk50876 N/A
Software CSCvk50873
Command
Injection
Vulnerability
(CVE-2019-1791)
Cisco FXOS and CSCvh66259 CSCvh20359 CSCvh66257 CSCvh20029 CSCvh66202 CSCvh66214 CSCvh66243
NX-OS Software CSCvk30761 CSCvh66219 ^2
Command
Injection
Vulnerability
(CVE-2019-1795)
1. CSCvh75867, CSCvi42281, and CSCvi42292 apply to only Nexus 7000 Series
and Nexus 7700 Series Switches. The MDS 9000 Series Multilayer Switches are
not affected by these vulnerabilities.
2. CSCvk52975 applies to UCS 6200, 6300, and 6400. For all other UCS
defects, only UCS 6200 and 6300 are affected (and UCS 6400 is not
affected).
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license: https://www.cisco.com/c/en/us/products/
end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
No upgrade action is necessary for products that are running Cisco NX-OS
Software for cases in which customers have already applied a recommended
Cisco NX-OS Software release to address the March 2019 Cisco FXOS and NX-OS
Software bundle. See Cisco Event Response: March 2019 Cisco FXOS and NX-OS
Software Security Advisory Bundled Publication for a list of advisories in
the bundle.
Customers who have not applied a recommended release to address the March
2019 bundle or who have devices that are running Cisco FXOS software are
advised to upgrade to an appropriate release as indicated in the applicable
table in this section. In the following tables, the left column lists Cisco
FXOS and NX-OS Software releases. The right column indicates the first
release that includes the fix for this vulnerability.
Firepower 4100 Series and Firepower 9300 Security Appliances: CSCvi92332
Cisco FXOS Software Release First Fixed Release for This Vulnerability
Prior to 2.3 2.3.1.130
2.3 2.3.1.130
2.4 2.4.1.122
MDS 9000 Series Multilayer Switches: CSCvi01440
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
5.2 6.2(25)
6.2 6.2(25)
7.3 8.1(1b)
8.1 8.1(1b)
8.2 8.2(3)
8.3 8.3(1)
Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
NX-OS Mode: CSCvi01431
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 7.0(3)I4 7.0(3)I4(9)
7.0(3)I4 7.0(3)I4(9)
7.0(3)I7 7.0(3)I7(4)
9.2(1) Not vulnerable
Nexus 3500 Platform Switches: CSCvi92328
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 6.0(2)A8 6.0(2)A8(11)
6.0(2)A8 6.0(2)A8(11)
7.0(3)I4 7.0(3)I4(9)
7.0(3)I7 7.0(3)I7(4)
9.2 Not vulnerable
Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform:
CSCvi92326
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
7.0(3) 7.0(3)F3(5)
9.2 Not vulnerable
Nexus 5500 and 5600 Platform Switches and 6000 Series Switches: CSCvi92329
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 7.3 7.3(3)N1(1)
7.3 7.3(3)N1(1)
Nexus 7000 and 7700 Series Switches: CSCvi01440
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 6.2 6.2(22)
6.2 6.2(22)
7.2 7.3(3)D1(1)
7.3 7.3(3)D1(1)
8.0 8.2(3)
8.1 8.2(3)
8.2 8.2(3)
8.3 8.3(1)
Additional Resources
For help determining the best Cisco NX-OS Software release for a Cisco
Nexus Switch, administrators can refer to the following Recommended
Releases documents. If a security advisory recommends a later release,
Cisco recommends following the advisory guidance.
Cisco MDS Series Switches
Cisco Nexus 1000V for VMware Switch
Cisco Nexus 3000 Series and 3500 Series Switches
Cisco Nexus 5000 Series Switches
Cisco Nexus 5500 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches
Cisco Nexus 9000 Series ACI-Mode Switches
For help determining the best Cisco NX-OS Software release for Cisco UCS,
refer to the Recommended Releases documents in the release notes for the
device.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190515-nxos-fxos-cmdinj-1780
Revision History
o +---------+-----------------------------+----------+--------+-------------+
| Version | Description | Section | Status | Date |
+---------+-----------------------------+----------+--------+-------------+
| | Updated the Nexus 3000 | | | |
| 1.1 | Series Switches and Nexus | Fixed | Final | 2019-May-21 |
| | 9000 Series Switches Fixed | Software | | |
| | Release Table. | | | |
+---------+-----------------------------+----------+--------+-------------+
| 1.0 | Initial public release. | - | Final | 2019-May-15 |
+---------+-----------------------------+----------+--------+-------------+
- -------------------------------------------------------------------------------
Cisco FXOS and NX-OS Software Command Injection Vulnerability (CVE-2019-1795)
Priority: Medium
Advisory ID: cisco-sa-20190515-nxos-cmdinj-1795
First Published: 2019 May 15 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds availableCisco Bug IDs: CSCvh20029 CSCvh20359 CSCvh66202 CSCvh66214CSCvh66219 CSCvh66243 CSCvh66257 CSCvh66259CSCvk30761
CVE-2019-1795
CWE-77
CVSS Score:
6.7 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o
A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software
could allow an authenticated, local attacker to execute arbitrary commands
on the underlying Linux operating system with the privilege level of root .
The vulnerability is due to insufficient validation of arguments passed to
a specific CLI command on the affected device. An attacker could exploit
this vulnerability by including malicious input as the argument of an
affected command. A successful exploit could allow the attacker to execute
arbitrary commands on the underlying Linux operating system with elevated
privileges. An attacker would need valid administrator credentials to
exploit this vulnerability.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190515-nxos-cmdinj-1795
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they are running
a vulnerable release of Cisco FXOS or NX-OS Software:
Firepower 4100 Series
Firepower 9300 Security Appliances
MDS 9000 Series Multilayer Switches
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 3000 Series Switches
Nexus 3500 Platform Switches
Nexus 3600 Platform Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Switches in standalone NX-OS mode
Nexus 9500 R-Series Switching Platform
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
For information about which Cisco FXOS and NX-OS Software releases are
vulnerable, see the Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Firepower 2100 Series
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
(ACI) mode
UCS 6400 Series Fabric Interconnects
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license: https://www.cisco.com/c/en/us/products/
end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
No upgrade action is necessary for customers who have already applied a
recommended release to address the March 2019 Cisco FXOS and NX-OS Software
bundle. See Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software
Security Advisory Bundled Publication for a list of advisories in the
bundle.
Customers who have not applied a recommended release to address the March
2019 bundle are advised to upgrade to an appropriate release as indicated
in the applicable table in this section. In the following tables, the left
column lists Cisco FXOS and NX-OS Software releases. The right column
indicates the first release that includes the fix for this vulnerability.
Firepower 4100 Series and Firepower 9300 Security Appliances: CSCvh66259
Cisco FXOS Software Release First Fixed Release for This Vulnerability
Prior 2.0 2.0.1.201
2.0 2.0.1.201
2.1 2.2.2.54
2.2 2.2.2.54
2.3 2.3.1.73
2.4 2.4.1.101
MDS 9000 Series Multilayer Switches: CSCvh20359
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 8.2 8.2(3)
8.2 8.2(3)
8.3 8.3(1)
Nexus 1000V Switch for Microsoft Hyper-V: CSCvk30761
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 5.2 No fix available
5.2 No fix available
Nexus 1000V Switch for VMware vSphere : CSCvh66257
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 5.2 5.2(1)SV3(4.1)
5.2 5.2(1)SV3(4.1)
Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
NX-OS Mode: CSCvh20029
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 7.0(3)I4 7.0(3)I4(8)
7.0(3)I4 7.0(3)I4(8)
7.0(3)I7 7.0(3)I7(3)
9.2(1) Not vulnerable
Nexus 3500 Platform Switches: CSCvh66219
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 6.0(2)A8 6.0(2)A8(11)
6.0(2)A8 6.0(2)A8(11)
7.0(3)I4 7.0(3)I4(8)
7.0(3)I7 7.0(3)I7(3)
9.2 Not vulnerable
Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform :
CSCvh66202
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
7.0(3) 7.0(3)F3(5)
9.2 Not vulnerable
Nexus 5500, 5600, and 6000 Series Switches: CSCvh66214
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 7.3 7.3(4)N1(1)
7.3 7.3(4)N1(1)
Nexus 7000 and 7700 Series Switches: CSCvh20359
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 6.2 6.2(22)
6.2 6.2(22)
7.2 7.3(2)D1(3)
7.3 7.3(3)D1(1)
8.0 8.2(3)
8.1 8.2(3)
8.2 8.2(3)
8.3 8.3(1)
UCS 6200 and 6300 Fabric Interconnects: CSCvh66243
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 3.2 3.2(3a)
3.2 3.2(3a)
4.0 4.0(1a)
Additional Resources
For help determining the best Cisco NX-OS Software release for a Cisco
Nexus Switch, administrators can refer to the following Recommended
Releases documents. If a security advisory recommends a later release,
Cisco recommends following the advisory guidance.
Cisco MDS Series Switches
Cisco Nexus 1000V for VMware Switch
Cisco Nexus 3000 Series and 3500 Series Switches
Cisco Nexus 5000 Series Switches
Cisco Nexus 5500 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches
Cisco Nexus 9000 Series ACI-Mode Switches
For help determining the best Cisco NX-OS Software release for Cisco UCS,
refer to the Recommended Releases documents in the release notes for the
device.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190515-nxos-cmdinj-1795
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2019-May-15 |
+----------+---------------------------+----------+--------+--------------+
- -------------------------------------------------------------------------------
Cisco FXOS and NX-OS Software Secure Configuration Bypass Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20190515-nxos-conf-bypass
First Published: 2019 May 15 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
CVE-2019-1728
CWE-347
CVSS Score:
6.7 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o
A vulnerability in the Secure Configuration Validation functionality of
Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated,
local attacker to run arbitrary commands at system boot time with the
privileges of root .
The vulnerability is due to a lack of proper validation of system files
when the persistent configuration information is read from the file system.
An attacker could exploit this vulnerability by authenticating to the
device and overwriting the persistent configuration storage with malicious
executable files. An exploit could allow the attacker to run arbitrary
commands at system startup and those commands will run as the root user.
The attacker must have valid administrative credentials for the device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190515-nxos-conf-bypass
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they are running
a vulnerable release of Cisco FXOS or NX-OS Software:
Firepower 4100 Series
Firepower 9300 Security Appliances
MDS 9000 Series Multilayer Switches
Nexus 3000 Series Switches
Nexus 3500 Platform Switches
Nexus 3600 Platform Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Switches in standalone NX-OS mode
Nexus 9500 R-Series Switching Platform
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
For information about which Cisco FXOS or NX-OS Software releases are
vulnerable, see the Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Firepower 2100 Series
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
(ACI) mode
UCS 6400 Series Fabric Interconnects
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license: https://www.cisco.com/c/en/us/products/
end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
No upgrade action is necessary for customers who have already applied a
recommended release to address the March 2019 Cisco FXOS and NX-OS Software
bundle. See Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software
Security Advisory Bundled Publication for a list of advisories in the
bundle.
Customers who have not applied a recommended release to address the March
2019 bundle are advised to upgrade to an appropriate release as indicated
in the applicable table in this section. In the following tables, the left
column lists Cisco FXOS and NX-OS Software releases. The right column
indicates the first release that includes the fix for this vulnerability.
Firepower 4100 Series and Firepower 9300 Security Appliances: CSCvi96584
Cisco FXOS Software Release First Fixed Release for This Vulnerability
Prior 2.4 2.4.1.101
2.4 2.4.1.101
MDS 9000 Series Multilayer Switches: CSCvi96578
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 8.1 8.1(1b)
8.1 8.1(1b)
8.2 8.3(1)
8.3 8.3(1)
Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
NX-OS Mode: CSCvh20223
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 7.0(3)I7 7.0(3)I7(3)
7.0(3)I7 7.0(3)I7(3)
9.2(1) Not vulnerable
Nexus 3500 Platform Switches: CSCvi96579
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 6.0(2)A8 6.0(2)A8(11)
6.0(2)A8 6.0(2)A8(11)
7.0(3) 7.0(3)I7(3)
9.2 Not vulnerable
Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform :
CSCvi96577
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
7.0(3) 7.0(3)F3(5)
9.2 Not vulnerable
Nexus 5500, 5600, and 6000 Series Switches: CSCvi96580
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 7.3 7.3(4)N1(1)
7.3 7.3(4)N1(1)
Nexus 7000 and 7700 Series Switches: CSCvi96578
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 6.2 6.2(22)
6.2 6.2(22)
7.2 7.3(3)D1(1)
7.3 7.3(3)D1(1)
8.0 8.3(1)
8.1 8.3(1)
8.2 8.3(1)
8.3 8.3(1)
UCS 6200 and 6300 Series Fabric Interconnects: CSCvi96583
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 4.0 4.0(1a)
4.0 4.0(1a)
Additional Resources
For help determining the best Cisco NX-OS Software release for a Cisco
Nexus Switch, administrators can refer to the following Recommended
Releases documents. If a security advisory recommends a later release,
Cisco recommends following the advisory guidance.
Cisco MDS Series Switches
Cisco Nexus 1000V for VMware Switch
Cisco Nexus 3000 Series and 3500 Series Switches
Cisco Nexus 5000 Series Switches
Cisco Nexus 5500 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches
Cisco Nexus 9000 Series ACI-Mode Switches
For help determining the best Cisco NX-OS Software release for Cisco UCS,
refer to the Recommended Releases documents in the release notes for the
device.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190515-nxos-conf-bypass
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2019-May-15 |
+----------+---------------------------+----------+--------+--------------+
- -------------------------------------------------------------------------------
Cisco FXOS and NX-OS Software Secure Configuration Bypass Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20190515-nxos-conf-bypass
First Published: 2019 May 15 16:00 GMT
Last Updated: 2020 February 24 13:57 GMT
Version 1.2: Final
Workarounds: No workarounds available
CVE-2019-1728
CWE-347
CVSS Score:
6.7 AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Summary
o
A vulnerability in the Secure Configuration Validation functionality of
Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated,
local attacker to run arbitrary commands at system boot time with the
privileges of root .
The vulnerability is due to a lack of proper validation of system files
when the persistent configuration information is read from the file system.
An attacker could exploit this vulnerability by authenticating to the
device and overwriting the persistent configuration storage with malicious
executable files. An exploit could allow the attacker to run arbitrary
commands at system startup and those commands will run as the root user.
The attacker must have valid administrative credentials for the device.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190515-nxos-conf-bypass
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they are running
a vulnerable release of Cisco FXOS or NX-OS Software:
Firepower 4100 Series
Firepower 9300 Security Appliances
MDS 9000 Series Multilayer Switches
Nexus 3000 Series Switches
Nexus 3500 Platform Switches
Nexus 3600 Platform Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Switches in standalone NX-OS mode
Nexus 9500 R-Series Switching Platform
For information about which Cisco FXOS or NX-OS Software releases are
vulnerable, see the Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Firepower 2100 Series
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
(ACI) mode
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
UCS 6400 Series Fabric Interconnects
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o Cisco has released free software updates that address the vulnerability
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license: https://www.cisco.com/c/en/us/products/
end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
No upgrade action is necessary for customers who have already applied a
recommended release to address the March 2019 Cisco FXOS and NX-OS Software
bundle. See Cisco Event Response: March 2019 Cisco FXOS and NX-OS Software
Security Advisory Bundled Publication for a list of advisories in the
bundle.
Customers who have not applied a recommended release to address the March
2019 bundle are advised to upgrade to an appropriate release as indicated
in the applicable table in this section. In the following tables, the left
column lists Cisco FXOS and NX-OS Software releases. The right column
indicates the first release that includes the fix for this vulnerability.
Firepower 4100 Series and Firepower 9300 Security Appliances: CSCvi96584
Cisco FXOS Software Release First Fixed Release for This Vulnerability
Prior 2.4 2.4.1.101
2.4 2.4.1.101
MDS 9000 Series Multilayer Switches: CSCvi96578
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 8.1 8.1(1b)
8.1 8.1(1b)
8.2 8.3(1)
8.3 8.3(1)
Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
NX-OS Mode: CSCvh20223
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 7.0(3)I7 7.0(3)I7(3)
7.0(3)I7 7.0(3)I7(3)
9.2(1) Not vulnerable
Nexus 3500 Platform Switches: CSCvi96579
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 6.0(2)A8 6.0(2)A8(11)
6.0(2)A8 6.0(2)A8(11)
7.0(3) 7.0(3)I7(3)
9.2 Not vulnerable
Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform :
CSCvi96577
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
7.0(3) 7.0(3)F3(5)
9.2 Not vulnerable
Nexus 5500, 5600, and 6000 Series Switches: CSCvi96580
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 7.3 7.3(4)N1(1)
7.3 7.3(4)N1(1)
Nexus 7000 and 7700 Series Switches: CSCvi96578
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 6.2 6.2(22)
6.2 6.2(22)
7.2 7.3(3)D1(1)
7.3 7.3(3)D1(1)
8.0 8.3(1)
8.1 8.3(1)
8.2 8.3(1)
8.3 8.3(1)
Additional Resources
For help determining the best Cisco NX-OS Software release for a Cisco
Nexus Switch, administrators can refer to the following Recommended
Releases documents. If a security advisory recommends a later release,
Cisco recommends following the advisory guidance.
Cisco MDS Series Switches
Cisco Nexus 1000V for VMware Switch
Cisco Nexus 3000 Series and 3500 Series Switches
Cisco Nexus 5000 Series Switches
Cisco Nexus 5500 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches
Cisco Nexus 9000 Series ACI-Mode Switches
For help determining the best Cisco NX-OS Software release for Cisco UCS,
refer to the Recommended Releases documents in the release notes for the
device.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190515-nxos-conf-bypass
Revision History
o +---------+---------------------+-------------+--------+------------------+
| Version | Description | Section | Status | Date |
+---------+---------------------+-------------+--------+------------------+
| | Removed the Bug | | | |
| 1.2 | identifier | General | Final | 2020-February-24 |
| | CSCvi96583 for UCS. | | | |
+---------+---------------------+-------------+--------+------------------+
| | Moved the UCS 6200 | | | |
| | and 6300 Series | Vulnerable | | |
| | Fabric | Products, | | |
| | Interconnects to | Products | | |
| 1.1 | the list in | Confirmed | Final | 2020-February-21 |
| | Products Confirmed | Not | | |
| | Not Vulnerable and | Vulnerable, | | |
| | removed fixed | Fixed | | |
| | software tables for | Software | | |
| | those products. | | | |
+---------+---------------------+-------------+--------+------------------+
| 1.0 | Initial public | - | Final | 2019-May-15 |
| | release. | | | |
+---------+---------------------+-------------+--------+------------------+
- -------------------------------------------------------------------------------
Cisco FXOS and NX-OS Software Simple Network Management Protocol Denial of
Service Vulnerability
Priority: High
Advisory ID: cisco-sa-20190515-nxos-snmp-dos
First Published: 2019 May 15 16:00 GMT
Last Updated: 2019 May 16 13:48 GMT
Version 1.1: Final
Workarounds: No workarounds availableCisco Bug IDs: CSCvc58707 CSCvd45657 CSCvn19457 CSCvn19463CSCvn19464 CSCvn19465 CSCvn19468 CSCvn19483
CVE-2019-1858
CWE-20
CVSS Score:
8.6 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Summary
o
A vulnerability in the Simple Network Management Protocol (SNMP) input
packet processor of Cisco FXOS Software and Cisco NX-OS Software could
allow an unauthenticated, remote attacker to cause the SNMP application to
leak system memory, which could cause an affected device to restart
unexpectedly.
The vulnerability is due to improper error handling when processing inbound
SNMP packets. An attacker could exploit this vulnerability by sending
multiple crafted SNMP packets to an affected device. A successful exploit
could allow the attacker to cause the SNMP application to leak system
memory because of an improperly handled error condition during packet
processing. Over time, this memory leak could cause the SNMP application to
restart multiple times, leading to a system-level restart and a denial of
service (DoS) condition.
Cisco has released software updates that address this vulnerability. There
are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190515-nxos-snmp-dos
Affected Products
o Vulnerable Products
This vulnerability affects the following Cisco products if they are running
a vulnerable release of Cisco FXOS or NX-OS Software:
Firepower 4100 Series
Firepower 9300 Security Appliances
MDS 9000 Series Multilayer Switches
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 3000 Series Switches
Nexus 3500 Platform Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
(ACI) mode
Nexus 9000 Series Switches in standalone NX-OS mode
Nexus 9500 R-Series Switching Platform
Determining the Status of SNMP
Administrators can determine whether SNMP is running on a device by using
the show running-config snmp command in the device CLI. If the command
returns output, SNMP is configured.
nxos-switch# show running-config snmp
.
.
.
snmp-server user admin network-admin auth md5 ***** priv ***** localizedkey
snmp-server community community-string group network-admin
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Cisco has confirmed that this vulnerability does not affect the following
Cisco products:
Firepower 2100 Series
Nexus 3600 Platform Switches
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
UCS 6400 Series Fabric Interconnects
Details
o SNMP is an application-layer protocol that provides a standardized
framework and a common language for monitoring and managing devices in a
network. It defines a message format for communication between SNMP
managers and agents.
An SNMP agent gathers data from the SNMP MIB, which is the repository of
information about device parameters and network data. It also responds to
requests from an SNMP manager to get or set data. An SNMP agent contains
MIB variables for which values can be requested or changed by an SNMP
manager by using get or set operations.
This vulnerability affects all versions of SNMP supported on the
device-Versions 1, 2c, and 3. An attacker could exploit this vulnerability
by sending a specific SNMP packet to an affected device via IPv4 or IPv6.
Only traffic directed to the affected system can be used to exploit this
vulnerability.
To exploit this vulnerability, the attacker does not always require valid
SNMP credentials for the affected system.
Indicators of Compromise
o Exploitation of this vulnerability could result in the following system log
error message:
%SYSMGR-2-SERVICE_CRASHED: Service "snmpd" (PID 25407) hasn't caught signal 6 (core will be saved).
In addition, there would be an snmpd core file on the device, which can be
viewed by using the show cores CLI command. If the snmpd core file is
present, customers are advised to contact the Cisco Technical Assistance
Center (TAC) to review the file and determine whether the vulnerability has
been exploited on the device.
# show cores
VDC Module Instance Process-name PID Date(Year-Month-Day Time)
--- ------ -------- --------------- -------- -------------------------
1 28 1 snmpd 25407 2017-03-07 14:15:23
Workarounds
o There are no workarounds that address this vulnerability.
As a mitigation for the vulnerability that is described in this advisory,
administrators can configure an access control list (ACL) on an SNMP
community to filter incoming SNMP requests to ensure that SNMP polling is
performed only by trusted SNMP clients. In the following example, the
device will accept incoming SNMP requests only from a single trusted host,
192.168.1.2:
switch# show access-list acl_for_snmp
IPV4 ACL acl_for_snmp
10 permit udp 192.168.1.2/32 192.168.1.3/32 eq snmp
To implement the preceding ACL, administrators can add it to the
snmp-server community configuration command:
switch# show running-config snmp
!Command: show running-config snmp
snmp-server community mycompany
use-acl acl_for_snmp
For additional information about configuring ACLs to filter incoming SNMP
requests, see Filtering SNMP Requests in the NX-OS Configuration Guide .
Fixed Software
o Cisco has released free software updates that address the vulnerabilities
described in this advisory. Customers may only install and expect support
for software versions and feature sets for which they have purchased a
license. By installing, downloading, accessing, or otherwise using such
software upgrades, customers agree to follow the terms of the Cisco
software license: https://www.cisco.com/c/en/us/products/
end-user-license-agreement.html
Additionally, customers may only download software for which they have a
valid license, procured from Cisco directly, or through a Cisco authorized
reseller or partner. In most cases this will be a maintenance upgrade to
software that was previously purchased. Free security software updates do
not entitle customers to a new software license, additional software
feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service
contract and customers who make purchases through third-party vendors but
are unsuccessful in obtaining fixed software through their point of sale
should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c
/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared
to provide the URL of this advisory as evidence of entitlement to a free
upgrade.
Fixed Releases
No upgrade action is necessary for products that are running Cisco NX-OS
Software for cases in which customers have already applied a recommended
Cisco NX-OS Software release to address the March 2019 Cisco FXOS and NX-OS
Software bundle. See Cisco Event Response: March 2019 Cisco FXOS and NX-OS
Software Security Advisory Bundled Publication for a list of advisories in
the bundle.
Customers who have not applied a recommended release to address the March
2019 bundle or who have devices that are running Cisco FXOS software are
advised to upgrade to an appropriate release as indicated in the applicable
table in this section. In the following tables, the left column lists Cisco
FXOS and NX-OS Software releases. The right column indicates the first
release that includes the fix for this vulnerability.
Firepower 4100 Series and Firepower 9300 Security Appliances: CSCvn19468
Cisco FXOS Software Release First Fixed Release for This Vulnerability
Prior 2.2 2.2.2.91
2.2 2.2.2.91
2.3 2.3.1.130
2.4 2.4.1.222
2.6 2.6.1.131
MDS 9000 Series Multilayer Switches: CSCvc58707
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
5.2 6.2(11)
6.2 6.2(11)
8.1 8.1(1)
8.2 Not vulnerable
8.3 Not vulnerable
Nexus 1000V Switch for Microsoft Hyper-V: CSCvn19483
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 5.2 5.2(1)SM3(2.1)
5.2 5.2(1)SM3(2.1)
Nexus 1000V Switch for VMware vSphere: CSCvn19463
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 5.2 5.2(1)SV3(4.1a)
5.2 5.2(1)SV3(4.1a)
Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
NX-OS Mode: CSCvd45657
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 7.0(3)I4 7.0(3)I4(8)
7.0(3)I4 7.0(3)I4(8)
7.0(3)I7 7.0(3)I7(2)
9.2(1) Not vulnerable
Nexus 3500 Platform Switches: CSCvn19464
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 6.0(2)A8 6.0(2)A8(4)
6.0(2)A8 6.0(2)A8(4)
7.0(3)I7 7.0(3)I7(2)
9.2 Not vulnerable
Nexus 5500, 5600, and 6000 Series Switches: CSCvn19465
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 7.1 7.1(5)N1(1b)
7.1 7.1(5)N1(1b)
7.3 7.3(4)N1(1a)
Nexus 7000 and 7700 Series Switches: CSCvc58707
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 6.2 6.2(10)
6.2 6.2(10)
7.2 7.2(0)D1(1)
7.3 Not vulnerable
8.0 8.1(1)
8.1 Not vulnerable
8.2 Not vulnerable
8.3 Not vulnerable
Nexus 9000 Series Fabric Switches in ACI Mode: CSCvn19457
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
Prior to 13.1 14.0(2c)
13.1 14.0(2c)
13.2 14.0(2c)
14.0 14.0(2c)
14.1 14.1(1i)
Nexus 9500 R-Series Switching Platform: CSCvd45657
Cisco NX-OS Software Release First Fixed Release for This Vulnerability
7.0(3) 7.0(3)F3(1)
9.2 Not vulnerable
Additional Resources
For help determining the best Cisco NX-OS Software release for a Cisco
Nexus Switch, administrators can refer to the following Recommended
Releases documents. If a security advisory recommends a later release,
Cisco recommends following the advisory guidance.
Cisco MDS Series Switches
Cisco Nexus 1000V for VMware Switch
Cisco Nexus 3000 Series and 3500 Series Switches
Cisco Nexus 5000 Series Switches
Cisco Nexus 5500 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches
Cisco Nexus 9000 Series ACI-Mode Switches
For help determining the best Cisco NX-OS Software release for Cisco UCS,
refer to the Recommended Releases documents in the release notes for the
device.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o This vulnerability was found during internal security testing.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190515-nxos-snmp-dos
Revision History
o +---------+--------------------------+-------------+--------+-------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+-------------+--------+-------------+
| 1.1 | Added mitigation. | Workarounds | Final | 2019-May-16 |
+---------+--------------------------+-------------+--------+-------------+
| 1.0 | Initial public release. | - | Final | 2019-May-15 |
+---------+--------------------------+-------------+--------+-------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXlRmf2aOgq3Tt24GAQjWQA/9E8ucdlm98iT06OgbbBsDIIZG3tsstoBB
hf5oEhyXB6Pl2Sut9eaUVOPcmcmU6gZXJwClIRyTk2Ml6amBnKhuGnG9ghkLA9cX
GuG9lXAe9sITfKAf/qvlAikRz4sQtz+6QPwAKrAoyF3PSXWA/EnXH+S+CXGxJvOn
+JiR8MB7A6qQduHU9d9jkDj2IFolpM2tIi+CiGlBdjaF3FItMTk6ntMZBGSwcSz7
8CU3Dbm9Y/h0WwROw9j01aPsFhaQSpXuNSsuQ4aHZpNEsG0QqvlkGsdSIzw7lxTJ
y1MkeXsZknweMgJZKIJvCLXMXZZhzYeO2xZFBv8GF8V6Ktpphyn//poYoy9ezNom
JRSBTB7n10d10KMqoHgMHLG9tqzf5xG8CVwGhXAjsX2OLFuJhNpLRO2zMHWHF04o
YDMBNWHJNl8037n7QncTiDeOcSSbrdLuvkPWVCJspwNgcR0PbQKPkV9spHOb0cAN
HVaCWQyeX+2UUc+xrSvhUGLpk5uI59bVQLIyRksDk63Irr4TcmYSRC4dL6CFPIfw
19kaa5Rmy0+UHJAV4ntI9M8Aytyq1/MC4OxVnZsdUsQSR79L1uJurK7f6Q/yuCbf
/+tlGgZF/qsCvaddg5OvUwFgQ/mEPINVKxkzpWOxicWan0HM1jRX1KOog55h6Vmk
VJpmpkWwksc=
=Kk89
-----END PGP SIGNATURE-----