-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.3276.2
                   Cisco FXOS and NX-OS security updates
                              10 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco NX-OS
                   Cisco FXOS
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service   -- Remote/Unauthenticated
                   Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1969 CVE-2019-1968 CVE-2019-1967
                   CVE-2019-1965 CVE-2019-1964 CVE-2019-1963
                   CVE-2019-1962  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-fxnxos-snmp-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-fsip-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-ipv6-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-api-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-ntp-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-memleak-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-snmp-bypass

Comment: This bulletin contains seven (7) Cisco Systems security advisories.

Revision History:  October 10 2019: Updated cisco-sa-20190828-fxnxos-snmp-dos/cisco-sa-20190828-nxos-fsip-dos/cisco-sa-20190828-nxos-ntp-dos/cisco-sa-20190828-nxos-memleak-dos
                   August  29 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco FXOS and NX-OS Software Authenticated Simple Network Management Protocol
Denial of Service Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190828-fxnxos-snmp-dos

First Published: 2019 August 28 16:00 GMT

Last Updated:    2019 October 8 14:45 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvn13270 CSCvn23529 CSCvn23531 CSCvn23532 CSCvn23534
                 CSCvn23535 CSCvn23536 CSCvn23537 CSCvn23538

CVE-2019-1963    

CWE-20

CVSS Score:
7.7  AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Simple Network Management Protocol (SNMP) input
    packet processor of Cisco FXOS Software and Cisco NX-OS Software could
    allow an authenticated, remote attacker to cause the SNMP application on an
    affected device to restart unexpectedly.

    The vulnerability is due to improper validation of Abstract Syntax Notation
    One (ASN.1)-encoded variables in SNMP packets. An attacker could exploit
    this vulnerability by sending a crafted SNMP packet to the SNMP daemon on
    the affected device. A successful exploit could allow the attacker to cause
    the SNMP application to restart multiple times, leading to a system-level
    restart and a denial of service (DoS) condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-fxnxos-snmp-dos

    This advisory is part of the August 2019 Cisco FXOS and NX-OS Software
    Security Advisory Bundled Publication, which includes five Cisco Security
    Advisories that describe five vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: August 2019 Cisco
    FXOS and NX-OS Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they have SNMP
    configured and they are running a vulnerable release of Cisco FXOS or NX-OS
    Software:

       Firepower 4100 Series
       Firepower 9300 Security Appliances
       MDS 9000 Series Multilayer Switches
       Nexus 1000 Virtual Edge for VMware vSphere
       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 3000 Series Switches
       Nexus 3500 Platform Switches
       Nexus 3600 Platform Switches
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 7000 Series Switches
       Nexus 7700 Series Switches
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode
       Nexus 9000 Series Switches in standalone NX-OS mode
       Nexus 9500 R-Series Switching Platform
       UCS 6200 Series Fabric Interconnects
       UCS 6300 Series Fabric Interconnects
       UCS 6400 Series Fabric Interconnects

    For information about which Cisco FXOS and NX-OS Software releases are
    vulnerable, see the Fixed Software section of this advisory.

    Determine the Status of SNMP

    The following subsections describe how to determine whether SNMP is running
    on a device.

    Determine the Status of SNMP for Cisco FXOS Software

    Administrators can determine whether SNMP is running on a device by using
    the show configuration | include snmp command in the device CLI. If the
    command returns output, SNMP is configured.

        fxos-switch# show configuration | include snmp
             enable snmp

    Determine the Status of SNMP for Cisco NX-OS Software

    Administrators can determine whether SNMP is running on a device by using
    the show running-config snmp command in the device CLI. If the command
    returns output, SNMP is configured.

        nxos-switch# show running-config snmp
        .
        .
        .
        snmp-server user admin network-admin auth md5 ***** priv ***** localizedkey
        snmp-server community community-string group network-admin

    Determine the Status of SNMP for Cisco UCS

    Administrators can determine whether SNMP is running on a device by using
    the show configuration | grep snmp command in the device CLI. If the
    command returns output, SNMP is configured.

        # show configuration | grep snmp
             enable snmp

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Firepower
    2100 Series.

Details

  o SNMP is an application-layer protocol that provides a standardized
    framework and a common language for monitoring and managing devices in a
    network. It defines a message format for communication between SNMP
    managers and agents.

    An SNMP agent gathers data from the SNMP MIB, which is the repository of
    information about device parameters and network data. It also responds to
    requests from an SNMP manager to get or set data. An SNMP agent contains
    MIB variables for which values can be requested or changed by an SNMP
    manager by using get or set operations.

    This vulnerability affects all versions of SNMP supported on the
    device: versions 1, 2c, and 3. An attacker could exploit this vulnerability
    by sending a specific SNMP packet to an affected device using IPv4 or IPv6.
    Only traffic directed to an affected system can be used to exploit this
    vulnerability. This vulnerability is not exploitable if the device is
    configured only to send SNMP traps.

    To exploit this vulnerability by using SNMP Version 2c or earlier, the
    attacker must know the SNMP read-only community string for the affected
    system. A community string is a password that is applied to a device to
    restrict both read-only and read-write access to the SNMP data on the
    device. These community strings, as with all passwords, should be chosen
    carefully to ensure that they are not trivial. They should also be changed
    at regular intervals and in accordance with network security policies. For
    example, the strings should be changed when a network administrator changes
    roles or leaves the organization.

    To exploit this vulnerability by using SNMP Version 3 (SNMPv3), the
    attacker must have SNMPv3 credentials for the affected system.

Workarounds

  o There are no workarounds that address this vulnerability.

    Mitigation for Cisco NX-OS Software

    As a mitigation for the vulnerability that is described in this advisory,
    administrators of systems that are running Cisco NX-OS Software can
    configure an access control list (ACL) on an SNMP community to filter
    incoming SNMP requests to ensure that SNMP polling is performed only by
    trusted SNMP clients. In the following example, the device will accept
    incoming SNMPv2c requests only from a single trusted host, 192.168.1.2:

        switch# show access-list acl_for_snmp
        IPV4 ACL acl_for_snmp
          10 permit udp 192.168.1.2/32 192.168.1.3/32 eq snmp

    To implement the preceding ACL, administrators can add it to the
    snmp-server community configuration command:

        switch# show running-config snmp
        !Command: show running-config snmp
        snmp-server community mycompany use-acl acl_for_snmp

    For additional information about configuring ACLs to filter incoming SNMP
    requests, see Filtering SNMP Requests in the Cisco NX-OS Configuration
    Guide.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/
    end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. To help ensure a complete upgrade
    solution, customers should consider that this advisory is part of a bundled
    publication. The following page provides a complete list of bundle
    advisories: Cisco Event Response: August 2019 Cisco FXOS and NX-OS Software
    Security Advisory Bundled Publication.

    In the following table(s), the left column lists releases of Cisco FXOS
    Software or Cisco NX-OS Software. The center column indicates whether a
    release is affected by the vulnerability described in this advisory and the
    first release that includes the fix for this vulnerability. The right
    column indicates whether a release is affected by all the vulnerabilities
    described in this bundle and which release includes fixes for those
    vulnerabilities.

    Firepower 4100 Series and Firepower 9300 Security Appliances: CSCvn23536

    Cisco FXOS         First Fixed Release   First Fixed Release for All
    Software           for This              Vulnerabilities Described in the Bundle
    Release            Vulnerability         of Advisories
    Earlier than 2.2   2.2.2.91              2.2.2.91
    2.2                2.2.2.91              2.2.2.91
    2.3                2.3.1.130             2.3.1.130
    2.4                2.4.1.222             2.4.1.222
    2.6                Not vulnerable        Not vulnerable

    MDS 9000 Series Multilayer Switches: CSCvn23531

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    5.2            6.2(29)              6.2(29)
    6.2            6.2(29)              6.2(29)
    7.3            8.3(2)               8.4(1)
    8.1            8.3(2)               8.4(1)
    8.2            8.3(2)               8.4(1)
    8.3            8.3(2)               8.4(1)
    8.4            Not vulnerable       Not vulnerable

    Nexus 1000 Virtual Edge for VMware vSphere: CSCvn23532

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    5.2            5.2(1)SV5(1.2)       5.2(1)SV5(1.2)

    Nexus 1000V Switch for Microsoft Hyper-V: CSCvn23537

    Cisco NX-OS        First Fixed Release  First Fixed Release for All
    Software           for This             Vulnerabilities Described in the Bundle
    Release            Vulnerability        of Advisories
    Earlier than 5.2   No fix at this time  No fix at this time
    5.2                No fix at this time  No fix at this time

    Nexus 1000V Switch for VMware vSphere: CSCvn23532

    Cisco NX-OS        First Fixed Release  First Fixed Release for All
    Software           for This             Vulnerabilities Described in the Bundle
    Release            Vulnerability        of Advisories
    Earlier than 5.2   5.2(1)SV3(4.1a)      5.2(1)SV3(4.1a)
    5.2                5.2(1)SV3(4.1a)      5.2(1)SV3(4.1a)

    Nexus 3000 Series Switches, Nexus 3500 Platform Switches, and Nexus 9000
    Series Switches in Standalone NX-OS Mode: CSCvn13270

    Cisco NX-OS                First Fixed Release  First Fixed Release for All
    Software                   for This             Vulnerabilities Described in the Bundle
    Release                    Vulnerability        of Advisories
    Earlier than 7.0(3)I4 ^2   Not vulnerable       7.0(3)I4(9) ^2
    7.0(3)I4 ^2                7.0(3)I4(9) ^2       7.0(3)I4(9) ^2
    7.0(3)I7                   7.0(3)I7(6)          7.0(3)I7(6)
    9.2                        9.2(3)               9.2(3)
    9.3                        Not vulnerable       Not vulnerable

    ^2 The 7.0(3)I4 code train is not applicable to Nexus 3500 Platform
    Switches.

    Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform:  
    CSCvn13270

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    7.0(3)F        9.2(3)               9.2(3)
    9.2            9.2(3)               9.2(3)
    9.3            Not vulnerable       Not vulnerable

    Nexus 5500 and 5600 Platform Switches and Nexus 6000 Series Switches: 
    CSCvn23534

    Cisco NX-OS        First Fixed Release  First Fixed Release for All
    Software           for This             Vulnerabilities Described in the Bundle
    Release            Vulnerability        of Advisories
    Earlier than 7.1   7.1(5)N1(1b)         7.1(5)N1(1b)
    7.1                7.1(5)N1(1b)         7.1(5)N1(1b)
    7.3                7.3(5)N1(1)          7.3(5)N1(1)

    Nexus 7000 and 7700 Series Switches: CSCvn23531

    Cisco NX-OS        First Fixed Release  First Fixed Release for All
    Software           for This             Vulnerabilities Described in the Bundle
    Release            Vulnerability        of Advisories
    Earlier than 6.2   6.2(22)              6.2(22)
    6.2                6.2(22)              6.2(22)
    7.2                7.3(4)D1(1)          7.3(4)D1(1)
    7.3                7.3(4)D1(1)          7.3(4)D1(1)
    8.0                8.2(3)               8.2(3)
    8.1                8.2(3)               8.2(3)
    8.2                8.2(3)               8.2(3)
    8.3                8.3(2)               8.4(1)
    8.4                Not vulnerable       Not vulnerable

    Nexus 9000 Series Fabric Switches in ACI Mode: CSCvn23529

    Cisco NX-OS         First Fixed Release  First Fixed Release for All
    Software            for This             Vulnerabilities Described in the Bundle
    Release             Vulnerability        of Advisories
    Earlier than 13.1   13.2(7k)             13.2(7k)
    13.1                13.2(7k)             13.2(7k)
    13.2                13.2(7k)             13.2(7k)
    14.0                14.0(2c)             14.0(2c)
    14.1                14.1(1i)             14.1(1i)

    UCS 6200, 6300, and 6400 Series Fabric Interconnects: CSCvn23535 and 
    CSCvn23538

    Cisco NX-OS        First Fixed Release  First Fixed Release for All
    Software           for This             Vulnerabilities Described in the Bundle
    Release            Vulnerability        of Advisories
    Earlier than 3.2   3.2(3l)              3.2(3l)
    3.2                3.2(3l)              3.2(3l)
    4.0                4.0(4e)              4.0(4e)


    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco
    Nexus Switch, administrators can refer to the following Recommended
    Releases documents. If a security advisory recommends a later release,
    Cisco recommends following the advisory guidance.

        Cisco MDS Series Switches
        Cisco Nexus 1000V for VMware Switch
        Cisco Nexus 3000 Series and 3500 Series Switches
        Cisco Nexus 5000 Series Switches
        Cisco Nexus 5500 Platform Switches
        Cisco Nexus 6000 Series Switches
        Cisco Nexus 7000 Series Switches
        Cisco Nexus 9000 Series Switches
        Cisco Nexus 9000 Series ACI-Mode Switches

    For help determining the best Cisco NX-OS Software release for Cisco UCS,
    refer to the Recommended Releases documents in the release notes for the
    device.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: August 2019 Cisco FXOS and NX-OS Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-fxnxos-snmp-dos

Revision History

  o +---------+-------------------------+----------+--------+-----------------+
    | Version |       Description       | Section  | Status |      Date       |
    +---------+-------------------------+----------+--------+-----------------+
    | 1.1     | Updated the MDS and UCS | Fixed    | Final  | 2019-October-08 |
    |         | fixed release tables.   | Software |        |                 |
    +---------+-------------------------+----------+--------+-----------------+
    | 1.0     | Initial public release. | -        | Final  | 2019-August-28  |
    +---------+-------------------------+----------+--------+-----------------+

- --------------------------------------------------------------------------------

Cisco NX-OS Software Cisco Fabric Services over IP Denial of Service
Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190828-nxos-fsip-dos

First Published: 2019 August 28 16:00 GMT

Last Updated:    2019 October 8 14:45 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

CVE-2019-1962    

CWE-20

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Cisco Fabric Services component of Cisco NX-OS
    Software could allow an unauthenticated, remote attacker to cause process
    crashes, which can result in a denial of service (DoS) condition on an
    affected system.

    The vulnerability is due to insufficient validation of TCP packets when
    processed by the Cisco Fabric Services over IP (CFSoIP) feature. An
    attacker could exploit this vulnerability by sending a malicious Cisco
    Fabric Services TCP packet to an affected device. A successful exploit
    could allow the attacker to cause process crashes, resulting in a device
    reload and a DoS condition.

    Note: There are three distribution methods that can be configured for Cisco
    Fabric Services. This vulnerability affects only distribution method
    CFSoIP, which is disabled by default. See the Details section for more
    information.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-fsip-dos

    This advisory is part of the August 2019 Cisco FXOS and NX-OS Software
    Security Advisory Bundled Publication, which includes five Cisco Security
    Advisories that describe five vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: August 2019 Cisco
    FXOS and NX-OS Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running
    a vulnerable release of Cisco NX-OS Software with CFSoIP enabled:

       MDS 9000 Series Multilayer Switches
       Nexus 3000 Series Switches
       Nexus 3500 Platform Switches
       Nexus 3600 Platform Switches
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 7000 Series Switches
       Nexus 7700 Series Switches
       Nexus 9000 Series Switches in standalone NX-OS mode
       Nexus 9500 R-Series Switching Platform
       UCS 6200 Series Fabric Interconnects
       UCS 6300 Series Fabric Interconnects

    Administrators can display the distribution status of Cisco Fabric Services
    for a device by using the show cfs status command in the device CLI, as
    shown in the following example:

        switch# show cfs status
        Distribution : Enabled
        Distribution over IP : Disabled
        IPv4 multicast address : 239.255.70.83
        IPv6 multicast address : ff15::efff:4653
        Distribution over Ethernet : Disabled

    In the preceding example, the Enabled value in the Distribution field of
    the command output indicates that Cisco Fabric Services is enabled for the
    device and the device is configured to use the default Cisco Fabric
    Services distribution type, which is CFSoFC. The Disabled value in the
    Distribution over IP field and the Distribution over Ethernet field
    indicates that the device is not configured to use the CFSoIP and CFSoE
    distribution types.

    For information about which Cisco NX-OS Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 1000 Virtual Edge for VMware vSphere
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode
       UCS 6400 Series Fabric Interconnects

Details

  o Cisco Fabric Services provides a common infrastructure for distributing and
    synchronizing configuration data between Cisco devices that are on the same
    network and with virtual port channels (vPCs). This includes configuration
    data for applications and features that are compatible with and enabled to
    use Cisco Fabric Services, for example, Distributed Device Alias Services,
    Network Time Protocol (NTP), and user and administrator roles. To
    distribute and synchronize data, Cisco Fabric Services can be configured to
    use any of the following distribution types:

    Cisco Fabric Services over Fibre Channel (CFSoFC) - Distributes data over a
    Fibre Channel (FC) fabric, such as a virtual storage area network (VSAN).
    CFSoFC distribution is enabled by default.

    Cisco Fabric Services over Ethernet (CFSoE) - Distributes data over an
    Ethernet network. For vPC support, Cisco Fabric Services must be configured
    to use this distribution type. CFSoE distribution is disabled by default.

    Cisco Fabric Services over IP (CFSoIP) - Distributes data over an IPv4 or
    IPv6 network. CFSoIP distribution is disabled by default.

    Note: The vulnerability described in this advisory is due to insufficient
    input validation that could occur when the affected software processes
    CFSoIP TCP packets received during distribution and synchronization
    operations. An attack is possible from any node that has IP network
    connectivity to the management interface of an affected device and cannot
    occur from the data plane.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. To help ensure a complete upgrade
    solution, customers should consider that this advisory is part of a bundled
    publication. The following page provides a complete list of bundle
    advisories: Cisco Event Response: August 2019 Cisco FXOS and NX-OS Software
    Security Advisory Bundled Publication.

    In the following table(s), the left column lists releases of Cisco FXOS
    Software or Cisco NX-OS Software. The center column indicates whether a
    release is affected by the vulnerability described in this advisory and the
    first release that includes the fix for this vulnerability. The right
    column indicates whether a release is affected by all the vulnerabilities
    described in this bundle and which release includes fixes for those
    vulnerabilities.

    MDS 9000 Series Multilayer Switches: CSCva64492

    Cisco NX-OS First Fixed      First Fixed Release for All
    Software    Release for This Vulnerabilities Described in
    Release     Vulnerability    the Bundle of Advisories
    5.2         6.2(25)          6.2(29)
    6.2         6.2(25)          6.2(29)
    7.3         8.1(1)           8.4(1)
    8.1         Not vulnerable   8.4(1)
    8.2         Not vulnerable   8.4(1)
    8.3         Not vulnerable   8.4(1)
    8.4         Not vulnerable   Not vulnerable

    Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
    NX-OS Mode: CSCvj59058

    Cisco NX-OS             First Fixed      First Fixed Release for All
    Software                Release for This Vulnerabilities Described in
    Release                 Vulnerability    the Bundle of Advisories
    Earlier than 7.0(3)I4   7.0(3)I4(9)      7.0(3)I4(9)
    7.0(3)I4                7.0(3)I4(9)      7.0(3)I4(9)
    7.0(3)I7                7.0(3)I7(4)      7.0(3)I7(6)
    9.2                     Not vulnerable   9.2(3)
    9.3                     Not vulnerable   Not vulnerable

    Nexus 3500 Platform Switches: CSCvk70631

    Cisco NX-OS             First Fixed      First Fixed Release for All
    Software                Release for This Vulnerabilities Described in
    Release                 Vulnerability    the Bundle of Advisories
    Earlier than 6.0(2)A8   6.0(2)A8(10)     6.0(2)A8(11)
    6.0(2)A8                6.0(2)A8(10)     6.0(2)A8(11)
    7.0(3)I7                7.0(3)I7(4)      7.0(3)I7(6)
    9.2                     Not vulnerable   9.2(3)
    9.3                     Not vulnerable   Not vulnerable

    Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform: 
    CSCvk70625

    Cisco NX-OS First Fixed      First Fixed Release for All
    Software    Release for This Vulnerabilities Described in
    Release     Vulnerability    the Bundle of Advisories
    7.0(3)      7.0(3)F3(3c) ^1  9.2(3)
    9.2         Not vulnerable   9.2(3)
    9.3         Not vulnerable   Not vulnerable

    ^1 This vulnerability is not fixed in 7.0(3)F3(4) but is fixed in
    7.0(3)F3(5).

    Nexus 5500, 5600, and 6000 Series Switches: CSCvk70632

    Cisco NX-OS Software   First Fixed      First Fixed Release for All
    Release                Release for This Vulnerabilities Described in
                           Vulnerability    the Bundle of Advisories
    Earlier than 7.1       7.1(5)N1(1b)     7.1(5)N1(1b)
    7.1                    7.1(5)N1(1b)     7.1(5)N1(1b)
    7.3                    7.3(4)N1(1)      7.3(5)N1(1)

    Nexus 7000 and 7700 Series Switches: CSCva64492

    Cisco NX-OS Software   First Fixed      First Fixed Release for All
    Release                Release for This Vulnerabilities Described in
                           Vulnerability    the Bundle of Advisories
    Earlier than 6.2       6.2(22)          6.2(22)
    6.2                    6.2(22)          6.2(22)
    7.2                    7.3(3)D1(1)      7.3(4)D1(1)
    7.3                    7.3(3)D1(1)      7.3(4)D1(1)
    8.0                    Not vulnerable   8.2(3)
    8.1                    Not vulnerable   8.2(3)
    8.2                    Not vulnerable   8.2(3)
    8.3                    Not vulnerable   8.4(1)
    8.4                    Not vulnerable   Not vulnerable

    UCS 6200 and 6300 Series Fabric Interconnects: CSCvk70633

    Cisco NX-OS Software   First Fixed      First Fixed Release for All
    Release                Release for This Vulnerabilities Described in
                           Vulnerability    the Bundle of Advisories
    Earlier than 3.2       3.2(3l)          3.2(3l)
    3.2                    3.2(3l)          3.2(3l)
    4.0                    4.0(2d)          4.0(4e)


    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco
    Nexus Switch, administrators can refer to the following Recommended
    Releases documents. If a security advisory recommends a later release,
    Cisco recommends following the advisory guidance.

        Cisco MDS Series Switches
        Cisco Nexus 1000V for VMware Switch
        Cisco Nexus 3000 Series and 3500 Series Switches
        Cisco Nexus 5000 Series Switches
        Cisco Nexus 5500 Platform Switches
        Cisco Nexus 6000 Series Switches
        Cisco Nexus 7000 Series Switches
        Cisco Nexus 9000 Series Switches
        Cisco Nexus 9000 Series ACI-Mode Switches

    For help determining the best Cisco NX-OS Software release for Cisco UCS,
    refer to the Recommended Releases documents in the release notes for the
    device.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: August 2019 Cisco FXOS and NX-OS Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-fsip-dos

Revision History

  o +---------+------------------------+-----------+--------+-----------------+
    | Version |      Description       |  Section  | Status |      Date       |
    +---------+------------------------+-----------+--------+-----------------+
    |         | Updated the MDS and    | Fixed     |        |                 |
    | 1.1     | UCS fixed release      | Software. | Final  | 2019-October-08 |
    |         | tables.                |           |        |                 |
    +---------+------------------------+-----------+--------+-----------------+
    | 1.0     | Initial public         | -         | Final  | 2019-August-28  |
    |         | release.               |           |        |                 |
    +---------+------------------------+-----------+--------+-----------------+



- --------------------------------------------------------------------------------

Cisco NX-OS Software IPv6 Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190828-nxos-ipv6-dos
First Published: 2019 August 28 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvn46719

CVE-2019-1964    

CWE-20

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the IPv6 traffic processing of Cisco NX-OS Software
    could allow an unauthenticated, remote attacker to cause an unexpected
    restart of the netstack process on an affected device.

    The vulnerability is due to improper validation of IPv6 traffic sent
    through an affected device. An attacker could exploit this vulnerability by
    sending a malformed IPv6 packet through an affected device. A successful
    exploit could allow the attacker to cause a denial of service (DoS)
    condition while the netstack process restarts. A sustained attack could
    lead to a reboot of the device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-ipv6-dos

    This advisory is part of the August 2019 Cisco FXOS and NX-OS Software
    Security Advisory Bundled Publication, which includes five Cisco Security
    Advisories that describe five vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: August 2019 Cisco
    FXOS and NX-OS Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running
    a vulnerable release of Cisco NX-OS Software:

       Nexus 7000 Series Switches
       Nexus 7700 Series Switches

    For information about which Cisco NX-OS Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       MDS 9000 Series Multilayer Switches
       Nexus 1000 Virtual Edge for VMware vSphere
       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 3000 Series Switches
       Nexus 3500 Platform Switches
       Nexus 3600 Platform Switches
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode
       Nexus 9000 Series Switches in standalone NX-OS mode
       Nexus 9500 R-Series Switching Platform
       UCS 6200 Series Fabric Interconnects
       UCS 6300 Series Fabric Interconnects
       UCS 6400 Series Fabric Interconnects

Indicators of Compromise

  o Exploitation of this vulnerability could cause an affected device to
    generate a core file of the /isan/bin/routing-sw/netstack process. To view
    device core files, administrators can use the show core command in the
    NX-OS CLI. To determine whether the device has been compromised by
    exploitation of this vulnerability, administrators are advised to contact
    the Cisco Technical Assistance Center (TAC) to review the core files.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. To help ensure a complete upgrade
    solution, customers should consider that this advisory is part of a bundled
    publication. The following page provides a complete list of bundle
    advisories: Cisco Event Response: August 2019 Cisco FXOS and NX-OS Software
    Security Advisory Bundled Publication.

    In the following table(s), the left column lists releases of Cisco FXOS
    Software or Cisco NX-OS Software. The center column indicates whether a
    release is affected by the vulnerability described in this advisory and the
    first release that includes the fix for this vulnerability. The right
    column indicates whether a release is affected by all the vulnerabilities
    described in this bundle and which release includes fixes for those
    vulnerabilities.

    Nexus 7000 and 7700 Series Switches: CSCvn46719

    Cisco NX-OS Software   First Fixed Release for This        First Fixed Release for All
    Release                Vulnerability                       Vulnerabilities Described in
                                                               the Bundle of Advisories
    Earlier than 8.1       Not vulnerable                      Not vulnerable
    8.1                    8.2(3)                              8.2(3)
    8.2                    8.2(3)                              8.2(3)
    8.3                    Maintenance Upgrade                 8.4(1)
                           n7000-s2-dk9.8.3.2.CSCvn46719.bin
    8.4                    Not vulnerable                      Not vulnerable
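    The table above is the whole remediation decision for this bug, but NX-OS
    release strings such as 7.0(3)I7(4) or 7.3(3)D1(1) do not sort as plain
    numbers, so scripting the check is where mistakes happen. The following
    Python is an added example, not Cisco tooling: it tokenises a release
    string, compares two releases, and applies the Nexus 7000/7700 rows for
    CSCvn46719 to the version line of show version. The show version line
    layout and the sample output are assumptions, as is the hostname; the
    check cannot see whether the 8.3 maintenance upgrade has been installed,
    so every 8.3 device is flagged for manual verification.

```python
import re
from typing import List, Optional, Tuple, Union

Token = Union[int, str]

def parse_release(release: str) -> List[Token]:
    """Split an NX-OS release string into comparable tokens.

    '7.0(3)I7(4)' -> [7, 0, 3, 'I', 7, 4]    '8.2(3)' -> [8, 2, 3]
    Numbers compare numerically, train letters (I, D, N, F, A, U) as text."""
    parts = re.findall(r"\d+|[A-Za-z]+", release)
    if not parts or not parts[0].isdigit():
        raise ValueError(f"not an NX-OS release string: {release!r}")
    return [int(p) if p.isdigit() else p.upper() for p in parts]

def compare_release(a: str, b: str) -> int:
    """Return -1, 0 or 1 as release a sorts before, equal to, or after b."""
    ta, tb = parse_release(a), parse_release(b)
    for x, y in zip(ta, tb):
        if x == y:
            continue
        # A number against a letter at the same position means different
        # trains; fall back to a text comparison rather than raising.
        if type(x) is not type(y):
            x, y = str(x), str(y)
        return -1 if x < y else 1
    # Same prefix: a bare train such as '8.3' sorts before its point releases.
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def release_train(release: str) -> str:
    """'8.2(3)' -> '8.2', the key used in the left column of the table."""
    major, minor = parse_release(release)[:2]
    return f"{major}.{minor}"

# Nexus 7000/7700 rows for CSCvn46719, copied from the table above. 8.3 is
# fixed by a maintenance upgrade (n7000-s2-dk9.8.3.2.CSCvn46719.bin), not by
# a later 8.3 point release, so it is handled separately.
FIRST_FIXED_N7K_CSCVN46719 = {"8.1": "8.2(3)", "8.2": "8.2(3)"}
SMU_TRAIN = "8.3"

def assess_n7k_ipv6(release: str) -> Tuple[bool, str]:
    """(vulnerable, action) for a Nexus 7000/7700 running the given release."""
    train = release_train(release)
    if compare_release(train, "8.1") < 0:
        return False, "release trains earlier than 8.1 are not vulnerable"
    if compare_release(train, "8.4") >= 0:
        return False, "8.4 and later are not vulnerable"
    if train == SMU_TRAIN:
        return True, ("apply n7000-s2-dk9.8.3.2.CSCvn46719.bin or move to 8.4(1); "
                      "installed maintenance upgrades are not visible to this check")
    fixed = FIRST_FIXED_N7K_CSCVN46719[train]
    if compare_release(release, fixed) >= 0:
        return False, f"at or beyond first fixed release {fixed}"
    return True, f"upgrade to {fixed}"

# Assumed layout of the version line in 'show version'; it differs by platform.
VERSION_LINE_RE = re.compile(r"^\s*(?:system|NXOS):\s+version\s+(\S+)", re.M)

def release_from_show_version(output: str) -> Optional[str]:
    m = VERSION_LINE_RE.search(output)
    return m.group(1) if m else None

# Constructed excerpt of 'show version' from a hypothetical Nexus 7700.
SAMPLE_SHOW_VERSION = """\
Software
  BIOS:      version 2.12.0
  kickstart: version 8.2(1)
  system:    version 8.2(1)
"""

if __name__ == "__main__":
    rel = release_from_show_version(SAMPLE_SHOW_VERSION)
    print(rel, assess_n7k_ipv6(rel))
```

    The same parser and comparison serve the other tables on this page; only
    the dictionary of first-fixed releases changes per platform and bug ID.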

    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco
    Nexus Switch, administrators can refer to the following Recommended
    Releases documents. If a security advisory recommends a later release,
    Cisco recommends following the advisory guidance.

        Cisco MDS Series Switches
        Cisco Nexus 1000V for VMware Switch
        Cisco Nexus 3000 Series and 3500 Series Switches
        Cisco Nexus 5000 Series Switches
        Cisco Nexus 5500 Platform Switches
        Cisco Nexus 6000 Series Switches
        Cisco Nexus 7000 Series Switches
        Cisco Nexus 9000 Series Switches
        Cisco Nexus 9000 Series ACI-Mode Switches

    For help determining the best Cisco NX-OS Software release for Cisco UCS,
    refer to the Recommended Releases documents in the release notes for the
    device.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Related to This Advisory

  o ERP-72243

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-ipv6-dos

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version |       Description        | Section | Status |      Date       |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-28  |
    +---------+--------------------------+---------+--------+-----------------+

- --------------------------------------------------------------------------------

Cisco NX-OS Software NX-API Denial of Service Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-20190828-nxos-api-dos
First Published: 2019 August 28 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvn26502 CSCvn31273 CSCvn57900

CVE-2019-1968    

CVSS Score:
5.3  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:X

Summary

  o A vulnerability in the NX-API feature of Cisco NX-OS Software could allow
    an unauthenticated, remote attacker to cause an NX-API system process to
    unexpectedly restart.

    The vulnerability is due to incorrect validation of the HTTP header of a
    request that is sent to the NX-API. An attacker could exploit this
    vulnerability by sending a crafted HTTP request to the NX-API on an
    affected device. A successful exploit could allow the attacker to cause a
    denial of service (DoS) condition in the NX-API service; however, the NX-OS
    device itself would still be available and passing network traffic.

    Note: The NX-API feature is disabled by default.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-api-dos

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected the following Cisco
    products if they were running a vulnerable release of Cisco NX-OS Software
    and had the NX-API feature enabled:

       MDS 9000 Series Multilayer Switches
       Nexus 3000 Series Switches
       Nexus 3500 Platform Switches
       Nexus 3600 Platform Switches
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 7000 Series Switches
       Nexus 7700 Series Switches
       Nexus 9000 Series Switches in standalone NX-OS mode
       Nexus 9500 R-Series Switching Platform

    For information about which Cisco NX-OS Software releases were vulnerable
    at the time of publication, see the Fixed Software section of this
    advisory. See the Details section in the bug ID(s) at the top of this
    advisory for the most complete and current information.

    This vulnerability affects only Cisco NX-OS devices that have the NX-API
    feature enabled. The NX-API feature is disabled by default. To determine
    whether an affected device is configured with the NX-API feature enabled,
    administrators can use the show feature | include nxapi command from the
    Cisco NX-OS CLI and verify that the feature is enabled. The following
    example shows the NX-API feature enabled on a device that is running Cisco
    NX-OS Software:

        nxos-switch# show feature | include nxapi
        nxapi                1        enabled

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       Nexus 1000 Virtual Edge for VMware vSphere
       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode
       UCS 6200 Series Fabric Interconnects
       UCS 6300 Series Fabric Interconnects
       UCS 6400 Series Fabric Interconnects

Details

  o To exploit this vulnerability, a remote attacker must be able to send a
    crafted HTTP or HTTPS request to the NX-API service on an affected device.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following
    table(s) was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    MDS 9000 Series Multilayer Switches: CSCvn26502

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    5.2                            Not vulnerable
    6.2                            Not vulnerable
    7.3                            8.3(2)
    8.1                            8.3(2)
    8.2                            8.3(2)
    8.3                            8.3(2)
    8.4                            Not vulnerable

    Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
    NX-OS Mode: CSCvn31273

    Cisco NX-OS Software Release       First Fixed Release for This Vulnerability
    Earlier than 6.0(2)U4              Not vulnerable
    6.0(2)U4, 6.0(2)U5, and 6.0(2)U6   7.0(3)I4(9)
    6.1(2)I1                           Not vulnerable
    6.1(2)I2 and 6.1(2)I3              7.0(3)I4(9)
    7.0(3)I4                           7.0(3)I4(9)
    7.0(3)I7                           7.0(3)I7(6)
    9.2                                9.2(3)
    9.3                                Not vulnerable

    Nexus 3500 Platform Switches: CSCvn31273

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    Earlier than 6.0(2)A           Not vulnerable
    6.0(2)A8                       6.0(2)A8(11a)
    7.0(3)I7                       7.0(3)I7(6)
    9.2                            9.2(3)
    9.3                            Not vulnerable

    Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform: 
    CSCvn31273

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    7.0(3)F                        9.2(3)
    9.2                            9.2(3)
    9.3                            Not vulnerable

    Nexus 5500 and 5600 Platform Switches and Nexus 6000 Series Switches: 
    CSCvn57900

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    Earlier than 7.1               Not vulnerable
    7.1                            7.3(5)N1(1)
    7.2                            7.3(5)N1(1)
    7.3                            7.3(5)N1(1)

    Nexus 7000 and 7700 Series Switches: CSCvn26502

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    Earlier than 6.2               Not vulnerable
    6.2                            Not vulnerable
    7.2                            7.3(4)D1(1)
    7.3                            7.3(4)D1(1)
    8.0                            8.2(3)
    8.1                            8.2(3)
    8.2                            8.2(3)
    8.3                            8.3(2)
    8.4                            Not vulnerable


    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco
    Nexus Switch, administrators can refer to the following Recommended
    Releases documents. If a security advisory recommends a later release,
    Cisco recommends following the advisory guidance.

        Cisco MDS Series Switches
        Cisco Nexus 1000V for VMware Switch
        Cisco Nexus 3000 Series and 3500 Series Switches
        Cisco Nexus 5000 Series Switches
        Cisco Nexus 5500 Platform Switches
        Cisco Nexus 6000 Series Switches
        Cisco Nexus 7000 Series Switches
        Cisco Nexus 9000 Series Switches
        Cisco Nexus 9000 Series ACI-Mode Switches

    For help determining the best Cisco NX-OS Software release for Cisco UCS,
    refer to the Recommended Releases documents in the release notes for the
    device.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-api-dos

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version |       Description        | Section | Status |      Date       |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-28  |
    +---------+--------------------------+---------+--------+-----------------+

- --------------------------------------------------------------------------------

Cisco NX-OS Software Network Time Protocol Denial of Service Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-20190828-nxos-ntp-dos
First Published: 2019 August 28 16:00 GMT
Last Updated:    2019 October 8 14:45 GMT
Version 1.1:     Final
Workarounds:     Yes

Cisco Bug IDs:   CSCvm35740 CSCvm51138 CSCvm51139 CSCvm51142

CVE-2019-1967    

CWE-399

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Network Time Protocol (NTP) feature of Cisco NX-OS
    Software could allow an unauthenticated, remote attacker to cause a denial
    of service (DoS) condition on an affected device.

    The vulnerability is due to excessive use of system resources when the
    affected device is logging a drop action for received MODE_PRIVATE (Mode 7)
    NTP packets. An attacker could exploit this vulnerability by flooding the
    device with a steady stream of Mode 7 NTP packets. A successful exploit
    could allow the attacker to cause high CPU and memory usage on the affected
    device, which could cause internal system processes to restart or cause the
    affected device to unexpectedly reload.

    Note: The NTP feature is enabled by default.

    Cisco has released software updates that address this vulnerability. There
    are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-ntp-dos

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected the following Cisco
    products if they were running a vulnerable release of Cisco NX-OS Software
    and had the NTP feature enabled:
       MDS 9000 Series Multilayer Switches
       Nexus 3000 Series Switches
       Nexus 3500 Platform Switches
       Nexus 3600 Platform Switches
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 7000 Series Switches
       Nexus 7700 Series Switches
       Nexus 9000 Series Switches in standalone NX-OS mode
       Nexus 9500 R-Series Switching Platform

    For information about which Cisco NX-OS Software releases were vulnerable
    at the time of publication, see the Fixed Software section of this
    advisory. See the Details section in the bug ID(s) at the top of this
    advisory for the most complete and current information.

    The NTP feature is enabled by default. Administrators can use the show
    running-config | include "feature ntp" command from the Cisco NX-OS CLI to
    verify whether the NTP feature has been manually disabled. If the command
    returns empty output, the NTP feature is enabled and the device is
    vulnerable. If the command returns the following output, the NTP feature is
    disabled and the device is not vulnerable:

        nxos-switch# show running-config | include "feature ntp"
        no feature ntp

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       Nexus 1000 Virtual Edge for VMware vSphere
       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode
       UCS 6200 Series Fabric Interconnects
       UCS 6300 Series Fabric Interconnects
       UCS 6400 Series Fabric Interconnects

Indicators of Compromise

  o Exploitation of this vulnerability could cause the affected device to
    generate a constant stream of log messages similar to the following:

        USER-3-SYSTEM_MSG: NTP Receive dropping message: Received NTP private mode packet. Drop count: x  - ntpd

    Customers are advised to contact their support organization to review the
    log messages and determine whether the vulnerability has been exploited on
    the device.
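    A single occurrence of the message above is not evidence of attack; any
    stray ntpdc query produces one. What distinguishes exploitation is the
    rate, which is what "constant stream" means in practice. The following
    Python is an added example, not Cisco's or the Snort rule's detection
    logic: it parses that message from exported NX-OS syslog, flags a host
    whose busiest sliding window holds a sustained stream, and shows how the
    Mode field is read from a raw NTP packet, which is what "Mode 7" refers
    to. The timestamp/hostname prefix, the thresholds, the hostnames and all
    sample lines and packet bytes are constructed assumptions.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# The message body is the one quoted in Indicators of Compromise. The leading
# timestamp, hostname and "%" are the usual NX-OS syslog prefix and are an
# assumption here; the "%" is optional so the bare form above also matches.
NTP_DROP_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%?USER-3-SYSTEM_MSG: NTP Receive dropping message: "
    r"Received NTP private mode packet\. Drop count: (?P<count>\d+)\s+- ntpd"
)

def parse_ntp_drop(line: str) -> Optional[Tuple[datetime, str, int]]:
    """(timestamp, host, drop_count) for a matching line, None for anything else."""
    m = NTP_DROP_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y %b %d %H:%M:%S")
    return ts, m.group("host"), int(m.group("count"))

def find_floods(lines: List[str], window_s: int = 60, min_msgs: int = 20) -> List[dict]:
    """Per host, find the busiest window_s-second window; alert if it holds
    at least min_msgs messages. Counting messages rather than the reported
    drop counter keeps the logic right whether that counter is cumulative
    or per interval, which the advisory does not say."""
    events: Dict[str, List[Tuple[datetime, int]]] = {}
    for line in lines:
        parsed = parse_ntp_drop(line)
        if parsed:
            ts, host, count = parsed
            events.setdefault(host, []).append((ts, count))
    alerts = []
    for host, evs in events.items():
        evs.sort()
        best_n, best_start, best_end = 0, 0, 0
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_s.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > best_n:
                best_n, best_start, best_end = end - start + 1, start, end
        if best_n >= min_msgs:
            alerts.append({
                "host": host,
                "messages": best_n,
                "from": evs[best_start][0],
                "to": evs[best_end][0],
                "drop_counts": (evs[best_start][1], evs[best_end][1]),
            })
    return alerts

def ntp_mode(payload: bytes) -> Optional[int]:
    """Mode field of an NTP packet: the low three bits of the first byte.
    3 = client, 4 = server, 6 = control (ntpq), 7 = private (ntpdc), the
    mode this advisory is about. None for an empty payload."""
    return payload[0] & 0x07 if payload else None

def _line(ts: str, host: str, count: int) -> str:
    return (f"{ts} {host} %USER-3-SYSTEM_MSG: NTP Receive dropping message: "
            f"Received NTP private mode packet. Drop count: {count}  - ntpd")

# Constructed sample: two stray queries minutes apart on one switch (benign),
# an unrelated message the parser must ignore, and 30 drops in 15 seconds
# on a second switch.
SAMPLE_LOG = [
    _line("2019 Aug 28 16:00:01", "core-n7k-1", 1),
    _line("2019 Aug 28 16:09:44", "core-n7k-1", 2),
    "2019 Aug 28 16:10:00 core-n7k-1 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin",
] + [_line(f"2019 Aug 28 16:12:{i // 2:02d}", "core-n7k-2", 5000 + 40 * i) for i in range(30)]

if __name__ == "__main__":
    for alert in find_floods(SAMPLE_LOG):
        print(f"{alert['host']}: {alert['messages']} Mode 7 drops logged between "
              f"{alert['from']:%H:%M:%S} and {alert['to']:%H:%M:%S}")
```

    Tune window_s and min_msgs to what your own monitoring tools produce
    on a quiet day before alerting on this; the workaround below (logging
    level daemon 2) silences exactly this message, so a device with the
    workaround applied will never trip the detector and needs the Snort rule
    or an upstream packet count instead.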

Workarounds

  o Administrators can use the following configuration command on affected
    devices to reduce the logging level for daemons from the default value of 3
    to 2:

        logging level daemon 2

    This would eliminate device exposure to this issue but would cause the
    affected device to stop logging other syslog messages that might be useful
    to monitor device operations.

    Customers who are not using the NTP feature can disable it with the no
    feature ntp configuration command.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following
    table(s) was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    MDS 9000 Series Multilayer Switches: CSCvm51139

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    5.2                            Not vulnerable
    6.2                            6.2(29)
    7.3                            8.3(2)
    8.1                            8.3(2)
    8.2                            8.3(2)
    8.3                            8.3(2)
    8.4                            Not vulnerable

    Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
    NX-OS Mode: CSCvm51138

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    Earlier than 6.0(2)U6          Not vulnerable
    6.0(2)U6                       7.0(3)I7(6)
    7.0(3)I                        7.0(3)I7(6)
    9.2                            9.2(2)
    9.3                            Not vulnerable

    Nexus 3500 Platform Switches: CSCvm51142

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    Earlier than 6.0(2)A6          Not vulnerable
    6.0(2)A8                       6.0(2)A8(11)
    7.0(3)I7                       7.0(3)I7(6)
    9.2                            9.2(2)
    9.3                            Not vulnerable

    Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform: 
    CSCvm51138

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    7.0(3)F                        9.2(2)
    9.2                            9.2(2)
    9.3                            Not vulnerable

    Nexus 5500, 5600, and 6000 Series Switches: CSCvm35740

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    Earlier than 7.1(4)            Not vulnerable
    7.1(4)                         7.3(5)N1(1)
    7.1(5)                         7.3(5)N1(1)
    7.2                            7.3(5)N1(1)
    7.3                            7.3(5)N1(1)

    Nexus 7000 and 7700 Series Switches: CSCvm51139

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    Earlier than 6.2               Not vulnerable
    6.2                            7.3(3)D1(1)
    7.2                            7.3(3)D1(1)
    7.3                            7.3(3)D1(1)
    8.0                            8.2(3)
    8.1                            8.2(3)
    8.2                            8.2(3)
    8.3                            8.3(2)
    8.4                            Not vulnerable


    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco
    Nexus Switch, administrators can refer to the following Recommended
    Releases documents. If a security advisory recommends a later release,
    Cisco recommends following the advisory guidance.

        Cisco MDS Series Switches
        Cisco Nexus 1000V for VMware Switch
        Cisco Nexus 3000 Series and 3500 Series Switches
        Cisco Nexus 5000 Series Switches
        Cisco Nexus 5500 Platform Switches
        Cisco Nexus 6000 Series Switches
        Cisco Nexus 7000 Series Switches
        Cisco Nexus 9000 Series Switches
        Cisco Nexus 9000 Series ACI-Mode Switches

    For help determining the best Cisco NX-OS Software release for Cisco UCS,
    refer to the Recommended Releases documents in the release notes for the
    device.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Action Links for This Advisory

  o Snort Rule 29393

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-ntp-dos

Revision History

  o +---------+------------------------+-----------+--------+-----------------+
    | Version |      Description       |  Section  | Status |      Date       |
    +---------+------------------------+-----------+--------+-----------------+
    | 1.1     | Updated the MDS fixed  | Fixed     | Final  | 2019-October-08 |
    |         | release table.         | Software  |        |                 |
    +---------+------------------------+-----------+--------+-----------------+
    | 1.0     | Initial public         | -         | Final  | 2019-August-28  |
    |         | release.               |           |        |                 |
    +---------+------------------------+-----------+--------+-----------------+

- --------------------------------------------------------------------------------

Cisco NX-OS Software Remote Management Memory Leak Denial of Service
Vulnerability

Priority:        High

Advisory ID:     cisco-sa-20190828-nxos-memleak-dos

First Published: 2019 August 28 16:00 GMT

Last Updated:    2019 October 8 14:45 GMT

Version 1.1:     Final

Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvi15409 CSCvn50393 CSCvn50443 CSCvn50446 CSCvn52167

CVE-2019-1965    

CWE-400

CVSS Score:
7.7  AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Virtual Shell (VSH) session management for Cisco
    NX-OS Software could allow an authenticated, remote attacker to cause a VSH
    process to fail to delete upon termination. This can lead to a build-up of
    VSH processes that over time can deplete system memory. When there is no
    system memory available, this can cause unexpected system behaviors and
    crashes.

    The vulnerability is due to the VSH process not being properly deleted when
    a remote management connection to the device is disconnected. An attacker
    could exploit this vulnerability by repeatedly performing a remote
    management connection to the device and terminating the connection in an
    unexpected manner. A successful exploit could allow the attacker to cause
    the VSH processes to fail to delete, which can lead to a system-wide denial
    of service (DoS) condition. The attacker must have valid user credentials
    to log in to the device using the remote management connection.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-memleak-dos

    This advisory is part of the August 2019 Cisco FXOS and NX-OS Software
    Security Advisory Bundled Publication, which includes five Cisco Security
    Advisories that describe five vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: August 2019 Cisco
    FXOS and NX-OS Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running
    a vulnerable release of Cisco NX-OS Software:

       MDS 9000 Series Multilayer Switches
       Nexus 3000 Series Switches
       Nexus 3500 Platform Switches
       Nexus 3600 Platform Switches
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 7000 Series Switches
       Nexus 7700 Series Switches
       Nexus 9000 Series Switches in standalone NX-OS mode
       Nexus 9500 R-Series Switching Platform
       UCS 6200 Series Fabric Interconnects
       UCS 6300 Series Fabric Interconnects

    For information about which Cisco NX-OS Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       Nexus 1000 Virtual Edge for VMware vSphere
       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode
       UCS 6400 Series Fabric Interconnects

Details

  o The most common example of a remote management protocol is SSH, but any
    management protocol to the management interface, including S/FTP, S/COPY
    and others, could trigger this vulnerability.

Indicators of Compromise

  o Exploitation of this vulnerability can result in several different
    indicators of compromise on an affected device.

    1. Exploitation of this vulnerability can result in a system memory leak
    due to the build-up of zombie VSH processes that were not terminated
    correctly. Administrators can view the process list using the show process 
    NX-OS CLI command, as in the following example:

        # show processes
        PID    State  PC        Start_cnt    TTY   Process
        -----  -----  --------  -----------  ----  -------------
        1574      S   f537a3c            1     - vsh
        2063      S   f537a3c            1     - vsh
        .
        .
        .
        4308       S   f537a3c            1     - vsh
        4690       S   f537a3c            1     - vsh
        4733       S   f537a3c            1     - vsh
        5081       S   f537a3c            1     - vsh
        5949       S   f537a3c            1     - vsh
        6118       S   f537a3c            1     - vsh
        6723       S   f537a3c            1     - vsh
        7315       S   f537a3c            1     - vsh
        9841       S   f537a3c            1     - vsh
        12866      S   f537a3c            1     - vsh
        13465      S   f537a3c            1     - vsh
        14836      S   f537a3c            1     - vsh
        15568      S   f537a3c            1     - vsh
        18289      S   f537a3c            1     - vsh
        18580      S   f537a3c            1     - vsh
        18601      S   f537a3c            1     - vsh
        19254      S   f537a3c            1     - vsh
        19782      S   f537a3c            1     - vsh
        20367      S   f537a3c            1     - vsh
        20517      S   f537a3c            1     - vsh
        20931      S   f537a3c            1     - vsh
        21753      S   f537a3c            1     - vsh
        22728      S   f537a3c            1     - vsh
        23544      S   f537a3c            1     - vsh
        23947      S   f537a3c            1     - vsh
        24825      S   f537a3c            1     - vsh
        25139      S   f537a3c            1     - vsh
        25862      S   f537a3c            1     - vsh
        26172      S   f537a3c            1     - vsh
        26334      S   f537a3c            1     - vsh
        26691      S   f537a3c            1     - vsh
        27303      S   f537a3c            1     - vsh
        28750      S   f537a3c            1     - vsh

    2. Exploitation of this vulnerability can result in the following error
    message when a user has a remote connection on the device:

        Error: Too many open files in system

    3. Exploitation of this vulnerability could cause an affected device to
    reload and generate a core file. Because the core file is the end result of
    the system memory leak, the actual process to crash can be different each
    time. To view the device core files, administrators can use the show core 
    command in the NX-OS CLI. Contact the Cisco Technical Assistance Center
    (TAC) to review the core file and determine whether the device has been
    compromised by exploitation of this vulnerability.
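The first indicator above is a process count that keeps growing while the number of management sessions does not. As an added detection example (not Cisco code and not part of the advisory), the following Python parses saved `show processes` output, counts vsh processes, and compares them with the number of management sessions the operator can account for; the sample output, its PIDs and PC values, and the slack threshold are all constructed.

```python
"""Flag a build-up of stale VSH processes from saved 'show processes' output.

Added example for the advisory's first indicator of compromise; it is not
Cisco code.  Run it against output copied from the NX-OS CLI.
"""
import re
from typing import Dict, List

# Constructed sample in the column layout the advisory shows; every PID and
# PC value here is made up.
SAMPLE_SHOW_PROCESSES = """\
PID    State  PC        Start_cnt    TTY   Process
-----  -----  --------  -----------  ----  -------------
1         S   a0b1c2d            1     - init
1574      S   f537a3c            1     - vsh
2063      S   f537a3c            1     - vsh
2100      S   e12f0ab            1     - sysmgr
4308      S   f537a3c            1     - vsh
4690      S   f537a3c            1     - vsh
4733      S   f537a3c            1     - vsh
"""

# One data row: PID, State, PC, Start_cnt, TTY, Process.  The header and the
# dashed rule do not start with digits, so they are skipped.
ROW_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<state>\S+)\s+(?P<pc>\S+)\s+"
    r"(?P<start_cnt>\d+)\s+(?P<tty>\S+)\s+(?P<proc>\S+)\s*$"
)


def parse_show_processes(text: str) -> List[Dict[str, str]]:
    """Return one dict per process row in 'show processes' output."""
    matches = (ROW_RE.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def count_processes(text: str, name: str = "vsh") -> int:
    """Number of processes whose name matches exactly (default: vsh)."""
    return sum(1 for row in parse_show_processes(text) if row["proc"] == name)


def stale_vsh_count(text: str, active_sessions: int) -> int:
    """Estimated leaked VSH processes: vsh processes beyond the sessions the
    operator can account for (for example from 'show users').  Never negative."""
    return max(0, count_processes(text, "vsh") - active_sessions)


def vsh_buildup_suspected(text: str, active_sessions: int, slack: int = 2) -> bool:
    """True when more vsh processes exist than open sessions plus a small
    slack (a constructed threshold) for sessions that are still tearing down."""
    return stale_vsh_count(text, active_sessions) > slack


if __name__ == "__main__":
    total = count_processes(SAMPLE_SHOW_PROCESSES)
    stale = stale_vsh_count(SAMPLE_SHOW_PROCESSES, active_sessions=1)
    print(f"vsh processes: {total}, unaccounted for: {stale}")
    if vsh_buildup_suspected(SAMPLE_SHOW_PROCESSES, active_sessions=1):
        print("possible VSH leak: review sessions and collect 'show core' output")
```

Collected periodically (for example from a scheduled `show processes` capture), a vsh count that climbs while the session count stays flat is the signal to look for; a single snapshot only tells you the current excess.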

Workarounds

  o There are no workarounds that address this vulnerability.

    Mitigation for Cisco NX-OS Software: Configure a VTY Access Class

    On some platforms that are running Cisco NX-OS Software, it is possible to
    limit exposure of an affected device by creating a vty access control list
    (ACL) on the device and configuring the ACL to permit only known, trusted
    devices to connect to the device via Telnet and Secure Shell (SSH).

    This mitigation is not available on some platforms that are running Cisco
    NX-OS and should be used only where applicable.

    There is no Cisco UCS mitigation that addresses this vulnerability.

    The ACL in this example is for IPv4. This vulnerability can also be
    exploited against IPv6 interfaces. If the NX-OS device is configured for
    IPv6, the same ACL should be configured for the IPv6 address range.

    The following example shows an ACL that permits access to vtys from the
    192.168.1.0/24 netblock and the single IP address 172.16.1.2 while denying
    access from all other addresses:

        ip access-list vtyacl
          10 permit tcp 192.168.1.0/24 any
          20 permit tcp 172.16.1.2/32 any
        line vty
          access-class vtyacl in

    For more information about restricting traffic to vtys, see the Cisco Nexus
    7000 Series NX-OS Security Configuration Guide. It is considered a best
    practice for an NX-OS device to have a vty ACL configured. Refer to the
    Cisco Guide to Securing Cisco NX-OS Software Devices for additional
    information about hardening Cisco NX-OS devices.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. To help ensure a complete upgrade
    solution, customers should consider that this advisory is part of a bundled
    publication. The following page provides a complete list of bundle
    advisories: Cisco Event Response: August 2019 Cisco FXOS and NX-OS Software
    Security Advisory Bundled Publication.

    In the following table(s), the left column lists releases of Cisco FXOS
    Software or Cisco NX-OS Software. The center column indicates whether a
    release is affected by the vulnerability described in this advisory and the
    first release that includes the fix for this vulnerability. The right
    column indicates whether a release is affected by all the vulnerabilities
    described in this bundle and which release includes fixes for those
    vulnerabilities.

    MDS 9000 Series Multilayer Switches: CSCvn50393

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    5.2            6.2(27)              6.2(29)
    6.2            6.2(27)              6.2(29)
    7.3            8.4(1)               8.4(1)
    8.1            8.4(1)               8.4(1)
    8.2            8.4(1)               8.4(1)
    8.3            8.4(1)               8.4(1)
    8.4            Not vulnerable       Not vulnerable

    Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
    NX-OS Mode: CSCvi15409

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    Earlier than   7.0(3)I4(9)          7.0(3)I4(9)
    7.0(3)I4
    7.0(3)I4       7.0(3)I4(9)          7.0(3)I4(9)
    7.0(3)I7       7.0(3)I7(4)          7.0(3)I7(6)
    9.2            Not vulnerable       9.2(3)
    9.3            Not vulnerable       Not vulnerable

    Nexus 3500 Platform Switches: CSCvi15409

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    6.0(2)A        6.0(2)A8(11)         6.0(2)A8(11)
    7.0(3)I7       7.0(3)I7(4)          7.0(3)I7(6)
    9.2            Not vulnerable       9.2(3)
    9.3            Not vulnerable       Not vulnerable

    Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform: 
    CSCvi15409

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    7.0(3)         9.2(1)               9.2(3)
    9.2            Not vulnerable       9.2(3)
    9.4            Not vulnerable       Not vulnerable

    Nexus 5500, 5600, and 6000 Series Switches: CSCvn50446

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    Earlier than   7.1(5)N1(1b)         7.1(5)N1(1b)
    7.1
    7.1            7.1(5)N1(1b)         7.1(5)N1(1b)
    7.3            7.3(5)N1(1)          7.3(5)N1(1)

    Nexus 7000 and 7700 Series Switches: CSCvn50443

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    Earlier than   6.2(22)              6.2(22)
    6.2
    6.2            6.2(22)              6.2(22)
    7.2            7.3(4)D1(1)          7.3(4)D1(1)
    7.3            7.3(4)D1(1)          7.3(4)D1(1)
    8.0            8.2(3)               8.2(3)
    8.1            8.2(3)               8.2(3)
    8.2            8.2(3)               8.2(3)
    8.3            8.4(1)               8.4(1)
    8.4            Not vulnerable       Not vulnerable

    UCS 6200 and 6300 Series Fabric Interconnects: CSCvn52167

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    Earlier than   3.2(3k)              3.2(3l)
    3.2
    3.2            3.2(3k)              3.2(3l)
    4.0            4.0(2e)              4.0(4e)


    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco
    Nexus Switch, administrators can refer to the following Recommended
    Releases documents. If a security advisory recommends a later release,
    Cisco recommends following the advisory guidance.

        Cisco MDS Series Switches
        Cisco Nexus 1000V for VMware Switch
        Cisco Nexus 3000 Series and 3500 Series Switches
        Cisco Nexus 5000 Series Switches
        Cisco Nexus 5500 Platform Switches
        Cisco Nexus 6000 Series Switches
        Cisco Nexus 7000 Series Switches
        Cisco Nexus 9000 Series Switches
        Cisco Nexus 9000 Series ACI-Mode Switches

    For help determining the best Cisco NX-OS Software release for Cisco UCS,
    refer to the Recommended Releases documents in the release notes for the
    device.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: August 2019 Cisco FXOS and NX-OS Software Security
    Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-memleak-dos

Revision History

  o +---------+-------------------------+----------+--------+-----------------+
    | Version |       Description       | Section  | Status |      Date       |
    +---------+-------------------------+----------+--------+-----------------+
    | 1.1     | Updated the MDS and UCS | Fixed    | Final  | 2019-October-08 |
    |         | fixed release tables.   | Software |        |                 |
    +---------+-------------------------+----------+--------+-----------------+
    | 1.0     | Initial public release. | -        | Final  | 2019-August-28  |
    +---------+-------------------------+----------+--------+-----------------+

- --------------------------------------------------------------------------------

Cisco NX-OS Software SNMP Access Control List Configuration Name Bypass
Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-20190828-nxos-snmp-bypass
First Published: 2019 August 28 16:00 GMT
Version 1.0:     Final
Workarounds:     Yes

Cisco Bug IDs:   CSCvo17439

CVE-2019-1969    

CVSS Score:
5.8  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

  o A vulnerability in the implementation of the Simple Network Management
    Protocol (SNMP) Access Control List (ACL) feature of Cisco NX-OS Software
    could allow an unauthenticated, remote attacker to perform SNMP polling of
    an affected device, even if it is configured to deny SNMP traffic.

    The vulnerability is due to an incorrect length check when the configured
    ACL name is the maximum length, which is 32 ASCII characters. An attacker
    could exploit this vulnerability by performing SNMP polling of an affected
    device. A successful exploit could allow the attacker to perform SNMP
    polling that should have been denied. The attacker has no control of the
    configuration of the SNMP ACL name.

    Cisco has released software updates that address this vulnerability. There
    are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-snmp-bypass

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected the following Cisco
    products if they were running a vulnerable release of Cisco NX-OS Software
    with a specific SNMP ACL configured:

       Nexus 3000 Series Switches
       Nexus 3500 Platform Switches
       Nexus 3600 Platform Switches
       Nexus 9000 Series Switches in standalone NX-OS mode
       Nexus 9500 R-Series Switching Platform

    For information about which Cisco NX-OS Software releases were vulnerable
    at the time of publication, see the Fixed Software section of this
    advisory. See the Details section in the bug ID(s) at the top of this
    advisory for the most complete and current information.

    Administrators can use the show running-config | include "snmp-server" 
    command to view the configured SNMP ACL for IPv4:

        nxos-switch# show running-config | include "snmp-server"
         snmp-server user <USER> use-ipv4acl <ACL NAME>

    If this command is present in the running configuration and the ACL name
    has the maximum length of 32 characters, the device should be considered
    vulnerable. This applies to IPv6 SNMP ACLs as well.
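The check above reduces to one question per `snmp-server user` line: is the referenced ACL name exactly 32 characters long? As an added audit example (not Cisco code and not part of the advisory), the following Python parses the output of that `show running-config` command, extracts every `use-ipv4acl` and `use-ipv6acl` reference, and reports the names at the maximum length; the sample configuration, its user names, ACL names and key material are constructed.

```python
"""Audit an NX-OS running-config for SNMP ACL names at the 32-character maximum.

Added example for this advisory; it is not Cisco code.  Feed it the text of
'show running-config | include "snmp-server"'.
"""
import re
from typing import List, Tuple

# The advisory states the vulnerable case is an ACL name of exactly the
# maximum length, 32 ASCII characters, and that 31 or fewer is the workaround.
MAX_ACL_NAME_LEN = 32

# Constructed sample config; user names, ACL names and key material are made up.
SAMPLE_RUNNING_CONFIG = """\
snmp-server user admin network-admin auth md5 0xCONSTRUCTED priv 0xCONSTRUCTED localizedkey
snmp-server user admin use-ipv4acl MGMT_SNMP_POLLERS_V4
snmp-server user monitor use-ipv4acl SNMP_ALLOWED_POLLERS_MAIN_SITE01 use-ipv6acl SNMP_V6_POLLERS
snmp-server community public group network-operator
"""

USER_LINE_RE = re.compile(r"^\s*snmp-server user (?P<user>\S+)")
ACL_REF_RE = re.compile(r"use-ipv(?P<ver>[46])acl\s+(?P<name>\S+)")


def find_snmp_acl_refs(config: str) -> List[Tuple[str, str, str]]:
    """Return (user, 'ipv4'|'ipv6', acl_name) for every SNMP ACL reference.
    The IPv4 and IPv6 ACL may both appear on one 'snmp-server user' line."""
    refs = []
    for line in config.splitlines():
        user = USER_LINE_RE.match(line)
        if not user:
            continue
        for ref in ACL_REF_RE.finditer(line):
            refs.append((user.group("user"), "ipv" + ref.group("ver"), ref.group("name")))
    return refs


def flag_max_length_acl_names(config: str) -> List[Tuple[str, str, str]]:
    """References whose ACL name is exactly MAX_ACL_NAME_LEN characters: on a
    vulnerable release these are the ACLs the advisory says can be bypassed."""
    return [r for r in find_snmp_acl_refs(config) if len(r[2]) == MAX_ACL_NAME_LEN]


if __name__ == "__main__":
    for user, ver, name in flag_max_length_acl_names(SAMPLE_RUNNING_CONFIG):
        print(f"user {user}: {ver} ACL '{name}' is {len(name)} chars; "
              f"rename to {MAX_ACL_NAME_LEN - 1} or fewer as a workaround")
```

The same result tells you whether the workaround in the Workarounds section applies: every flagged name needs to be shortened to 31 characters or fewer, or the device upgraded to a fixed release.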

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       MDS 9000 Series Multilayer Switches
       Nexus 1000 Virtual Edge for VMware vSphere
       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 7000 Series Switches
       Nexus 7700 Series Switches
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode
       UCS 6200 Series Fabric Interconnects
       UCS 6300 Series Fabric Interconnects
       UCS 6400 Series Fabric Interconnects

Details

  o To exploit this vulnerability via SNMP Version 2c or earlier, the attacker
    must know the SNMP read-only community string for the affected system. A
    community string is a password that is applied to a device to restrict both
    read-only and read-write access to the SNMP data on the device. These
    community strings, as with all passwords, should be chosen carefully to
    ensure that they are not trivial. They should also be changed at regular
    intervals and in accordance with network security policies. For example,
    the strings should be changed when a network administrator changes roles or
    leaves the organization.

    To exploit this vulnerability via SNMP Version 3, the attacker must have
    user credentials for the affected system.

Workarounds

  o As a workaround, administrators may reconfigure the SNMP ACL name to 31
    characters or less.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following
    table(s) was accurate. See the Details section in the bug ID(s) at the top
    of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    Nexus 3000 Series Switches, Nexus 3500 Platform Switches and Nexus 9000
    Series Switches in Standalone NX-OS Mode: CSCvo17439

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    Earlier than 7.0(3)            Not vulnerable
    7.0(3)I4 ^1                    7.0(3)I7(6) ^1
    7.0(3)I7                       7.0(3)I7(6)
    9.2                            9.2(3)
    9.3                            Not vulnerable

    1. The 7.0(3)I4 code train is not applicable to Nexus 3500 Platform
    Switches.

    Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform: 
    CSCvo17439

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    7.0(3)F                        9.2(3)
    9.2                            9.2(3)
    9.3                            Not vulnerable


    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco
    Nexus Switch, administrators can refer to the following Recommended
    Releases documents. If a security advisory recommends a later release,
    Cisco recommends following the advisory guidance.

        Cisco MDS Series Switches
        Cisco Nexus 1000V for VMware Switch
        Cisco Nexus 3000 Series and 3500 Series Switches
        Cisco Nexus 5000 Series Switches
        Cisco Nexus 5500 Platform Switches
        Cisco Nexus 6000 Series Switches
        Cisco Nexus 7000 Series Switches
        Cisco Nexus 9000 Series Switches
        Cisco Nexus 9000 Series ACI-Mode Switches

    For help determining the best Cisco NX-OS Software release for Cisco UCS,
    refer to the Recommended Releases documents in the release notes for the
    device.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during resolution of a Cisco TAC support case.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-snmp-bypass

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version |       Description        | Section | Status |      Date       |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-28  |
    +---------+--------------------------+---------+--------+-----------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----