-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3276
                   Cisco FXOS and NX-OS security updates
                              29 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco NX-OS
                   Cisco FXOS
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Denial of Service   -- Remote/Unauthenticated
                   Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1969 CVE-2019-1968 CVE-2019-1967
                   CVE-2019-1965 CVE-2019-1964 CVE-2019-1963
                   CVE-2019-1962  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-fxnxos-snmp-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-fsip-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-ipv6-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-api-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-ntp-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-memleak-dos
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nxos-snmp-bypass

Comment: This bulletin contains seven (7) Cisco Systems security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco FXOS and NX-OS Software Authenticated Simple Network Management Protocol
Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190828-fxnxos-snmp-dos
First Published: 2019 August 28 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvn13270 CSCvn23529 CSCvn23531 CSCvn23532CSCvn23534 CSCvn23535 CSCvn23536 CSCvn23537CSCvn23538

CVE-2019-1963    

CVSS Score:
7.7  AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Simple Network Management Protocol (SNMP) input
    packet processor of Cisco FXOS Software and Cisco NX-OS Software could
    allow an authenticated, remote attacker to cause the SNMP application on an
    affected device to restart unexpectedly.

    The vulnerability is due to improper validation of Abstract Syntax Notation
    One (ASN.1)-encoded variables in SNMP packets. An attacker could exploit
    this vulnerability by sending a crafted SNMP packet to the SNMP daemon on
    the affected device. A successful exploit could allow the attacker to cause
    the SNMP application to restart multiple times, leading to a system-level
    restart and a denial of service (DoS) condition.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-fxnxos-snmp-dos

    This advisory is part of the August 2019 Cisco FXOS and NX-OS Software
    Security Advisory Bundled Publication, which includes five Cisco Security
    Advisories that describe five vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: August 2019 Cisco
    FXOS and NX-OS Software Security Advisory Bundled Publication .

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they have SNMP
    configured and they are running a vulnerable release of Cisco FXOS or NX-OS
    Software:

       Firepower 4100 Series
       Firepower 9300 Security Appliances
       MDS 9000 Series Multilayer Switches
       Nexus 1000 Virtual Edge for VMware vSphere
       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 3000 Series Switches
       Nexus 3500 Platform Switches
       Nexus 3600 Platform Switches
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 7000 Series Switches
       Nexus 7700 Series Switches
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode
       Nexus 9000 Series Switches in standalone NX-OS mode
       Nexus 9500 R-Series Switching Platform
       UCS 6200 Series Fabric Interconnects
       UCS 6300 Series Fabric Interconnects
       UCS 6400 Series Fabric Interconnects

    For information about which Cisco FXOS and NX-OS Software releases are
    vulnerable, see the Fixed Software section of this advisory.

    Determine the Status of SNMP

    The following subsections describe how to determine whether SNMP is running
    on a device.

    Determine the Status of SNMP for Cisco FXOS Software

    Administrators can determine whether SNMP is running on a device by using
    the show configuration | include snmp command in the device CLI. If the
    command returns output, SNMP is configured.

        fxos-switch# show configuration | include snmp
             enable snmp

    Determine the Status of SNMP for Cisco NX-OS Software

    Administrators can determine whether SNMP is running on a device by using
    the show running-config snmp command in the device CLI. If the command
    returns output, SNMP is configured.

        nxos-switch# show running-config snmp
        .
        .
        .
        snmp-server user admin network-admin auth md5 ***** priv ***** localizedkey
        snmp-server community community-string group network-admin

    Determine the Status of SNMP for Cisco UCS

    Administrators can determine whether SNMP is running on a device by using
    the show configuration | grep snmp command in the device CLI. If the
    command returns output, SNMP is configured.

        # show configuration | grep snmp
             enable snmp

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect Cisco Firepower
    2100 Series.

Details

  o SNMP is an application-layer protocol that provides a standardized
    framework and a common language for monitoring and managing devices in a
    network. It defines a message format for communication between SNMP
    managers and agents.

    An SNMP agent gathers data from the SNMP MIB, which is the repository of
    information about device parameters and network data. It also responds to
    requests from an SNMP manager to get or set data. An SNMP agent contains
    MIB variables for which values can be requested or changed by an SNMP
    manager by using get or set operations.

    This vulnerability affects all versions of SNMP supported on the
    device-versions 1, 2c, and 3. An attacker could exploit this vulnerability
    by sending a specific SNMP packet to an affected device using IPv4 or IPv6.
    Only traffic directed to an affected system can be used to exploit this
    vulnerability. This vulnerability is not exploitable if the device is
    configured only to send SNMP traps.

    To exploit this vulnerability by using SNMP Version 2c or earlier, the
    attacker must know the SNMP read-only community string for the affected
    system. A community string is a password that is applied to a device to
    restrict both read-only and read-write access to the SNMP data on the
    device. These community strings, as with all passwords, should be chosen
    carefully to ensure that they are not trivial. They should also be changed
    at regular intervals and in accordance with network security policies. For
    example, the strings should be changed when a network administrator changes
    roles or leaves the organization.

    To exploit this vulnerability by using SNMP Version 3 (SNMPv3), the
    attacker must have SNMPv3 credentials for the affected system.

Workarounds

  o There are no workarounds that address this vulnerability.

    Mitigation for Cisco NX-OS Software

    As a mitigation for the vulnerability that is described in this advisory,
    administrators of systems that are running Cisco NX-OS Software can
    configure an access control list (ACL) on an SNMP community to filter
    incoming SNMP requests to ensure that SNMP polling is performed only by
    trusted SNMP clients. In the following example, the device will accept
    incoming SNMPv2c requests only from a single trusted host, 192.168.1.2:

        switch# show access-list acl_for_snmp
        IPV4 ACL acl_for_snmp
          10 permit udp 192.168.1.2/32 192.168.1.3/32 eq snmp

    To implement the preceding ACL, administrators can add it to the
    snmp-server community configuration command:

        switch# show running-config snmp
        !Command: show running-config snmp
        snmp-server community mycompany use-acl acl_for_snmp

    For additional information about configuring ACLs to filter incoming SNMP
    requests, see Filtering SNMP Requests in the Cisco NX-OS Configuration
    Guide .

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license: https://www.cisco.com/c/en/us/products/
    end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page , to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. To help ensure a complete upgrade
    solution, customers should consider that this advisory is part of a bundled
    publication. The following page provides a complete list of bundle
    advisories: Cisco Event Response: August 2019 Cisco FXOS and NX-OS Software
    Security Advisory Bundled Publication .

    In the following table(s), the left column lists releases of Cisco FXOS
    Software or Cisco NX-OS Software. The center column indicates whether a
    release is affected by the vulnerability described in this advisory and the
    first release that includes the fix for this vulnerability. The right
    column indicates whether a release is affected by all the vulnerabilities
    described in this bundle and which release includes fixes for those
    vulnerabilities.

    Firepower 4100 Series and Firepower 9300 Security Appliances: CSCvn23536

    Cisco FXOS    First Fixed Release   First Fixed Release for All
    Software      for This              Vulnerabilities Described in the Bundle
    Release       Vulnerability         of Advisories
    Earlier than  2.2.2.91              2.2.2.91
    2.2
    2.2           2.2.2.91              2.2.2.91
    2.3           2.3.1.130             2.3.1.130
    2.4           2.4.1.222             2.4.1.222
    2.6           Not vulnerable        Not vulnerable

    MDS 9000 Series Multilayer Switches: CSCvn23531

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    5.2            6.2(29) ^1           6.2(29) ^1
    6.2            6.2(29) ^1           6.2(29) ^1
    7.3            8.3(2)               8.4(1)
    8.1            8.3(2)               8.4(1)
    8.2            8.3(2)               8.4(1)
    8.3            8.3(2)               8.4(1)
    8.4            Not vulnerable       Not vulnerable

    1. This release is scheduled for September 2019.

    Nexus 1000 Virtual Edge for VMware vSphere: CSCvn23532

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    5.2            5.2(1)SV5(1.2)       5.2(1)SV5(1.2)

    Nexus 1000V Switch for Microsoft Hyper-V: CSCvn23537

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    Earlier than   No fix at this time  No fix at this time
    5.2
    5.2            No fix at this time  No fix at this time

    Nexus 1000V Switch for VMware vSphere:  CSCvn23532

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    Earlier than   5.2(1)SV3(4.1a)      5.2(1)SV3(4.1a)
    5.2
    5.2            5.2(1)SV3(4.1a)      5.2(1)SV3(4.1a)

    Nexus 3000 Series Switches, Nexus 3500 Platform Switches, and Nexus 9000
    Series Switches in Standalone NX-OS Mode: CSCvn13270

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    Earlier than   Not vulnerable       7.0(3)I4(9) ^2
    7.0(3)I4 ^2
    7.0(3)I4 ^2    7.0(3)I4(9) ^2       7.0(3)I4(9) ^2
    7.0(3)I7       7.0(3)I7(6)          7.0(3)I7(6)
    9.2            9.2(3)               9.2(3)
    9.3            Not vulnerable       Not vulnerable

    2. The 7.0(3)I4 code train is not applicable to Nexus 3500 Platform
    Switches.

    Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform:  
    CSCvn13270

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    7.0(3)F        9.2(3)               9.2(3)
    9.2            9.2(3)               9.2(3)
    9.3            Not vulnerable       Not vulnerable

    Nexus 5500 and 5600 Platform Switches and Nexus 6000 Series Switches: 
    CSCvn23534

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    Earlier than   7.1(5)N1(1b)         7.1(5)N1(1b)
    7.1
    7.1            7.1(5)N1(1b)         7.1(5)N1(1b)
    7.3            7.3(5)N1(1)          7.3(5)N1(1)

    Nexus 7000 and 7700 Series Switches: CSCvn23531

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    Earlier than   6.2(22)              6.2(22)
    6.2
    6.2            6.2(22)              6.2(22)
    7.2            7.3(4)D1(1)          7.3(4)D1(1)
    7.3            7.3(4)D1(1)          7.3(4)D1(1)
    8.0            8.2(3)               8.2(3)
    8.1            8.2(3)               8.2(3)
    8.2            8.2(3)               8.2(3)
    8.3            8.3(2)               8.4(1)
    8.4            Not vulnerable       Not vulnerable

    Nexus 9000 Series Fabric Switches in ACI Mode: CSCvn23529

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    Earlier than   13.2(7k)             13.2(7k)
    13.1
    13.1           13.2(7k)             13.2(7k)
    13.2           13.2(7k)             13.2(7k)
    14.0           14.0(2c)             14.0(2c)
    14.1           14.1(1i)             14.1(1i)

    UCS 6200, 6300, and 6400 Series Fabric Interconnects: CSCvn23535 and 
    CSCvn23538

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    Earlier than   No fix at this time  No fix at this time
    3.2
    3.2            No fix at this time  No fix at this time
    4.0            No fix at this time  No fix at this time

    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco
    Nexus Switch, administrators can refer to the following Recommended
    Releases documents. If a security advisory recommends a later release,
    Cisco recommends following the advisory guidance.

        Cisco MDS Series Switches
        Cisco Nexus 1000V for VMware Switch
        Cisco Nexus 3000 Series and 3500 Series Switches
        Cisco Nexus 5000 Series Switches
        Cisco Nexus 5500 Platform Switches
        Cisco Nexus 6000 Series Switches
        Cisco Nexus 7000 Series Switches
        Cisco Nexus 9000 Series Switches
        Cisco Nexus 9000 Series ACI-Mode Switches

    For help determining the best Cisco NX-OS Software release for Cisco UCS,
    refer to the Recommended Releases documents in the release notes for the
    device.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Related to This Advisory

  o Cisco Event Response: August 2019 Cisco FXOS and NX-OS Software Security
    Advisory Bundled Publication
    ERP-72243

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-fxnxos-snmp-dos

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version |       Description        | Section | Status |      Date       |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-28  |
    +---------+--------------------------+---------+--------+-----------------+

- --------------------------------------------------------------------------------

Cisco NX-OS Software Cisco Fabric Services over IP Denial of Service
Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190828-nxos-fsip-dos
First Published: 2019 August 28 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available

CVE-2019-1962    

CWE-20

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Cisco Fabric Services component of Cisco NX-OS
    Software could allow an unauthenticated, remote attacker to cause process
    crashes, which can result in a denial of service (DoS) condition on an
    affected system.

    The vulnerability is due to insufficient validation of TCP packets when
    processed by the Cisco Fabric Services over IP (CFSoIP) feature. An
    attacker could exploit this vulnerability by sending a malicious Cisco
    Fabric Services TCP packet to an affected device. A successful exploit
    could allow the attacker to cause process crashes, resulting in a device
    reload and a DoS condition.

    Note: There are three distribution methods that can be configured for Cisco
    Fabric Services. This vulnerability affects only distribution method
    CFSoIP, which is disabled by default. See the Details section for more
    information.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-fsip-dos

    This advisory is part of the August 2019 Cisco FXOS and NX-OS Software
    Security Advisory Bundled Publication, which includes five Cisco Security
    Advisories that describe five vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: August 2019 Cisco
    FXOS and NX-OS Software Security Advisory Bundled Publication .

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running
    a vulnerable release of Cisco NX-OS Software with CFSoIP enabled:

       MDS 9000 Series Multilayer Switches
       Nexus 3000 Series Switches
       Nexus 3500 Platform Switches
       Nexus 3600 Platform Switches
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 7000 Series Switches
       Nexus 7700 Series Switches
       Nexus 9000 Series Switches in standalone NX-OS mode
       Nexus 9500 R-Series Switching Platform
       UCS 6200 Series Fabric Interconnects
       UCS 6300 Series Fabric Interconnects

    Administrators can display the distribution status of Cisco Fabric Services
    for a device by using the show cfs status command in the device CLI, as
    shown in the following example:

        switch# show cfs status
        Distribution : Enabled
        Distribution over IP : Disabled
        IPv4 multicast address : 239.255.70.83
        IPv6 multicast address : ff15::efff:4653
        Distribution over Ethernet : Disabled

    In the preceding example, the Enabled value in the Distribution field of
    the command output indicates that Cisco Fabric Services is enabled for the
    device and the device is configured to use the default Cisco Fabric
    Services distribution type, which is CFSoFC. The Disabled value in the
    Distribution over IP field and the Distribution over Ethernet field
    indicates that the device is not configured to use the CFSoIP and CFSoE
    distribution types.

    For information about which Cisco NX-OS Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 1000 Virtual Edge for VMware vSphere
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode
       UCS 6400 Series Fabric Interconnects

Details

  o Cisco Fabric Services provides a common infrastructure for distributing and
    synchronizing configuration data between Cisco devices that are on the same
    network and with virtual port channels (vPCs). This includes configuration
    data for applications and features that are compatible with and enabled to
    use Cisco Fabric Services-for example, Distributed Device Alias Services,
    Network Time Protocol (NTP), and user and administrator roles. To
    distribute and synchronize data, Cisco Fabric Services can be configured to
    use any of the following distribution types:

    Cisco Fabric Services over Fiber Channel (CFSoFC) - Distributes data over a
    Fiber Channel (FC), such as a virtual storage area network (VSAN). CFSoFC
    distribution is enabled by default.

    Cisco Fabric Services over Ethernet (CFSoE) - Distributes data over an
    Ethernet network. For vPC support, Cisco Fabric Services must be configured
    to use this distribution type. CFSoE distribution is disabled by default.

    Cisco Fabric Services over IP (CFSoIP) - Distributes data over an IPv4 or
    IPv6 network. CFSoIP distribution is disabled by default.

    Note: The vulnerability described in this advisory is due to insufficient
    input validation that could occur when the affected software processes
    CFSoIP TCP packets received during distribution and synchronization
    operations. An attack is possible from any node that has IP network
    connectivity to the management interface of an affected device and cannot
    occur from the data plane.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page , to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. To help ensure a complete upgrade
    solution, customers should consider that this advisory is part of a bundled
    publication. The following page provides a complete list of bundle
    advisories: Cisco Event Response: August 2019 Cisco FXOS and NX-OS Software
    Security Advisory Bundled Publication .

    In the following table(s), the left column lists releases of Cisco FXOS
    Software or Cisco NX-OS Software. The center column indicates whether a
    release is affected by the vulnerability described in this advisory and the
    first release that includes the fix for this vulnerability. The right
    column indicates whether a release is affected by all the vulnerabilities
    described in this bundle and which release includes fixes for those
    vulnerabilities.

    MDS 9000 Series Multilayer Switches: CSCva64492

    Cisco NX-OS First Fixed      First Fixed Release for All
    Software    Release for This Vulnerabilities Described in
    Release     Vulnerability    the Bundle of Advisories
    5.2         6.2(25)          6.2(29) ^1
    6.2         6.2(25)          6.2(29) ^1
    7.3         8.1(1)           8.4(1)
    8.1         Not vulnerable   8.4(1)
    8.2         Not vulnerable   8.4(1)
    8.3         Not vulnerable   8.4(1)
    8.4         Not vulnerable   Not vulnerable

    1. This release is scheduled for September 2019.

    Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
    NX-OS Mode: CSCvj59058

    Cisco NX-OS First Fixed      First Fixed Release for All
    Software    Release for This Vulnerabilities Described in
    Release     Vulnerability    the Bundle of Advisories
    Earlier
    than 7.0(3) 7.0(3)I4(9)      7.0(3)I4(9)
    I4
    7.0(3)I4    7.0(3)I4(9)      7.0(3)I4(9)
    7.0(3)I7    7.0(3)I7(4)      7.0(3)I7(6)
    9.2         Not vulnerable   9.2(3)
    9.3         Not vulnerable   Not vulnerable

    Nexus 3500 Platform Switches: CSCvk70631

    Cisco NX-OS First Fixed      First Fixed Release for All
    Software    Release for This Vulnerabilities Described in
    Release     Vulnerability    the Bundle of Advisories
    Earlier
    than 6.0(2) 6.0(2)A8(10)     6.0(2)A8(11)
    A8
    6.0(2)A8    6.0(2)A8(10)     6.0(2)A8(11)
    7.0(3)I7    7.0(3)I7(4)      7.0(3)I7(6)
    9.2         Not vulnerable   9.2(3)
    9.3         Not vulnerable   Not vulnerable

    Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform: 
    CSCvk70625

    Cisco NX-OS First Fixed      First Fixed Release for All
    Software    Release for This Vulnerabilities Described in
    Release     Vulnerability    the Bundle of Advisories
    7.0(3)      7.0(3)F3(3c) ^1  9.2(3)
    9.2         Not vulnerable   9.2(3)
    9.3         Not vulnerable   Not vulnerable

    ^ 1 This vulnerability is not fixed in 7.0(3)F3(4) but is fixed in 7.0(3)F3
    (5).

    Nexus 5500, 5600, and 6000 Series Switches: CSCvk70632

    Cisco NX-OS First Fixed      First Fixed Release for All
    Software    Release for This Vulnerabilities Described in
    Release     Vulnerability    the Bundle of Advisories
    Earlier     7.1(5)N1(1b)     7.1(5)N1(1b)
    than 7.1
    7.1         7.1(5)N1(1b)     7.1(5)N1(1b)
    7.3         7.3(4)N1(1)      7.3(5)N1(1)

    Nexus 7000 and 7700 Series Switches: CSCva64492

    Cisco NX-OS First Fixed      First Fixed Release for All
    Software    Release for This Vulnerabilities Described in
    Release     Vulnerability    the Bundle of Advisories
    Earlier     6.2(22)          6.2(22)
    than 6.2
    6.2         6.2(22)          6.2(22)
    7.2         7.3(3)D1(1)      7.3(4)D1(1)
    7.3         7.3(3)D1(1)      7.3(4)D1(1)
    8.0         Not vulnerable   8.2(3)
    8.1         Not vulnerable   8.2(3)
    8.2         Not vulnerable   8.2(3)
    8.3         Not vulnerable   8.4(1)
    8.4         Not vulnerable   Not vulnerable

    UCS 6200 and 6300 Series Fabric Interconnects: CSCvk70633

    Cisco NX-OS First Fixed      First Fixed Release for All
    Software    Release for This Vulnerabilities Described in
    Release     Vulnerability    the Bundle of Advisories
    Earlier     3.2(3l) ^1       No fix at this time
    than 3.2
    3.2         3.2(3l) ^1       No fix at this time
    4.0         4.0(2d)          No fix at this time

    ^ 1 This release is scheduled for September 2019.

    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco
    Nexus Switch, administrators can refer to the following Recommended
    Releases documents. If a security advisory recommends a later release,
    Cisco recommends following the advisory guidance.

        Cisco MDS Series Switches
        Cisco Nexus 1000V for VMware Switch
        Cisco Nexus 3000 Series and 3500 Series Switches
        Cisco Nexus 5000 Series Switches
        Cisco Nexus 5500 Platform Switches
        Cisco Nexus 6000 Series Switches
        Cisco Nexus 7000 Series Switches
        Cisco Nexus 9000 Series Switches
        Cisco Nexus 9000 Series ACI-Mode Switches

    For help determining the best Cisco NX-OS Software release for Cisco UCS,
    refer to the Recommended Releases documents in the release notes for the
    device.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Related to This Advisory

  o ERP-72243

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-fsip-dos

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version |       Description        | Section | Status |      Date       |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-28  |
    +---------+--------------------------+---------+--------+-----------------+

- --------------------------------------------------------------------------------

Cisco NX-OS Software IPv6 Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190828-nxos-ipv6-dos
First Published: 2019 August 28 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvn46719

CVE-2019-1964    

CWE-20

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the IPv6 traffic processing of Cisco NX-OS Software
    could allow an unauthenticated, remote attacker to cause an unexpected
    restart of the netstack process on an affected device.

    The vulnerability is due to improper validation of IPv6 traffic sent
    through an affected device. An attacker could exploit this vulnerability by
    sending a malformed IPv6 packet through an affected device. A successful
    exploit could allow the attacker to cause a denial of service (DoS)
    condition while the netstack process restarts. A sustained attack could
    lead to a reboot of the device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-ipv6-dos

    This advisory is part of the August 2019 Cisco FXOS and NX-OS Software
    Security Advisory Bundled Publication, which includes five Cisco Security
    Advisories that describe five vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: August 2019 Cisco
    FXOS and NX-OS Software Security Advisory Bundled Publication .

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running
    a vulnerable release of Cisco NX-OS Software:

       Nexus 7000 Series Switches
       Nexus 7700 Series Switches

    For information about which Cisco NX-OS Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       MDS 9000 Series Multilayer Switches
       Nexus 1000 Virtual Edge for VMware vSphere
       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 3000 Series Switches
       Nexus 3500 Platform Switches
       Nexus 3600 Platform Switches
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode
       Nexus 9000 Series Switches in standalone NX-OS mode
       Nexus 9500 R-Series Switching Platform
       UCS 6200 Series Fabric Interconnects
       UCS 6300 Series Fabric Interconnects
       UCS 6400 Series Fabric Interconnects

Indicators of Compromise

  o Exploitation of this vulnerability could cause an affected device to
    generate a core file of the /isan/bin/routing-sw/netstack process. To view
    device core files, administrators can use the show core command in the
    NX-OS CLI. To determine whether the device has been compromised by
    exploitation of this vulnerability, administrators are advised to contact
    the Cisco Technical Assistance Center (TAC) to review the core files.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page , to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. To help ensure a complete upgrade
    solution, customers should consider that this advisory is part of a bundled
    publication. The following page provides a complete list of bundle
    advisories: Cisco Event Response: August 2019 Cisco FXOS and NX-OS Software
    Security Advisory Bundled Publication .

    In the following table(s), the left column lists releases of Cisco FXOS
    Software or Cisco NX-OS Software. The center column indicates whether a
    release is affected by the vulnerability described in this advisory and the
    first release that includes the fix for this vulnerability. The right
    column indicates whether a release is affected by all the vulnerabilities
    described in this bundle and which release includes fixes for those
    vulnerabilities.

    Nexus 7000 and 7700 Series Switches: CSCvn46719

    Cisco      First Fixed Release for This      First Fixed Release for All
    NX-OS      Vulnerability                     Vulnerabilities Described in
    Software                                     the Bundle of Advisories
    Release
    Earlier    Not vulnerable                    Not vulnerable
    than 8.1
    8.1        8.2(3)                            8.2(3)
    8.2        8.2(3)                            8.2(3)
    8.3        Maintenance Upgrade               8.4(1)
               n7000-s2-dk9.8.3.2.CSCvn46719.bin
    8.4        Not vulnerable                    Not vulnerable

    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco
    Nexus Switch, administrators can refer to the following Recommended
    Releases documents. If a security advisory recommends a later release,
    Cisco recommends following the advisory guidance.

        Cisco MDS Series Switches
        Cisco Nexus 1000V for VMware Switch
        Cisco Nexus 3000 Series and 3500 Series Switches
        Cisco Nexus 5000 Series Switches
        Cisco Nexus 5500 Platform Switches
        Cisco Nexus 6000 Series Switches
        Cisco Nexus 7000 Series Switches
        Cisco Nexus 9000 Series Switches
        Cisco Nexus 9000 Series ACI-Mode Switches

    For help determining the best Cisco NX-OS Software release for Cisco UCS,
    refer to the Recommended Releases documents in the release notes for the
    device.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Related to This Advisory

  o ERP-72243

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-ipv6-dos

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version |       Description        | Section | Status |      Date       |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-28  |
    +---------+--------------------------+---------+--------+-----------------+

- --------------------------------------------------------------------------------

Cisco NX-OS Software NX-API Denial of Service Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-20190828-nxos-api-dos
First Published: 2019 August 28 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvn26502CSCvn31273CSCvn57900

CVE-2019-1968    

CVSS Score:
5.3  AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:X

Summary

  o A vulnerability in the NX-API feature of Cisco NX-OS Software could allow
    an unauthenticated, remote attacker to cause an NX-API system process to
    unexpectedly restart.

    The vulnerability is due to incorrect validation of the HTTP header of a
    request that is sent to the NX-API. An attacker could exploit this
    vulnerability by sending a crafted HTTP request to the NX-API on an
    affected device. A successful exploit could allow the attacker to cause a
    denial of service (DoS) condition in the NX-API service; however, the NX-OS
    device itself would still be available and passing network traffic.

    Note: The NX-API feature is disabled by default.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-api-dos

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected the following Cisco
    products if they were running a vulnerable release of Cisco NX-OS Software
    and had the NX-API feature enabled:

       MDS 9000 Series Multilayer Switches
       Nexus 3000 Series Switches
       Nexus 3500 Platform Switches
       Nexus 3600 Platform Switches
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 7000 Series Switches
       Nexus 7700 Series Switches
       Nexus 9000 Series Switches in standalone NX-OS mode
       Nexus 9500 R-Series Switching Platform

    For information about which Cisco NX-OS Software releases were vulnerable
    at the time of publication, see the Fixed Software section of this
    advisory. See the Details section in the bug ID(s) at the top of this
    advisory for the most complete and current information.

    This vulnerability affects only Cisco NX-OS devices that have the NX-API
    feature enabled. The NX-API feature is disabled by default. To determine
    whether an affected device is configured with the NX-API feature enabled,
    administrators can use the show feature | include nxapi command from the
    Cisco NX-OS CLI and verify that the feature is enabled. The following
    example shows the NX-API feature enabled on a device that is running Cisco
    NX-OS Software:

        nxos-switch# show feature | include nxapi
        nxapi                1        enabled

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       Nexus 1000 Virtual Edge for VMware vSphere
       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode
       UCS 6200 Series Fabric Interconnects
       UCS 6300 Series Fabric Interconnects
       UCS 6400 Series Fabric Interconnects

Details

  o To exploit this vulnerability, a remote attacker must send a crafted HTTP
    or HTTPS packet to external NX-API.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page , to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following table
    (s) was accurate. See the Details section in the bug ID(s) at the top of
    this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    MDS 9000 Series Multilayer Switches: CSCvn26502

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    5.2                            Not vulnerable
    6.2                            Not vulnerable
    7.3                            8.3(2)
    8.1                            8.3(2)
    8.2                            8.3(2)
    8.3                            8.3(2)
    8.4                            Not vulnerable

    Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
    NX-OS Mode: CSCvn31273

    Cisco NX-OS Software Release     First Fixed Release for This Vulnerability
    Earlier than 6.0(2)U4            Not vulnerable
    6.0(2)U4, 6.0(2)U5, and 6.0(2)U6 7.0(3)I4(9)
    6.1(2)I1                         Not vulnerable
    6.1(2)I2 and 6.1(2)I3            7.0(3)I4(9)
    7.0(3)I4                         7.0(3)I4(9)
    7.0(3)I7                         7.0(3)I7(6)
    9.2                              9.2(3)
    9.3                              Not vulnerable

    Nexus 3500 Platform Switches: CSCvn31273

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    Earlier than 6.0(2)A           Not vulnerable
    6.0(2)A8                       6.0(2)A8(11a)
    7.0(3)I7                       7.0(3)I7(6)
    9.2                            9.2(3)
    9.3                            Not vulnerable

    Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform: 
    CSCvn31273

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    7.0(3)F                        9.2(3)
    9.2                            9.2(3)
    9.3                            Not vulnerable

    Nexus 5500 and 5600 Platform Switches and Nexus 6000 Series Switches: 
    CSCvn57900

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    Earlier than 7.1               Not vulnerable
    7.1                            7.3(5)N1(1)
    7.2                            7.3(5)N1(1)
    7.3                            7.3(5)N1(1)

    Nexus 7000 and 7700 Series Switches: CSCvn26502

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    Earlier than 6.2               Not vulnerable
    6.2                            Not vulnerable
    7.2                            7.3(4)D1(1)
    7.3                            7.3(4)D1(1)
    8.0                            8.2(3)
    8.1                            8.2(3)
    8.2                            8.2(3)
    8.3                            8.3(2)
    8.4                            Not vulnerable


    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco
    Nexus Switch, administrators can refer to the following Recommended
    Releases documents. If a security advisory recommends a later release,
    Cisco recommends following the advisory guidance.

        Cisco MDS Series Switches
        Cisco Nexus 1000V for VMware Switch
        Cisco Nexus 3000 Series and 3500 Series Switches
        Cisco Nexus 5000 Series Switches
        Cisco Nexus 5500 Platform Switches
        Cisco Nexus 6000 Series Switches
        Cisco Nexus 7000 Series Switches
        Cisco Nexus 9000 Series Switches
        Cisco Nexus 9000 Series ACI-Mode Switches

    For help determining the best Cisco NX-OS Software release for Cisco UCS,
    refer to the Recommended Releases documents in the release notes for the
    device.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during internal security testing.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-api-dos

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version |       Description        | Section | Status |      Date       |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-28  |
    +---------+--------------------------+---------+--------+-----------------+

- --------------------------------------------------------------------------------

Cisco NX-OS Software Network Time Protocol Denial of Service Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-20190828-nxos-ntp-dos
First Published: 2019 August 28 16:00 GMT
Version 1.0:     Final
Workarounds:     Yes

Cisco Bug IDs:   CSCvm35740CSCvm51138CSCvm51139CSCvm51142

CVE-2019-1967    

CVSS Score:
8.6  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Network Time Protocol (NTP) feature of Cisco NX-OS
    Software could allow an unauthenticated, remote attacker to cause a denial
    of service (DoS) condition on an affected device.

    The vulnerability is due to excessive use of system resources when the
    affected device is logging a drop action for received MODE_PRIVATE (Mode 7)
    NTP packets. An attacker could exploit this vulnerability by flooding the
    device with a steady stream of Mode 7 NTP packets. A successful exploit
    could allow the attacker to cause high CPU and memory usage on the affected
    device, which could cause internal system processes to restart or cause the
    affected device to unexpectedly reload.

    Note: The NTP feature is enabled by default.

    Cisco has released software updates that address this vulnerability. There
    are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-ntp-dos

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected the following Cisco
    products if they were running a vulnerable release of Cisco NX-OS Software
    and had the NTP feature enabled:
       MDS 9000 Series Multilayer Switches
       Nexus 3000 Series Switches
       Nexus 3500 Platform Switches
       Nexus 3600 Platform Switches
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 7000 Series Switches
       Nexus 7700 Series Switches
       Nexus 9000 Series Switches in standalone NX-OS mode
       Nexus 9500 R-Series Switching Platform

    For information about which Cisco NX-OS Software releases were vulnerable
    at the time of publication, see the Fixed Software section of this
    advisory. See the Details section in the bug ID(s) at the top of this
    advisory for the most complete and current information.

    The NTP feature is enabled by default. Administrators can use the show
    running-config | include "feature ntp" command from the Cisco NX-OS CLI to
    verify if the NTP feature has been manually disabled. If the command
    returns empty output, the NTP feature is enabled and the device is
    vulnerable. If the command returns the following output, the NTP feature is
    disabled and the device is not vulnerable:

        nxos-switch# show running-config | include "feature ntp"
        no feature ntp

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       Nexus 1000 Virtual Edge for VMware vSphere
       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode
       UCS 6200 Series Fabric Interconnects
       UCS 6300 Series Fabric Interconnects
       UCS 6400 Series Fabric Interconnects

Indicators of Compromise

  o Exploitation of this vulnerability could cause the affected device to
    generate a constant stream of log messages similar to the following:

        USER-3-SYSTEM_MSG: NTP Receive dropping message: Received NTP private mode packet. Drop count: x  - ntpd

    Customers are advised to contact their support organization to review the
    log messages and determine whether the vulnerability has been exploited on
    the device.

Workarounds

  o Administrators can use the following configuration command on affected
    devices to reduce the logging level for daemons from the default value of 3
    to 2:

        logging level daemon 2

    This would eliminate device exposure to this issue but would cause the
    affected device to stop logging other syslog messages that might be useful
    to monitor device operations.

    Customers who are not using the NTP feature can disable it with the no
    feature ntp configuration command.

Fixed Software

  o When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page , to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following table
    (s) was accurate. See the Details section in the bug ID(s) at the top of
    this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    MDS 9000 Series Multilayer Switches: CSCvm51139

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    5.2                            Not vulnerable
    6.2                            6.2(29) ^1
    7.3                            8.3(2)
    8.1                            8.3(2)
    8.2                            8.3(2)
    8.3                            8.3(2)
    8.4                            Not vulnerable

    1. This release is scheduled for September 2019.

    Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
    NX-OS Mode: CSCvm51138

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    Earlier than 6.0(2)U6          Not vulnerable
    6.0(2)U6                       7.0(3)I7(6)
    7.0(3)I                        7.0(3)I7(6)
    9.2                            9.2(2)
    9.3                            Not vulnerable

    Nexus 3500 Platform Switches: CSCvm51142

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    Earlier than 6.0(2)A6          Not vulnerable
    6.0(2)A8                       6.0(2)A8(11)
    7.0(3)I7                       7.0(3)I7(6)
    9.2                            9.2(2)
    9.3                            Not vulnerable

    Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform: 
    CSCvm51138

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    7.0(3)F                        9.2(2)
    9.2                            9.2(2)
    9.3                            Not vulnerable

    Nexus 5500, 5600, and 6000 Series Switches: CSCvm35740

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    Earlier than 7.1(4)            Not vulnerable
    7.1(4)                         7.3(5)N1(1)
    7.1(5)                         7.3(5)N1(1)
    7.2                            7.3(5)N1(1)
    7.3                            7.3(5)N1(1)

    Nexus 7000 and 7700 Series Switches: CSCvm51139

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    Earlier than 6.2               Not vulnerable
    6.2                            7.3(3)D1(1)
    7.2                            7.3(3)D1(1)
    7.3                            7.3(3)D1(1)
    8.0                            8.2(3)
    8.1                            8.2(3)
    8.2                            8.2(3)
    8.3                            8.3(2)
    8.4                            Not vulnerable


    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco
    Nexus Switch, administrators can refer to the following Recommended
    Releases documents. If a security advisory recommends a later release,
    Cisco recommends following the advisory guidance.

        Cisco MDS Series Switches
        Cisco Nexus 1000V for VMware Switch
        Cisco Nexus 3000 Series and 3500 Series Switches
        Cisco Nexus 5000 Series Switches
        Cisco Nexus 5500 Platform Switches
        Cisco Nexus 6000 Series Switches
        Cisco Nexus 7000 Series Switches
        Cisco Nexus 9000 Series Switches
        Cisco Nexus 9000 Series ACI-Mode Switches

    For help determining the best Cisco NX-OS Software release for Cisco UCS,
    refer to the Recommended Releases documents in the release notes for the
    device.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-ntp-dos

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version |       Description        | Section | Status |      Date       |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-28  |
    +---------+--------------------------+---------+--------+-----------------+

- --------------------------------------------------------------------------------

Cisco NX-OS Software Remote Management Memory Leak Denial of Service
Vulnerability

Priority:        High
Advisory ID:     cisco-sa-20190828-nxos-memleak-dos
First Published: 2019 August 28 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available

Cisco Bug IDs:   CSCvi15409CSCvn50393CSCvn50443CSCvn50446CSCvn52167

CVE-2019-1965    

CWE-400

CVSS Score:
7.7  AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  o A vulnerability in the Virtual Shell (VSH) session management for Cisco
    NX-OS Software could allow an authenticated, remote attacker to cause a VSH
    process to fail to delete upon termination. This can lead to a build-up of
    VSH processes that overtime can deplete system memory. When there is no
    system memory available, this can cause unexpected system behaviors and
    crashes.

    The vulnerability is due to the VSH process not being properly deleted when
    a remote management connection to the device is disconnected. An attacker
    could exploit this vulnerability by repeatedly performing a remote
    management connection to the device and terminating the connection in an
    unexpected manner. A successful exploit could allow the attacker to cause
    the VSH processes to fail to delete, which can lead to a system-wide denial
    of service (DoS) condition. The attacker must have valid user credentials
    to log in to the device using the remote management connection.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-memleak-dos

    This advisory is part of the August 2019 Cisco FXOS and NX-OS Software
    Security Advisory Bundled Publication, which includes five Cisco Security
    Advisories that describe five vulnerabilities. For a complete list of the
    advisories and links to them, see Cisco Event Response: August 2019 Cisco
    FXOS and NX-OS Software Security Advisory Bundled Publication .

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running
    a vulnerable release of Cisco NX-OS Software:

       MDS 9000 Series Multilayer Switches
       Nexus 3000 Series Switches
       Nexus 3500 Platform Switches
       Nexus 3600 Platform Switches
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 7000 Series Switches
       Nexus 7700 Series Switches
       Nexus 9000 Series Switches in standalone NX-OS mode
       Nexus 9500 R-Series Switching Platform
       UCS 6200 Series Fabric Interconnects
       UCS 6300 Series Fabric Interconnects

    For information about which Cisco NX-OS Software releases are vulnerable,
    see the Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       Nexus 1000 Virtual Edge for VMware vSphere
       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode
       UCS 6400 Series Fabric Interconnects

Details

  o The most common example of a remote management protocol is SSH but any
    management protocol including S/FTP, S/COPY and others to the management
    interface could trigger this vulnerability.

Indicators of Compromise

  o Exploitation of this vulnerability can result in several different
    indicators of compromise on an affected device.

    1. Exploitation of this vulnerability can result in a system memory leak
    due to the build-up of zombie VSH processes that were not terminated
    correctly. Administrators can view the process list using the show process 
    NX-OS CLI command, as in the following example:

        # show processes
        PID    State  PC        Start_cnt    TTY   Process
        -----  -----  --------  -----------  ----  -------------
        1574      S   f537a3c            1     - vsh
        2063      S   f537a3c            1     - vsh
        .
        .
        .
        4308       S   f537a3c            1     - vsh
        4690       S   f537a3c            1     - vsh
        4733       S   f537a3c            1     - vsh
        5081       S   f537a3c            1     - vsh
        5949       S   f537a3c            1     - vsh
        6118       S   f537a3c            1     - vsh
        6723       S   f537a3c            1     - vsh
        7315       S   f537a3c            1     - vsh
        9841       S   f537a3c            1     - vsh
        12866      S   f537a3c            1     - vsh
        13465      S   f537a3c            1     - vsh
        14836      S   f537a3c            1     - vsh
        15568      S   f537a3c            1     - vsh
        18289      S   f537a3c            1     - vsh
        18580      S   f537a3c            1     - vsh
        18601      S   f537a3c            1     - vsh
        19254      S   f537a3c            1     - vsh
        19782      S   f537a3c            1     - vsh
        20367      S   f537a3c            1     - vsh
        20517      S   f537a3c            1     - vsh
        20931      S   f537a3c            1     - vsh
        21753      S   f537a3c            1     - vsh
        22728      S   f537a3c            1     - vsh
        23544      S   f537a3c            1     - vsh
        23947      S   f537a3c            1     - vsh
        24825      S   f537a3c            1     - vsh
        25139      S   f537a3c            1     - vsh
        25862      S   f537a3c            1     - vsh
        26172      S   f537a3c            1     - vsh
        26334      S   f537a3c            1     - vsh
        26691      S   f537a3c            1     - vsh
        27303      S   f537a3c            1     - vsh
        28750      S   f537a3c            1     - vsh

    2. Exploitation of this vulnerability can result in the following error
    message when a user has a remote connection on the device:

        Error: Too many open files in system

    3. Exploitation of this vulnerability could cause an affected device to
    reload and generate a core file. Because the core file is the end result of
    the system memory leak, the actual process to crash can be different each
    time. To view the device core files, administrators can use the show core 
    command in the NX-OS CLI. Contact the Cisco Technical Assistance Center
    (TAC) to review the core file and determine whether the device has been
    compromised by exploitation of this vulnerability.

Workarounds

  o There are no workarounds that address this vulnerability.

    Mitigation for Cisco NX-OS Software-Configure a VTY Access Class

    On some platforms that are running Cisco NX-OS Software, it is possible to
    limit exposure of an affected device by creating a vty access control list
    (ACL) on the device and configuring the ACL to permit only known, trusted
    devices to connect to the device via Telnet and Secure Shell (SSH).

    This mitigation is not available on some platforms that are running Cisco
    NX-OS and should be used only where applicable.

    There is no Cisco UCS mitigation that addresses this vulnerability.

    The ACL in this example is for IPv4. This vulnerability can also be
    exploited against IPv6 interfaces. If the NX-OS device is configured for
    IPv6, the same ACL should be configured for the IPv6 address range.

    The following example shows an ACL that permits access to vtys from the
    192.168.1.0/24 netblock and the single IP address 172.16.1.2 while denying
    access from all other addresses:

        ip access-list vtyacl
          10 permit tcp 192.168.1.0/24 172.16.1.2/32 line vty
          access-class vtyacl in

    For more information about restricting traffic to vtys, see the Cisco Nexus
    7000 Series NX-OS Security Configuration Guide . It is considered a best
    practice for an NX-OS device to have a vty ACL configured. Refer to the
    Cisco Guide to Securing Cisco NX-OS Software Devices for additional
    information about hardening Cisco NX-OS devices.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers may only install and expect support
    for software versions and feature sets for which they have purchased a
    license. By installing, downloading, accessing, or otherwise using such
    software upgrades, customers agree to follow the terms of the Cisco
    software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page , to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Fixed Releases

    Customers are advised to upgrade to an appropriate release as indicated in
    the applicable table in this section. To help ensure a complete upgrade
    solution, customers should consider that this advisory is part of a bundled
    publication. The following page provides a complete list of bundle
    advisories: Cisco Event Response: August 2019 Cisco FXOS and NX-OS Software
    Security Advisory Bundled Publication .

    In the following table(s), the left column lists releases of Cisco FXOS
    Software or Cisco NX-OS Software. The center column indicates whether a
    release is affected by the vulnerability described in this advisory and the
    first release that includes the fix for this vulnerability. The right
    column indicates whether a release is affected by all the vulnerabilities
    described in this bundle and which release includes fixes for those
    vulnerabilities.

    MDS 9000 Series Multilayer Switches: CSCvn50393

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    5.2            6.2(27)              6.2(29) ^1
    6.2            6.2(27)              6.2(29) ^1
    7.3            8.4(1)               8.4(1)
    8.1            8.4(1)               8.4(1)
    8.2            8.4(1)               8.4(1)
    8.3            8.4(1)               8.4(1)
    8.4            Not vulnerable       Not vulnerable

    1. This release is scheduled for September 2019.

    Nexus 3000 Series Switches and Nexus 9000 Series Switches in Standalone
    NX-OS Mode: CSCvi15409

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    Earlier than   7.0(3)I4(9)          7.0(3)I4(9)
    7.0(3)I4
    7.0(3)I4       7.0(3)I4(9)          7.0(3)I4(9)
    7.0(3)I7       7.0(3)I7(4)          7.0(3)I7(6)
    9.2            Not vulnerable       9.2(3)
    9.3            Not vulnerable       Not vulnerable

    Nexus 3500 Platform Switches : CSCvi15409

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    6.0(2)A        6.0(2)A8(11)         6.0(2)A8(11)
    7.0(3)I7       7.0(3)I7(4)          7.0(3)I7(6)
    9.2            Not vulnerable       9.2(3)
    9.3            Not vulnerable       Not vulnerable

    Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform: 
    CSCvi15409

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    7.0(3)         9.2(1)               9.2(3)
    9.2            Not vulnerable       9.2(3)
    9.4            Not vulnerable       Not vulnerable

    Nexus 5500, 5600, and 6000 Series Switches: CSCvn50446

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    Earlier than   7.1(5)N1(1b)         7.1(5)N1(1b)
    7.1
    7.1            7.1(5)N1(1b)         7.1(5)N1(1b)
    7.3            7.3(5)N1(1)          7.3(5)N1(1)

    Nexus 7000 and 7700 Series Switches: CSCvn50443

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    Earlier than   6.2(22)              6.2(22)
    6.2
    6.2            6.2(22)              6.2(22)
    7.2            7.3(4)D1(1)          7.3(4)D1(1)
    7.3            7.3(4)D1(1)          7.3(4)D1(1)
    8.0            8.2(3)               8.2(3)
    8.1            8.2(3)               8.2(3)
    8.2            8.2(3)               8.2(3)
    8.3            8.4(1)               8.4(1)
    8.4            Not vulnerable       Not vulnerable

    UCS 6200 and 6300 Series Fabric Interconnects: CSCvn52167

    Cisco NX-OS    First Fixed Release  First Fixed Release for All
    Software       for This             Vulnerabilities Described in the Bundle
    Release        Vulnerability        of Advisories
    Earlier than   3.2(3k)              No fix at this time
    3.2
    3.2            3.2(3k)              No fix at this time
    4.0            4.0(2e)              No fix at this time

    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco
    Nexus Switch, administrators can refer to the following Recommended
    Releases documents. If a security advisory recommends a later release,
    Cisco recommends following the advisory guidance.

        Cisco MDS Series Switches
        Cisco Nexus 1000V for VMware Switch
        Cisco Nexus 3000 Series and 3500 Series Switches
        Cisco Nexus 5000 Series Switches
        Cisco Nexus 5500 Platform Switches
        Cisco Nexus 6000 Series Switches
        Cisco Nexus 7000 Series Switches
        Cisco Nexus 9000 Series Switches
        Cisco Nexus 9000 Series ACI-Mode Switches

    For help determining the best Cisco NX-OS Software release for Cisco UCS,
    refer to the Recommended Releases documents in the release notes for the
    device.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Related to This Advisory

  o ERP-72243

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-memleak-dos

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version |       Description        | Section | Status |      Date       |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-28  |
    +---------+--------------------------+---------+--------+-----------------+

- --------------------------------------------------------------------------------

Cisco NX-OS Software SNMP Access Control List Configuration Name Bypass
Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-20190828-nxos-snmp-bypass
First Published: 2019 August 28 16:00 GMT
Version 1.0:     Final
Workarounds:     Yes

Cisco Bug IDs:   CSCvo17439

CVE-2019-1969    

CVSS Score:
5.8  AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:X/RL:X/RC:X

Summary

  o 
    A vulnerability in the implementation of the Simple Network Management
    Protocol (SNMP) Access Control List (ACL) feature of Cisco NX-OS Software
    could allow an unauthenticated, remote attacker to perform SNMP polling of
    an affected device, even if it is configured to deny SNMP traffic.

    The vulnerability is due to an incorrect length check when the configured
    ACL name is the maximum length, which is 32 ASCII characters. An attacker
    could exploit this vulnerability by performing SNMP polling of an affected
    device. A successful exploit could allow the attacker to perform SNMP
    polling that should have been denied. The attacker has no control of the
    configuration of the SNMP ACL name.

    Cisco has released software updates that address this vulnerability. There
    are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-snmp-bypass

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected the following Cisco
    products if they were running a vulnerable release of Cisco NX-OS Software
    with a specific SNMP ACL configured:

       Nexus 3000 Series Switches
       Nexus 3500 Platform Switches
       Nexus 3600 Platform Switches
       Nexus 9000 Series Switches in standalone NX-OS mode
       Nexus 9500 R-Series Switching Platform

    For information about which Cisco NX-OS Software releases were vulnerable
    at the time of publication, see the Fixed Software section of this
    advisory. See the Details section in the bug ID(s) at the top of this
    advisory for the most complete and current information.

    Administrators can use the show running-config | include "snmp-server" 
    command to view the configured SNMP ACL for IPv4:

        nxos-switch# show running-config | include "snmp-server"
         snmp-server user <USER> use-ipv4acl <ACL NAME>

    If this command is present in the running configuration and the ACL name
    has the maximum length of 32 characters, the device should be considered
    vulnerable. This applies to IPv6 SNMP ACLs as well.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

       Firepower 2100 Series
       Firepower 4100 Series
       Firepower 9300 Security Appliances
       MDS 9000 Series Multilayer Switches
       Nexus 1000 Virtual Edge for VMware vSphere
       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 7000 Series Switches
       Nexus 7700 Series Switches
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode
       UCS 6200 Series Fabric Interconnects
       UCS 6300 Series Fabric Interconnects
       UCS 6400 Series Fabric Interconnects

Details

  o To exploit this vulnerability via SNMP Version 2c or earlier, the attacker
    must know the SNMP read-only community string for the affected system. A
    community string is a password that is applied to a device to restrict both
    read-only and read-write access to the SNMP data on the device. These
    community strings, as with all passwords, should be chosen carefully to
    ensure that they are not trivial. They should also be changed at regular
    intervals and in accordance with network security policies. For example,
    the strings should be changed when a network administrator changes roles or
    leaves the organization.

    To exploit this vulnerability via SNMP Version 3, the attacker must have
    user credentials for the affected system.

Workarounds

  o As a workaround, administrators may reconfigure the SNMP ACL name to 31
    characters or less.

Fixed Software

  o When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page , to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    At the time of publication, the release information in the following table
    (s) was accurate. See the Details section in the bug ID(s) at the top of
    this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described in
    this advisory and which release included the fix for this vulnerability.

    Nexus 3000 Series Switches, Nexus 3500 Platform Switches and Nexus 9000
    Series Switches in Standalone NX-OS Mode: CSCvo17439

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    Earlier than 7.0(3)            Not vulnerable
    7.0(3)I4 ^1                    7.0(3)I7(6) ^1
    7.0(3)I7                       7.0(3)I7(6)
    9.2                            9.2(3)
    9.3                            Not vulnerable

    1. The 7.0(3)I4 code train is not applicable to Nexus 3500 Platform
    Switches.

    Nexus 3600 Platform Switches and Nexus 9500 R-Series Switching Platform: 
    CSCvo17439

    Cisco NX-OS Software Release   First Fixed Release for This Vulnerability
    7.0(3)F                        9.2(3)
    9.2                            9.2(3)
    9.3                            Not vulnerable


    Additional Resources

    For help determining the best Cisco NX-OS Software release for a Cisco
    Nexus Switch, administrators can refer to the following Recommended
    Releases documents. If a security advisory recommends a later release,
    Cisco recommends following the advisory guidance.

        Cisco MDS Series Switches
        Cisco Nexus 1000V for VMware Switch
        Cisco Nexus 3000 Series and 3500 Series Switches
        Cisco Nexus 5000 Series Switches
        Cisco Nexus 5500 Platform Switches
        Cisco Nexus 6000 Series Switches
        Cisco Nexus 7000 Series Switches
        Cisco Nexus 9000 Series Switches
        Cisco Nexus 9000 Series ACI-Mode Switches

    For help determining the best Cisco NX-OS Software release for Cisco UCS,
    refer to the Recommended Releases documents in the release notes for the
    device.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during resolution of a Cisco TAC support case.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20190828-nxos-snmp-bypass

Revision History

  o +---------+--------------------------+---------+--------+-----------------+
    | Version |       Description        | Section | Status |      Date       |
    +---------+--------------------------+---------+--------+-----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-August-28  |
    +---------+--------------------------+---------+--------+-----------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXWdMNGaOgq3Tt24GAQi1yBAA0Cr9dSBnsMqK3BBFPDxCS4AgHYUfFPiZ
kwUbVr/0EADWlS0kXF0Jo1O2dIbabCo9OXoC36FaUlKWrIUvrZ++mQoZThmoQgOV
3ZMtPtanY+JqtLk6cDWLvuCBvTuYdlcDiz2DQbNGhDQ+1+wLN5n6wUGRV9gPFOQq
IdRYrZGMzHF7hf+rYlQyydGuFiL3GnZvnEep6RmkLE4XjWWb6eBSHVMlU7guEYq9
xDcyZFXmXSz/LczpZzkQHcHFwuRGPGNGEUMA2FGlK2o3sAhsfNCTLVZ5fThJUsyw
QPZNUoBmYkVvSfLwEWWhA3vl1q4UW62JM5CiSS2AKvlVPeYYM0ew7xzsz/Qx2pXO
DLhUm3HdZptlFrTr7qmWb7bRghL0qI+y32vwPh3m5XM7sDB0UVunVq5pdvPSY2Gx
6Kg5Noz8CUc5qhdpt61tui8OR6P62xZTVMy5XJLmS6+V4ZaABj5t7kpVm9POXJCr
kZ5wAYHlXYvKwvBOdG5hhB9Ux++C50ft2Sj5XC6wG0y98m6ECDfHf379PoXq3KF3
dPygh76RMbKv49AiJHLtMwr/MNx4zCVR1OFBhOEE/j33XDzDdtQbxhZ4yQ5d6bBN
/Ika4b7qItLBHQzEFK1DpE4CWbzI9UJCs0ejlyIeFECTh1vnBH2G79gqJbJZloHS
1IDAUNj+jx8=
=FkBC
-----END PGP SIGNATURE-----