NX-OS-hit! Got Cisco Nexus and MDS 9000 switches? Then you've got patching to do, too
Oof. Crop of vulns include remote code execution as root
Cisco has published patches for a plethora of problems with its products, including vulns that could trigger denial-of-service conditions – and a sneaky one that "could allow an authenticated, remote attacker to execute arbitrary commands with root privileges".
root vuln exists in the NX-API feature of Cisco's NX-OS switch operating system and comes about because NX-API does not correctly validate user-inputted data.
According to Cisco: "An attacker could exploit this vulnerability by sending malicious HTTP or HTTPS packets to the management interface of an affected system that has the NX-API feature enabled." These packets are seemingly not authenticated, allowing a random person to gain full control over the target device.
NX-API is disabled by default. The vuln affects a large number of Cisco's Nexus (n)000 series switches as well as the MDS 9000 Series. Although the vuln has been allocated a CVE number (2019-1614), no further details of the exploit are publicly available at the time of writing. Patches are available from the Cisco website.
Another NX-OS vuln disclosed by Switchzilla today exists in the OS's network stack. It allows a miscreant to trigger a denial-of-service condition by crapflooding switches running NX-OS with "crafted TCP streams" in a "sustained" way. This causes the stack to "run out of available buffers", in Cisco's words, eventually overwhelming the switch and causing it to go and curl up in the corner for a while, gently rocking and murmuring to itself about load balancing.
NX-OS has also been patched for a second DoS trigger, this time one that exists in Cisco's implementation of LDAP in both NX-OS and Cisco FXOS. Improper parsing of LDAP packets causes a condition that could be exploited by an attacker who has the IP address "of an LDAP server configured on the targeted device". A successful exploit causes the target device to reboot, triggering a temporary DoS condition. Patches are available here.
Cisco's full set of patches issued this week for NX-OS and FXOS devices are all available on its website. Last year a slightly more critical set of NX-OS and FXOS were pushed out in June. Happy installing! ®