Cisco has patched a high-severity flaw that could lead to denial-of-service attacks on its Nexus switch lineup.
Cisco has patched a high-severity flaw in its NX-OS software, the network operating system used by Cisco’s Nexus-series Ethernet switches.
If exploited, the vulnerability could allow an unauthenticated, remote attacker to bypass the input access control lists (ACLs) configured on affected Nexus switches – and launch a denial-of-service (DoS) attack against the devices.
“A successful exploit could cause the affected device to unexpectedly decapsulate the IP-in-IP packet and forward the inner IP packet,” according to Cisco’s security advisory, published on Monday. “This may result in IP packets bypassing input ACLs configured on the affected device or other security boundaries defined elsewhere in the network.”
The vulnerability (CVE-2020-10136) stems from the network stack of Cisco’s NX-OS software. Specifically, it exists in a tunneling protocol called IP-in-IP encapsulation (IP protocol number 4), which allows an IP packet to be carried as the payload of another IP packet. The IP-in-IP implementation on the affected software accepted IP-in-IP packets from any source, to any destination, without an explicitly configured tunnel between the given source and destination IP addresses. Because the input ACL is evaluated against the outer header, and the inner packet is then decapsulated and forwarded, an attacker controls the source and destination addresses that the ACL never sees.
An attacker could exploit this issue by sending a crafted IP-in-IP packet to an affected device. Cisco said that under “certain conditions,” the crafted packets could cause the network stack process to crash and restart multiple times, ultimately leading to a DoS condition on affected devices.
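As an added illustration (not code from the original article, from Cisco, or from Livneh’s PoC), the following Python model shows why unconditional IP-in-IP decapsulation defeats an input ACL, and what the fix looks like in principle: decapsulate only for an explicitly configured (outer source, outer destination) tunnel, and re-evaluate the ACL on the inner header. The ACL entries, addresses and tunnel table are constructed for the example; the packet builder and parser implement the standard 20-byte IPv4 header with its one’s-complement checksum.

```python
import ipaddress
import struct
from typing import Optional

IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP (RFC 2003)


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words of the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the IPv4 header, verifying version, IHL and header checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if ip_checksum(pkt[:ihl]) != 0:  # a valid header sums to all-ones, so ~sum == 0
        raise ValueError("bad header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "proto": pkt[9],
        "payload": pkt[ihl:total_len],
    }


# Constructed input ACL: deny the 203.0.113.0/24 block from reaching 10.10.0.0/16, permit all else.
INPUT_ACL = [
    (ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("10.10.0.0/16"), "deny"),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("0.0.0.0/0"), "permit"),
]


def acl_permits(acl, src: str, dst: str) -> bool:
    """First-match ACL evaluation; implicit deny if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def forward_vulnerable(pkt: bytes, acl) -> Optional[dict]:
    """Models the flawed behaviour: the ACL sees only the outer header, and any
    protocol-4 packet is decapsulated and its inner packet forwarded, with no
    check that a tunnel was configured for this source/destination pair."""
    outer = parse_ipv4(pkt)
    if not acl_permits(acl, outer["src"], outer["dst"]):
        return None
    if outer["proto"] == IPPROTO_IPIP:
        return parse_ipv4(outer["payload"])  # inner packet forwarded unchecked
    return outer


def forward_hardened(pkt: bytes, acl, tunnels: set) -> Optional[dict]:
    """Decapsulate only for an explicitly configured (outer_src, outer_dst)
    tunnel, then re-run the input ACL against the inner header."""
    outer = parse_ipv4(pkt)
    if not acl_permits(acl, outer["src"], outer["dst"]):
        return None
    if outer["proto"] != IPPROTO_IPIP:
        return outer
    if (outer["src"], outer["dst"]) not in tunnels:
        return None  # no tunnel configured for this pair: drop, do not decapsulate
    inner = parse_ipv4(outer["payload"])
    if not acl_permits(acl, inner["src"], inner["dst"]):
        return None
    return inner


# Constructed traffic. The hostile inner packet comes from a denied source; the outer
# wrapper comes from a permitted source, addressed to the switch itself (10.10.0.1).
INNER_HOSTILE = build_ipv4("203.0.113.7", "10.10.5.5", 17, b"\x00" * 8)
OUTER_HOSTILE = build_ipv4("198.51.100.9", "10.10.0.1", IPPROTO_IPIP, INNER_HOSTILE)
INNER_BENIGN = build_ipv4("172.16.0.2", "10.10.5.5", 17, b"\x00" * 8)
OUTER_BENIGN = build_ipv4("198.51.100.9", "10.10.0.1", IPPROTO_IPIP, INNER_BENIGN)
TUNNELS = {("198.51.100.9", "10.10.0.1")}

if __name__ == "__main__":
    print("direct hostile packet:", forward_vulnerable(INNER_HOSTILE, INPUT_ACL))
    print("tunneled, vulnerable :", forward_vulnerable(OUTER_HOSTILE, INPUT_ACL))
    print("tunneled, hardened   :", forward_hardened(OUTER_HOSTILE, INPUT_ACL, TUNNELS))
    print("benign, hardened     :", forward_hardened(OUTER_BENIGN, INPUT_ACL, TUNNELS))
```

Sent directly, the hostile packet is dropped by the ACL; wrapped in an IP-in-IP header from a permitted source, the vulnerable forwarder hands the same inner packet onward with its denied 203.0.113.7 source intact. The hardened path drops it twice over: once because no tunnel is configured for an arbitrary sender, and again because the inner header fails the ACL. The model does not reproduce the crash-and-restart DoS that Cisco describes; it only shows the ACL-bypass half of the advisory.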
Specifically impacted by the flaw are the Nexus 1000, 3000, 5500, 5600, 6000, 7000 and 9000 series, as well as Cisco Unified Computing System (UCS) 6200 and 6300 Series Fabric Interconnects (see a full list of affected models below). Users can also check whether their version of Cisco NX-OS is affected using the software checker tool available on Cisco’s advisory.
Customers can update to the latest patched release, and, “if a device has the capability to disable IP-in-IP in its configuration, it is recommended that you disable IP-in-IP in all interfaces that do not require this feature,” according to a Tuesday CERT Coordination Center notice. “Device makers are urged to disable IP-in-IP in their default configuration and to require their users to explicitly configure IP-in-IP as and when needed.”
Proof-of-concept (PoC) exploit code was released for the bug by Yannay Livneh, who had also discovered the flaw.
“You can use this code to verify if your device supports default IP-in-IP encapsulation from arbitrary sources to arbitrary destinations,” said Livneh on GitHub. “The intended use of this code requires at least two more devices, with a distinct IP address for each of these two devices.”
Cisco said it is “not aware of any public announcements or malicious use of the vulnerability.” The vulnerability scores 8.6 out of 10 on the CVSS scale, making it high severity.
The flaw comes a week after Cisco announced that attackers were able to compromise its servers after exploiting two known, critical SaltStack vulnerabilities. The flaws exist in the open-source Salt management framework, which is used in Cisco network-tooling products.