Cisco has bundled 25 security advisories that describe 26 vulnerabilities in Cisco NX-OS switch and Firepower FXOS firewall software.
While the 26 alerts describe vulnerabilities that have a Security Impact Rating of “High,” most –23 – affect Cisco NX-OS software, and the remaining three involve both software packages.
The vulnerabilities span a number of problems that would let an attacker gain unauthorized access, gain elevated privileges, execute arbitrary commands, escape the restricted shell, bypass the system image verification checks or cause denial of service (DoS) conditions, Cisco said.
It has released software fixes for all the vulnerabilities, and none of the problems affect Cisco IOS software or Cisco IOS XE software, the company said.
Information about which Cisco FXOS Software and Cisco NX-OS Software releases are vulnerable and what to do about it is available in the fixed software section of the advisory.
LDAP implementation vulnerability
The worst of the vulnerabilities – with a Common Vulnerability Scoring System rating of 8.6 out of 10 – are found in the implementation of the Lightweight Directory Access Protocol (LDAP) feature in Cisco FXOS and Cisco NX-OS software. The problem could let an unauthenticated, remote attacker cause an affected device to reload, resulting in a denial of service (DoS) condition, Cisco stated.
“The vulnerabilities are due to the improper parsing of LDAP packets by an affected device. An attacker could exploit these vulnerabilities by sending an LDAP packet crafted using Basic Encoding Rules (BER) to an affected device,” Cisco wrote. “The LDAP packet must have a source IP address of an LDAP server configured on the targeted device.”
The vulnerability affects a number of products from the Firepower 4100 Series Next-Generation Firewall and Firepower 9300 Security Appliance to MDS 9000 Series Multilayer Switches, Nexus 3000, 3500, 7000, 9000 Series Switches and UCS 6200, 6300 Series Fabric Interconnects.
Tetration Analytics vulnerability
Another highly ranked vulnerability is in the Cisco Tetration Analytics agent for Nexus 9000 series switches in standalone NX-OS mode which could let an authenticated, local attacker execute arbitrary root code. An attacker could exploit this vulnerability by replacing valid agent files with malicious code. A successful exploit could result in the execution of code supplied by the attacker, Cisco said in the advisory. The vulnerability is due to an incorrect permissions setting.
The Cisco Tetration Analytics system gathers information from hardware and software sensors and analyzes the information using big data analytics and machine learning to offer IT managers a deeper understanding of their data center resources. The idea behind Tetration includes the ability to dramatically improve enterprise security monitoring, simplify operational reliability.
A couple vulnerabilities in the Nexus software could let attackers gain elevated privileges on the switches and execute nefarious commands.
The first weakness is due to an incorrect authorization check of user accounts and their associated group ID, Cisco wrote. “An attacker could exploit this vulnerability by taking advantage of a logic error that will permit the use of higher privileged commands than what is necessarily assigned. A successful exploit could allow an attacker to execute commands with elevated privileges on the underlying Linux shell of an affected device.”
The problem affects Nexus 3000, 3500, 7000, 7700, 9000 and Series Switches and Nexus 9500 R-Series Line Cards and Fabric Modules.
The second exposure is due to insufficient authorization enforcement. An attacker could exploit this vulnerability by authenticating to the targeted device and executing commands that could lead to elevated privileges. A successful exploit could allow an attacker to make configuration changes to the system as administrator.
The problem affects Nexus 3000, 3500, 3600, 9000 and Nexus 9500 R-Series line cards and fabric.
Warning to secure POAP provisioning tool
Cisco also released an Informational advisory for Cisco Nexus switches using the automatic provisioning or zero-touch-deployment feature called PowerOn Auto Provisioning (POAP).
Cisco said the feature assists in automating the initial deployment and configuration of Nexus switches, and the POAP feature disables itself after a configuration is applied. But Cisco said it is critical to properly secure networks in which POAP is employed.
“Some customers may want to disable the POAP feature and use other methods to configure a Nexus device out of the box,” Cisco stated.
To this end, Cisco wrote that it has added multiple new commands to disable POAP that will persist across a reset to factory defaults and the removal of a configuration. For guidelines on securing a POAP environment, as well as information about disabling the feature, see the details and recommendations sections.