NX-OS-hit! Got Cisco Nexus and MDS 9000 switches? Then you've got patching to do, too

Oof. Crop of vulns include remote code execution as root


Cisco has published patches for a plethora of problems with its products, including vulns that could trigger denial-of-service conditions – and a sneaky one that "could allow an authenticated, remote attacker to execute arbitrary commands with root privileges".

The root vuln exists in the NX-API feature of Cisco's NX-OS switch operating system and comes about because NX-API does not correctly validate user-inputted data.

According to Cisco: "An attacker could exploit this vulnerability by sending malicious HTTP or HTTPS packets to the management interface of an affected system that has the NX-API feature enabled." These packets are seemingly not authenticated, allowing a random person to gain full control over the target device.

NX-API is disabled by default. The vuln affects a large number of Cisco's Nexus (n)000 series switches as well as the MDS 9000 Series. Although the vuln has been allocated a CVE number (2019-1614), no further details of the exploit are publicly available at the time of writing. Patches are available from the Cisco website.
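Because the flaw is only reachable where NX-API has been switched on, a first triage step is to find which switches have it enabled. The following is an added example, not code from the article or from Cisco: it scans saved running-config text for the NX-OS configuration lines `feature nxapi`, `nxapi http port`, `nxapi https port` and `nxapi use-vrf`. The hostnames and config excerpts are constructed for illustration.

```python
import re

# Constructed sample running-config excerpts (not from real devices).
SAMPLE_CONFIGS = {
    "nexus-a": """\
hostname nexus-a
feature nxapi
nxapi http port 8080
nxapi https port 8443
""",
    "nexus-b": """\
hostname nexus-b
feature lldp
no feature nxapi
""",
    "nexus-c": """\
hostname nexus-c
feature nxapi
nxapi use-vrf management
""",
}

def audit_nxapi(config_text):
    """Parse NX-API state (enabled flag, explicit ports, VRF) from config text."""
    result = {"enabled": False, "http_port": None, "https_port": None, "vrf": None}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "feature nxapi":
            result["enabled"] = True
        elif line == "no feature nxapi":
            result["enabled"] = False
        elif m := re.fullmatch(r"nxapi (http|https) port (\d+)", line):
            result[f"{m.group(1)}_port"] = int(m.group(2))
        elif m := re.fullmatch(r"nxapi use-vrf (\S+)", line):
            result["vrf"] = m.group(1)
    return result

def needs_patch_review(configs):
    """Hosts with NX-API enabled, the precondition Cisco states for the flaw."""
    return sorted(h for h, cfg in configs.items() if audit_nxapi(cfg)["enabled"])

if __name__ == "__main__":
    for host in needs_patch_review(SAMPLE_CONFIGS):
        print(host, audit_nxapi(SAMPLE_CONFIGS[host]))
```

A host on this list is a candidate for priority patching, not a confirmed vulnerable device; whether it is affected depends on the NX-OS release it runs, which must be checked against Cisco's advisory.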

D'ohS

Another NX-OS vuln disclosed by Switchzilla today exists in the OS's network stack. It allows a miscreant to trigger a denial-of-service condition by crapflooding switches running NX-OS with "crafted TCP streams" in a "sustained" way. This causes the stack to "run out of available buffers", in Cisco's words, eventually overwhelming the switch and causing it to go and curl up in the corner for a while, gently rocking and murmuring to itself about load balancing.

NX-OS has also been patched for a second DoS trigger, this time one that exists in Cisco's implementation of LDAP in both NX-OS and Cisco FXOS. Improper parsing of LDAP packets causes a condition that could be exploited by an attacker who has the IP address "of an LDAP server configured on the targeted device". A successful exploit causes the target device to reboot, triggering a temporary DoS condition. Patches are available here.

Cisco's full set of patches issued this week for NX-OS and FXOS devices is available on its website. Last year a slightly more critical set of NX-OS and FXOS patches was pushed out in June. Happy installing! ®
