Cisco released security patches for more than 30 vulnerabilities including five Critical arbitrary code execution issues affecting the NX-API feature of NX-OS Software (CVE-2018-0301) and the Fabric Services component of FXOS Software and NX-OS Software (CVE-2018-0308, CVE-2018-0304, CVE-2018-0314, and CVE-2018-0312).
The vulnerabilities can be remotely exploited by unauthenticated attackers to trigger a buffer overflow and execute arbitrary code (as root, in some circumstances), cause a denial of service (DoS) condition, or read sensitive memory content on vulnerable devices.
According to CISCO, many devices are affected by the critical vulnerabilities, including Nexus 3000 Series Switches to Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules, UCS 6100 to UCS 6300 Series Fabric Interconnects, Firepower 4100 and Firepower 9300 products, and MDS 9000 Series Multilayer Switches.
Security updates also address High-risk vulnerabilities affecting NX-OS Software and FXOS Software, affecting Nexus 4000 Series Switch, Nexus 3000 and 9000 Series, and Firepower 4100 Series and Firepower 9300 Security Appliance.
The vulnerabilities affecting NX-OS include:
Security updates issued by Cisco also addressed DoS flaws in the SNMP feature of the Cisco Nexus 4000 Series Switch and in the implementation of a specific CLI command and the associated SNMP MIB for Cisco Nexus 3000 and 9000 Series Switches.
Further details on the vulnerabilities and the affected products are available on Cisco Security Advisories and AlertsCisco Security Advisories and Alerts page.
(Security Affairs – NX-OS Software, Cisco)