Cisco security updates address five critical issues in NX-OS Software

Pierluigi Paganini June 21, 2018

Cisco released security patches for more than 30 vulnerabilities, including five Critical arbitrary code execution issues affecting the NX-OS Software

Cisco released security patches for more than 30 vulnerabilities including five Critical arbitrary code execution issues affecting the NX-API feature of NX-OS Software (CVE-2018-0301) and the Fabric Services component of FXOS Software and NX-OS Software (CVE-2018-0308, CVE-2018-0304, CVE-2018-0314, and CVE-2018-0312).

The vulnerabilities can be remotely exploited by unauthenticated attackers to trigger a buffer overflow and execute arbitrary code (as root, in some circumstances), cause a denial of service (DoS) condition, or read sensitive memory content on vulnerable devices.

According to Cisco, many devices are affected by the critical vulnerabilities, including Nexus 3000 Series Switches to Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules, UCS 6100 to UCS 6300 Series Fabric Interconnects, Firepower 4100 and Firepower 9300 products, and MDS 9000 Series Multilayer Switches.

The security updates also address High-risk vulnerabilities in NX-OS Software and FXOS Software that affect the Nexus 4000 Series Switch, Nexus 3000 and 9000 Series, and the Firepower 4100 Series and Firepower 9300 Security Appliance.

The vulnerabilities affecting NX-OS include:

  • command injection in the CLI and NX-API;
  • denial of service (DoS) in the Simple Network Management Protocol (SNMP) input packet processor;
  • elevation of privilege in role-based access control (RBAC);
  • remote code execution and DoS in the Internet Group Management Protocol (IGMP) Snooping feature;
  • DoS in the Border Gateway Protocol (BGP) implementation;
  • elevation of privilege in NX-API.


Security updates issued by Cisco also addressed DoS flaws in the SNMP feature of the Cisco Nexus 4000 Series Switch and in the implementation of a specific CLI command and the associated SNMP MIB for Cisco Nexus 3000 and 9000 Series Switches.

Further details on the vulnerabilities and the affected products are available on the Cisco Security Advisories and Alerts page.


Pierluigi Paganini

(Security Affairs – NX-OS Software, Cisco)
