Cisco released security patches for more than 30 vulnerabilities, including five Critical arbitrary code execution issues affecting the NX-OS Software
Cisco released security patches for more than 30 vulnerabilities, including five Critical arbitrary code execution issues affecting the NX-API feature of NX-OS Software (CVE-2018-0301) and the Fabric Services component of FXOS Software and NX-OS Software (CVE-2018-0308, CVE-2018-0304, CVE-2018-0314, and CVE-2018-0312).
The vulnerabilities can be remotely exploited by unauthenticated attackers to trigger a buffer overflow and execute arbitrary code (as root, in some circumstances), cause a denial of service (DoS) condition, or read sensitive memory content on vulnerable devices.
According to Cisco, many devices are affected by the critical vulnerabilities, including Nexus 3000 Series Switches to Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules, UCS 6100 to UCS 6300 Series Fabric Interconnects, Firepower 4100 and Firepower 9300 products, and MDS 9000 Series Multilayer Switches.
The security updates also address High-risk vulnerabilities in NX-OS Software and FXOS Software that affect the Nexus 4000 Series Switch, Nexus 3000 and 9000 Series, and the Firepower 4100 Series and Firepower 9300 Security Appliance.
The vulnerabilities affecting NX-OS include:
command injection in the CLI and NX-API;
denial of service (DoS) in the Simple Network Management Protocol (SNMP) input packet processor;
elevation of privilege in role-based access control (RBAC);
remote code execution and DoS in the Internet Group Management Protocol (IGMP) Snooping feature;
DoS in the Border Gateway Protocol (BGP) implementation;
elevation of privilege in NX-API.
Security updates issued by Cisco also addressed DoS flaws in the SNMP feature of the Cisco Nexus 4000 Series Switch and in the implementation of a specific CLI command and the associated SNMP MIB for Cisco Nexus 3000 and 9000 Series Switches.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group. He is also a Security Evangelist, Security Analyst and Freelance Writer.