Cisco addresses vulnerabilities in FXOS, UCS Manager and NX-OS Software

Pierluigi Paganini February 28, 2020

Cisco released security patches for 11 vulnerabilities in its products, including the Cisco UCS Manager, FXOS, and the NX-OS software.

The most severe vulnerabilities, rated as high severity, affect FXOS and NX-OS that could be exploited by an unauthenticated, adjacent attacker to execute arbitrary code as root.

The exploitation of the flaw could trigger a denial of service (DoS) condition.

“All six vulnerabilities have a Security Impact Rating (SIR) of High. Successful exploitation of the vulnerabilities could allow an attacker to gain elevated privileges, execute arbitrary commands, or cause a denial of service (DoS) condition on an affected device.” reads the advisory published by Cisco.

“Two vulnerabilities affect only Cisco NX-OS Software; one vulnerability affects only Cisco UCS Software; two vulnerabilities affect both Cisco FXOS Software and Cisco UCS Software; and one vulnerability affects Cisco FX-OS Software, Cisco NX-OS Software, and UCS Software.”

The first issue tracked as CVE-2020-3172 is caused by the lack of insufficient validation of Cisco Discovery Protocol packet headers. The flaw could be exploited by an attacker to send a crafted packet to a Layer 2-adjacent vulnerable device and trigger a buffer overflow to run arbitrary code or cause a DoS condition.

The vulnerability impacts several devices for which the Discovery Protocol is enabled by default, including Nexus, Firepower, UCS and MDS.

The IT giant fixed a high severity flaw in the UCS Manager software (CVE-2020-3173) that could be exploited by an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS). The flaw impacts UCS 6200, 6300, and 6400 Series Fabric Interconnects.

Cisco also addressed another a high risk DoS vulnerability in NX-OS software for MDS 9000 Series Multilayer Switches, the flaw tracked as CVE-2020-3175 can be exploited by a remote, unauthenticated attacker.

Other high severity issues fixed by the tech giant are:

  • A DoS flaw in Secure Login Enhancements capability of the Nexus 1000V switch for VMware vSphere, tracked as CVE-2020-3168, that could be exploited by an unauthenticated, remote attacker to cause a vulnerable Nexus 1000V Virtual Supervisor Module (VSM) to become inaccessible.
  • A CLI command injection flaw CVE-2020-3167 in FXOS software that could be exploited by an authenticated, local attacker to execute arbitrary commands. The issue affects Firepower and UCS products.
  • A CLI command injection flaw CVE-2020- 3171 in UCS Manager software that could be exploited by an authenticated, local attacker to execute arbitrary commands. The issue affects Firepower and UCS products.

The company also addressed three medium severity vulnerabilities, tracked as CVE-2020-3165, CVE-2020-3174, CVE-2020-3170, in the NX-OS software and two other medium risk bugs in the FXOS software tracked as CVE-2020-3166 and CVE-2020-3169.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, security)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment