Cisco Warns of Critical Nexus 9000 Data Center Flaw

cisco patch vulnerability

Part of a slew of patches from the networking vendor, the CVSS 9.8 bug allows remote takeover of a vulnerable device.

A critical vulnerability in Cisco’s software-defined networking (SDN) software could allow an unauthenticated, remote attacker to connect to a vulnerable data-center switch and take it over, with the privileges of the root user.

The bug (CVE-2019-1804), which has a CVSS severity rating of 9.8 out of 10, exists in the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software, which is part of Cisco’s SDN approach. Enterprises use ACI to deploy and control applications across their infrastructure, including their multicloud footprints, with consistent policies – in theory boosting security and high availability. The Nexus 9000 Series meanwhile is a line of data-center gear.

Unfortunately, Cisco built in a default key pair for the software’s Secure Shell (SSH) key management function; so, the bug allows an attacker to uncover the pairing and connect to a vulnerable Nexus 9000 Series device remotely, as if he or she were the legitimate user.

“An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials,” Cisco explained in its advisory. The flaw is not exploitable over connections made via IPv4.

The bug is present in all devices that run the software, if they are running a Cisco NX-OS software release prior to 14.1(1i). There are no workarounds, so Cisco is encouraging users to update to the latest software release. The fix is only an interim patch, however.

The flaw was discovered by external security researcher Oliver Matula from ERNW Enno Rey Netzwerke.

Cisco also patched an additional 22 high-severity flaws and 18 medium-severity flaws in various products on Wednesday, ranging from denial-of-service issues and privilege escalation to cross-site scripting.

These include another SSH vulnerability (CVE-2019-1859), this time in the authentication process of Cisco Small Business Switches software. An exploit for the high-severity bug would allow an attacker to bypass client-side certificate authentication and revert to password authentication.

“The vulnerability exists because OpenSSH mishandles the authentication process,” Cisco explained in the advisory. “An attacker could exploit this vulnerability by attempting to connect to the device via SSH. A successful exploit could allow the attacker to access the configuration as an administrative user if the default credentials are not changed.”

Another high-rated vulnerability (CVE-2019-1635) in Cisco VoIP phones could lead to them crashing, taking out a business’ phone capabilities. That issue lies in the call-handling functionality of the session initiation protocol (SIP) software for the Cisco IP Phone 7800 Series and 8800 Series; an unauthenticated, remote attacker to cause an affected phone to reload unexpectedly, resulting in denial of service (DoS).

“The vulnerability is due to incomplete error handling when XML data within a SIP packet is parsed,” Cisco said. “An attacker could exploit this vulnerability by sending a SIP packet that contains a malicious XML payload to an affected phone.”

The bad news is that the fix for the Cisco Unified IP 8831 Conference Phone is targeted for late 2019; and no patch at all is available for the Cisco Unified IP 8831 Conference Phone for Third-Party Call Control.

Also notable is a cross-site request forgery (CSRF) bug (CVE-2019-1713) in the web-based management interface of Cisco’s Adaptive Security Appliance (ASA) software. This could allow an unauthenticated, remote attacker to exploit an affected system, thanks to insufficient CSRF protections for ASA’s web-based management interface.

“An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link,” according to the advisory. “A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user. If the user has administrative privileges, the attacker could alter the configuration of, extract information from, or reload an affected device.”

Suggested articles