Cisco has patched a high-severity flaw in its NX-OS software, the network operating system used by Cisco’s Nexus-series Ethernet switches.
If exploited, the vulnerability could allow an unauthenticated, remote attacker to bypass the input access control lists (ACLs) configured on affected Nexus switches – and launch a denial of service (DoS) attacks on the devices.
“A successful exploit could cause the affected device to unexpectedly decapsulate the IP-in-IP packet and forward the inner IP packet,” according to Cisco’s security advisory, published on Monday. “This may result in IP packets bypassing input ACLs configured on the affected device or other security boundaries defined elsewhere in the network.”
The vulnerability (CVE-2020-10136) stems from the network stack of Cisco’s NX-OS software. Specifically, it exists in a tunneling protocol called IP-in-IP encapsulation. This protocol allows IP packets to be encapsulated inside another IP packet. The IP-in-IP protocol on the affected software were accepting IP-in-IP packets from any source — to any destination — without explicit configuration between the specified source and destination IP addresses.
An attacker could exploit this issue by sending a crafted IP-in-IP packet to an affected device. Cisco said that under “certain conditions,” the crafted packets could cause the network stack process to crash and restart multiple times — ultimately leading to DoS for affected devices.
Specifically impacted by the flaw are the Nexus 1000, 3000, 5500, 5600, 6000, 7000 and 9000 series, as well as Cisco Unified Computing System (UCS) 6200 and 06300 Series Fabric Interconnects (see a full list of affected models below). Users can also check whether their version of Cisco NX-OS is impacted using a checking tool available on Cisco’s advisory.
Users can update to the latest patch, and, “if a device has the ability to disable IP-in-IP in its configuration, it is recommended that you disable IP-in-IP in all interfaces that do not require this feature,” according to a Tuesday CERT Coordination Center notice. “Device manufacturers are urged to disable IP-in-IP in their default configuration and to require their customers to explicitly configure IP-in-IP as and when needed.”
Proof-of-concept (PoC) exploit code was released for the bug by Yannay Livneh, who had also discovered the flaw.
“You can use this code to verify if your device supports default IP-in-IP encapsulation from arbitrary sources to arbitrary destinations,” said Livneh on GitHub. “The intended use of this code requires at least two more devices with distinct IP addresses for these two devices.”
Cisco said it is “not aware of any public announcements or malicious use of the vulnerability.” The vulnerability ranks 8.6 out of 10 on the CVSS scale, making it high severity.
The flaw comes a week after Cisco announced that attackers were able to compromise its servers, after exploiting two known, critical SaltStack vulnerabilities. The flaws exist in the open-source Salt management framework, which are used in Cisco network-tooling products.
Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.