Cisco Systems released six security patches tied to its high-end 9000 series networking gear ranging in importance from critical, high and medium severity.
The most serious of the bugs patched by Cisco (rated 9.1 out of 10) could allow a remote and unauthenticated adversary to read or write arbitrary files on to an application protocol interface used in Cisco 9000 series switches designed to manage its software-defined networking data center solution.
This critical vulnerability, tracked as CVE-2021-1577, impacts Cisco Application Policy Infrastructure Controller (APIC) and Cisco Cloud Application Policy Infrastructure Controller (Cloud APIC). APIC is the main architectural component of the Cisco Application Centric Infrastructure, which runs on Cisco Nexus 9000 Series node.
“This vulnerability is due to improper access control. An attacker could exploit this vulnerability by using a specific API endpoint to upload a file to an affected device,” wrote Cisco in its Wednesday security bulletin. Affected products are Cisco APIC and Cisco Cloud APIC.
As with each of the bugs and fixes announced Wednesday, Cisco said mitigations are available for each of the vulnerabilities and it is not aware of any publicly known exploits for those bugs patched. The release Wednesday, which included 15 patches in all, were part of a Cisco “bundled publication” of security fixes for its Firepower eXtensible Operating System and is Linux kernel compatible NX-OS software.
A Nexus of Bug Fixes
Cisco also addressed two high-severity Nexus 9000 bugs (CVE-2021-1586, CVE-2021-1523) and three medium-severity flaw (CVE-2021-1583, CVE-2021-1584, CVE-2021-1591). The two high-severity bugs (both with a base CVSS score of 8.6) are denial of service flaws.
“A vulnerability in the Multi-Pod or Multi-Site network configurations for Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, remote attacker to unexpectedly restart the device, resulting in a denial of service (DoS) condition,” wrote Cisco.
A second high-severity Nexus 9000 series vulnerability is described by Cisco as a flaw in its Fabric Switches ACI Mode Queue Wedge.
“[The flaw] could allow an unauthenticated, remote attacker to cause a queue wedge on a leaf switch, which could result in critical control plane traffic to the device being dropped. This could result in one or more leaf switches being removed from the fabric,” Cisco noted.
Cisco notes that mitigation for this bug requires “a manual intervention to power-cycle the device to recover” after patches have been applied. Affected are generation 1 model N9K (Nexus 9000) series fabric switches.
Critical QNX ‘BadAlloc’ Bugs – Nothing to See Here
On Wednesday, Cisco released a second critical advisory for its gear tied to a QNX operating system bug, reported on August 17 by BlackBerry. That bug, according to BlackBerry, could allow threat actors to take over or launch denial of service attacks on devices and critical infrastructure by exploiting what are called BadAlloc bugs. QNX is BlackBerry’s real-time OS, used in embedded systems such as automobiles, medical devices and handsets.
While Cisco says none of its products are impacted by the QNX bug, it has rated the advisory as critical. “Cisco has completed its investigation into its product line to determine which products may be affected by this vulnerability. No products are known to be affected,” it wrote.
The Cisco advisory outlines switch and router products that “leverage the affected QNX software”, however “Cisco has confirmed that the vulnerability is not exploitable on these platforms.”
Cisco products running QNX include:
- Channelized shared port adapters (SPAs) (CSCvz34866)
- Circuit Emulation over Packet (CEoP) SPAs (CSCvz34865)
- IOS XR 32-bit Software (CSCvz34871)
Note: IOS XR 64-bit Software does not leverage QNX software.
- RF Gateway 10 (CSCvz34869)