Cisco patches critical Nexus flaws: Are your switches vulnerable?

You'll need to wade through Cisco's advisories to work out if software you're running is vulnerable or already fixed.
Written by Liam Tung, Contributing Writer

Cisco patches critical Smart Install flaw: 8.5 million devices affected.

Cisco has released fixes for 34 flaws in its software, including 24 that affect its FXOS software for Firepower firewalls and NX-OS software for Nexus switches.

Cisco's June updates include fixes for five critical arbitrary code execution vulnerabilities affecting FXOS and NX-OS and 19 high-rated flaws affecting the software.

A dozen of them affect both FXOS and NX-OS, while the remaining only affect NX-OS. Cisco says that none of the flaws affects its IOS or IOS XE software.

Four of the critical flaws affect FXOS and NX-OS Cisco Fabric Services, while the fifth one affects the NX-API feature of NX-OS. All have a CVSS v3 score of 9.8 out of a maximum of 10.

The four affecting Cisco Fabric Services are because FXOS/NX-OS "insufficiently validates header values in Cisco Fabric Services packets".

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

Cisco Fabric Services facilitate distribution and synchronization of configuration data between Cisco devices on the same network.

Some of the flaws allow an unauthenticated, remote attack to execute arbitrary code and one allows an attacker to do so as root.

Multiple switches are vulnerable if they've been configured to use Cisco Fabric Services, including its Nexus 2000 series through to Nexus 9000 series switches, as well as Cisco's Firepower 4100 Series Next-Gen Firewalls and other hardware.

The insufficient input validation may occur when FXOS and NX-OS process Cisco Fabric Services packets received during distribution and synchronization.

There are various ways to exploit each of the flaws, depending on what Cisco Fabric Services distribution types have been configured.

For example, if Fibre Channel ports are configured as a distribution type for a device, the attack could occur via Fibre Channel over Ethernet (FCoE) or Fibre Channel over IP (FCIP).

Cisco has already rolled out fixes in some releases of FXOS and NX-OS. It has provided tables for each affected switch and firewall, detailing the first fixed release for each specific vulnerability, as well as the first fixed release that covers a collection of 19 flaws detailed in a separate 'event response' advisory. All the flaws detailed in the separate advisory are high-rated flaws.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Cisco posted a blog this week explaining why it often fixes bugs in IOS and NX-OS releases before disclosing them in an advisory.

It's a practice that appears to cause confusion for customers wondering why it hasn't told them fixed code has been available for several months before it discloses them. Cisco's answer is that some flaws affect more than 50 versions of its software.

"There have been some questions as to why creating fixes and releasing updates can take several weeks, or sometimes even months, before an advisory is published," Cisco's Customer Assurance Security Programs team wrote.

"In some cases, there is a large number of supported software versions to be updated. The number of affected versions that will be updated can range from single digits to nearly 50 or more. We are committed to issuing fixes for every one of those supported versions."

"If we disclosed the vulnerability after only fixing one release, we would unnecessarily expose all customers running other releases to potential exploitation once details about the attack itself became public."

There are also 10 medium-severity flaws, including one that affects some WebEx endpoints due to an already disclosed flaw in Nvidia's Tegra TX1 chips.

Previous and related coverage

Cisco critical flaw warning: These 10/10 severity bugs need patching now

Cisco's software for managing software-defined networks has three critical, remotely exploitable vulnerabilities.

Cisco security: Russia, Iran switches hit by attackers who leave US flag on screens

Hackers use Cisco gear to send Russia a message not to mess with US elections.

Cisco's warning: Watch out for government hackers targeting your network

Cisco urges Smart Install client users to patch and securely configure the software.

Cisco critical flaw: At least 8.5 million switches open to attack, so patch now

Cisco patches a severe flaw in switch deployment software that can be attacked with crafted messages sent to a port that's open by default.

Cisco: Update now to fix critical hardcoded password bug, remote code execution flaw

Cisco patches two serious authentication bugs and a Java deserialization flaw.

Cisco: Severe bug in our security appliances is now under attack

A proof-of-concept exploit for Cisco's 10-out-of-10 severity bug surfaces days after researcher details his attack.

Cisco: You need to patch our security devices again for dangerous ASA VPN bug

Cisco has warned that its original fix for the 10/10-severity ASA VPN flaw was

Cisco 'waited 80 days' before revealing it had been patching its critical VPN flaw

Updated: Cisco should do more to help companies secure their network gear, says one customer.

Cisco switch flaw led to attacks on critical infrastructure in several countries (TechRepublic)

The attack targets the Cisco Smart Install Client, and as many as 168,000 systems could be vulnerable.

Adobe Acrobat vulnerability can compromise you with just a click (CNET)

Pro tip: Never click on a PDF from an unknown source.

Editorial standards