Cisco has warned customers with Nexus switches running its NX-OS software to install updates to address a serious flaw that allows a remote attacker to bypass network access controls and route malicious internet traffic to internal networks.
This bug, tracked as CVE-2020-10136, can be used to trigger a denial of service on affected Nexus switches or, more worryingly, route traffic from an attacker's machine to a target's internal network after bypassing input Access Control Lists (ACLs) for filtering incoming internet traffic.
Several of Cisco's widely used Nexus switches harbor a flaw that causes the device to "unexpectedly decapsulate and process IP in IP packets that are destined to a locally configured IP address, even when no tunnel configuration is present".
The IETF RFC 2003 specification for the IP-in-IP tunneling protocol allows for IP packets to be wrapped or encapsulated inside other IP packets, with the traffic remaining unencrypted at all times.
Vijay Sarvepalli of the US CERT Coordination Center (CERT/CC) explains that the protocol unwraps the inner IP packet and forwards it through IP routing tables, but a device becomes vulnerable if it accepts these packets from anywhere without restrictions.
"An IP-in-IP device is considered to be vulnerable if it accepts IP-in-IP packets from any source to any destination without explicit configuration between the specified source and destination IP addresses," writes Sarvepalli.
And that's the problem affecting multiple Cisco Nexus NX-OS devices that support IP-in-IP packet encapsulation and decapsulation: they aren't meant to decapsulate and process any IP in IP traffic to a device's tunnel interface unless it's been manually configured with ACL inbound tunnel controls.
"A successful exploit could cause the affected device to unexpectedly decapsulate the IP in IP packet and forward the inner IP packet. This may result in IP packets bypassing input access control lists (ACLs) configured on the affected device or other security boundaries defined elsewhere in the network," Cisco notes.
"Any input ACL configured on an inbound interface of the affected device is evaluated against the IP fields on the carrier IP packet prior to decapsulation; it would not be evaluated on the passenger IP packet," Cisco further explains.
"This may result in the passenger IP packet bypassing the intended ACL filtering. This may also allow the passenger IP packet to bypass other security boundaries that might be defined in the network path to the affected device in the presence of network filtering techniques that only inspect the outer IP header and not the inner IP packet."
Beyond this, an attacker who repeatedly exploits the bug can cause the device's network stack to crash, resulting in a denial of service on the affected switch.
Cisco has given the bug a severity score of 8.6 out of a possible 10.
CERT/CC says the bug could result in a reflective distributed denial-of-service attack, information leakage and network control bypass.
For those who can't immediately install updates, CERT/CC's Sarvepalli says affected customers can prevent IP-in-IP packets by filtering IP protocol 4 packets at the upstream router or another device. Sarvepalli stresses that this filtering is for IP protocol header value of 4, as opposed to IPv4.
Cisco also suggests this measure, but first advises customers to use "infrastructure access control lists (iACLs) to allow only strictly required management and control plane traffic that is destined to the affected device".
Yannay Livneh, the security researcher who reported the bug to Cisco, has published proof-of-concept exploit code on GitHub for admins to use to test whether they have vulnerable Nexus devices on the network. The code lets admins verify whether the device supports IP-in-IP encapsulation from arbitrary sources to arbitrary destinations.
However, Cisco notes that it has not observed malicious activity exploiting this flaw.
Affected Nexus switches include:
- Nexus 1000 Virtual Edge for VMware vSphere
- Nexus 1000V Switch for Microsoft Hyper-V
- Nexus 1000V Switch for VMware vSphere
- Nexus 3000 Series Switches
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 7000 Series Switches
- Nexus 9000 Series Switches in standalone NX-OS mode
- UCS 6200 Series Fabric Interconnects
- UCS 6300 Series Fabric Interconnects