Cisco warns: These Nexus switches have been hit by a serious security flaw

Proof-of-concept exploit code is publicly available for a high-severity security flaw affecting Cisco's Nexus switches.
Written by Liam Tung, Contributing Writer

Cisco has warned customers with Nexus switches running its NX-OS software to install updates to address a serious flaw that allows a remote attacker to bypass network access controls and route malicious internet traffic to internal networks. 

This bug, tracked as CVE-2020-10136, can be used to trigger a denial of service on affected Nexus switches or, more worryingly, route traffic from an attacker's machine to a target's internal network after bypassing input Access Control Lists (ACLs) for filtering incoming internet traffic. 

Several of Cisco's widely used Nexus switches harbor a flaw that causes the device to "unexpectedly decapsulate and process IP in IP packets that are destined to a locally configured IP address, even when no tunnel configuration is present". 

The IETF RFC 2003 specification for the IP-in-IP tunneling protocol allows for IP packets to be wrapped or encapsulated inside other IP packets, with the traffic remaining unencrypted at all times. 

Vijay Sarvepalli of the US CERT Coordination Center (CERT/CC) explains that the protocol unwraps the inner IP packet and forwards it through IP routing tables, but a device becomes vulnerable if it accepts these packets from anywhere without restrictions. 

"An IP-in-IP device is considered to be vulnerable if it accepts IP-in-IP packets from any source to any destination without explicit configuration between the specified source and destination IP addresses," writes Sarvepalli. 

And that's the problem affecting multiple Cisco Nexus NX-OS devices that support IP-in-IP packet encapsulation and decapsulation: they aren't meant to decapsulate and process any IP in IP traffic to a device's tunnel interface unless it's been manually configured with ACL inbound tunnel controls.

"A successful exploit could cause the affected device to unexpectedly decapsulate the IP in IP packet and forward the inner IP packet. This may result in IP packets bypassing input access control lists (ACLs) configured on the affected device or other security boundaries defined elsewhere in the network," Cisco notes.

"Any input ACL configured on an inbound interface of the affected device is evaluated against the IP fields on the carrier IP packet prior to decapsulation; it would not be evaluated on the passenger IP packet," Cisco further explains. 

"This may result in the passenger IP packet bypassing the intended ACL filtering. This may also allow the passenger IP packet to bypass other security boundaries that might be defined in the network path to the affected device in the presence of network filtering techniques that only inspect the outer IP header and not the inner IP packet."

Beyond this, an attacker who repeatedly exploits the bug can cause the device's network stack to crash, resulting in a denial of service on the affected switch. 

Cisco has given the bug a severity score of 8.6 out of a possible 10. 

CERT/CC says the bug could result in a reflective distributed denial-of-service attack, information leakage and network control bypass. 

For those who can't immediately install updates, CERT/CC's Sarvepalli says affected customers can prevent IP-in-IP packets by filtering IP protocol 4 packets at the upstream router or another device. Sarvepalli stresses that this filtering is for IP protocol header value of 4, as opposed to IPv4.
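The following is an added illustration, not code from Cisco, CERT/CC or the researcher: it models Cisco's description above (the input ACL is evaluated against the carrier header, the passenger packet is then decapsulated and forwarded) beside the CERT/CC mitigation of dropping IP protocol 4 before the ACL is consulted. The device address, the internal range and the ACL rule are constructed assumptions.

```python
import struct
import ipaddress

IPPROTO_IPIP = 4  # protocol field value in the IP header (RFC 2003), not the IP version

def parse_ipv4(raw):
    """Parse the fixed fields of an IPv4 header; return (proto, src, dst, payload)."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    return proto, src, dst, raw[ihl:]

def ipv4_header(proto, src, dst, payload_len):
    """Build a minimal 20-byte IPv4 header for constructed sample data (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

# Hypothetical input ACL: deny anything destined for the internal 10.0.0.0/8 range.
DENIED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def acl_denies(dst):
    return any(ipaddress.ip_address(dst) in n for n in DENIED_NETS)

def outer_only_check(raw):
    """Models the vulnerable behaviour: the ACL sees only the carrier header,
    then the device decapsulates and forwards the passenger packet unchecked."""
    proto, _, dst, payload = parse_ipv4(raw)
    if acl_denies(dst):
        return "drop"
    if proto == IPPROTO_IPIP:
        _, _, inner_dst, _ = parse_ipv4(payload)
        return f"forward to {inner_dst}"
    return f"forward to {dst}"

def hardened_check(raw):
    """CERT/CC mitigation: filter IP protocol 4 upstream before any ACL evaluation."""
    proto, _, dst, _ = parse_ipv4(raw)
    if proto == IPPROTO_IPIP:
        return "drop"
    return "drop" if acl_denies(dst) else f"forward to {dst}"

# Constructed sample: carrier packet addressed to the device's own IP (192.0.2.1)
# carrying a passenger packet for an internal host (10.0.0.5) that the ACL should block.
_inner = ipv4_header(17, "198.51.100.7", "10.0.0.5", 0)
SAMPLE = ipv4_header(IPPROTO_IPIP, "198.51.100.7", "192.0.2.1", len(_inner)) + _inner
```

The outer-only path forwards the sample to 10.0.0.5 because the ACL only ever saw 192.0.2.1, while the protocol-4 filter drops it before decapsulation.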

Cisco also suggests this measure, but first advises customers to use "infrastructure access control lists (iACLs) to allow only strictly required management and control plane traffic that is destined to the affected device".

Yannay Livneh, the security researcher who reported the bug to Cisco, has published proof-of-concept exploit code on GitHub for admins to use to test whether they have vulnerable Nexus devices on the network. The code lets admins verify whether the device supports IP-in-IP encapsulation from arbitrary sources to arbitrary destinations. 

However, Cisco notes that it has not observed malicious activity exploiting this flaw. 

Affected Nexus switches include:

  • Nexus 1000 Virtual Edge for VMware vSphere
  • Nexus 1000V Switch for Microsoft Hyper-V
  • Nexus 1000V Switch for VMware vSphere
  • Nexus 3000 Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode
  • UCS 6200 Series Fabric Interconnects
  • UCS 6300 Series Fabric Interconnects
