A security hole in the Cisco Nexus NX-OS platform could be exploited by attackers to launch DoS attacks.
Network equipment manufacturer Cisco has advised customers using its Nexus data center switches to patch a vulnerability that could expose the devices to a denial of service attack. A workaround is also available. Cisco has assigned this vulnerability, discovered in Nexus NX-OS software, a score of 8.6 out of 10 in the Common Vulnerability Scoring System (CVSS), which places the risk at “high”.
According to Cisco, the vulnerability exists because an affected device unexpectedly decapsulates and processes IP-in-IP packets destined for a locally configured IP address. IP-in-IP is a tunneling protocol that wraps an IP packet inside another IP packet. “A successful exploit could cause the affected device to unexpectedly decapsulate the IP-in-IP packet and transmit the inner IP packet. One of the consequences is that IP packets could bypass the access control lists (ACLs) configured on the affected device or other security rules defined elsewhere in the network,” said Cisco. “Under certain conditions, an exploit could cause the network stack process to stop and restart multiple times, triggering a restart of the affected device and creating the conditions for a denial of service (DoS).”
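To illustrate why decapsulation undermines an ACL that is evaluated on the outer header only, here is an added example (not code from Cisco or from the advisory): it parses a constructed IPv4 packet, detects IP-in-IP encapsulation (protocol number 4) and reports whether the inner destination would have been blocked by a toy destination-based ACL. The addresses are constructed documentation-range values, and the ACL model is a deliberate simplification.

```python
"""Added example: detect IP-in-IP (protocol 4) packets and show how the inner
packet's destination can differ from the one an outer-header ACL checked."""
import struct
import ipaddress

IPPROTO_IPIP = 4  # IANA protocol number for IP-in-IP (RFC 2003)


def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) for a sample packet."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


def acl_permits(dst, allowed_dsts):
    """Toy ACL: permit only packets whose destination is in the allowed set."""
    return dst in allowed_dsts


def decapsulate_and_check(pkt, allowed_dsts):
    """Flag IP-in-IP packets whose inner destination the ACL would not have permitted.

    'bypass' is True when the outer header passes the ACL but the inner one would not,
    i.e. the case in which decapsulation lets the inner packet slip past the ACL."""
    _, dst, proto, payload = parse_ipv4(pkt)
    if proto != IPPROTO_IPIP:
        return {"ipip": False, "outer_dst": dst, "inner_dst": None, "bypass": False}
    _, inner_dst, _, _ = parse_ipv4(payload)
    return {"ipip": True, "outer_dst": dst, "inner_dst": inner_dst,
            "bypass": acl_permits(dst, allowed_dsts) and not acl_permits(inner_dst, allowed_dsts)}


def build_sample():
    """Constructed sample: outer packet to the device's own address (192.0.2.10),
    carrying an inner TCP packet addressed to another host (192.0.2.50)."""
    inner = ipv4_header("198.51.100.7", "192.0.2.50", 6, 0)
    return ipv4_header("198.51.100.7", "192.0.2.10", IPPROTO_IPIP, len(inner)) + inner


if __name__ == "__main__":
    print(decapsulate_and_check(build_sample(), {"192.0.2.10"}))
```

Run it to see the outer destination pass the toy ACL while the inner destination would not; a real deployment would run such a check on captured traffic or rely on the iACL/CoPP workaround to drop protocol 4 before it reaches the device.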
Contact support
The vulnerability affects several series of Nexus switches, from the Nexus 1000 Virtual Edge switches for VMware vSphere to the Nexus 9000 series. As Cisco pointed out, a workaround exists: it consists of configuring infrastructure access control lists (iACLs) so that only the required management and control-plane traffic can reach the affected device. This is also recommended by the Cisco Guide to Securing NX-OS Software Devices. “Customers can also explicitly deny all IP packets with protocol number 4 (the number that corresponds to IP-in-IP packets) in their iACLs, if no legitimate IP-in-IP traffic passes through their network. They can also set up a custom Control Plane Policing (CoPP) policy to deny IP-in-IP traffic destined for an affected device. However, support for customizing CoPP varies depending on the Nexus platform and software version.”
Cisco advises customers “to contact Cisco support to assess the feasibility of a workaround and its implementation on an affected device.” The manufacturer also indicated that the Cisco Software Checker identifies the Cisco Security Advisories affecting specific versions of Cisco NX-OS software and indicates the earliest version, known as “First Fixed”, that addresses the vulnerabilities described in each advisory. Free software updates that address the vulnerability are available.