Cisco's Nexus switches open to DoS attacks

Data center portfolio vulnerable due to anomaly in NX-OS IP stack

Cisco this week issued a security advisory for a vulnerability in its NX-OS operating system, the software driving its Nexus data center switches. The vulnerability could leave the switches open to denial of service (DoS) attacks, the advisory states.

Specifically, the glitch affects Cisco's Nexus 1000v, 5000 and 7000 data center switches. It could cause those switches, if they are running affected versions of the NX-OS software, to reload when the IP stack processes a malformed packet and obtaining Layer 4 UDP or TCP information from the packet is required.

NX-OS Software versions prior to the first fixed release are affected. Cisco says it has released free software updates that address the vulnerability. The advisory includes a list of affected NX-OS versions and their associated fixed releases; there are no workarounds.

The vulnerability is in the operating system's IP stack, so any feature that makes use of the services that are offered by the IP stack to process IP packets is affected. The advisory provided the following scenarios which could trigger the vulnerability:

  • A malformed, transit IP packet that would normally be forwarded by the switch is received and the Time-to-live (TTL) is 1. In this case, an ICMP error message (time exceeded) needs to be generated. During generation of this ICMP message, the bug could be triggered.
  • Policy-based routing is in use, and to make a routing decision, an incoming packet needs to be parsed. If the packet is a malformed TCP segment and the routing policy uses TCP information for routing decisions, then this bug could be triggered.
  • An egress Access Control List (ACL) is applied to an interface and a malformed IP packet that needs to be forwarded through that interface is received.

Cisco cautions that other scenarios that require accessing Layer 4 information of a malformed IP packet may also trigger the vulnerability. Both transit traffic (traffic flowing through the switch) and traffic destined to the switch itself may trigger the behavior, the advisory states. A Nexus switch that has a configured IP address is affected even if that address is used only for management and the switch is configured as a pure Layer 2 device with no Layer 3 packet forwarding.
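The common thread in the scenarios above is a stack that reaches into the Layer 4 header of a packet whose IP header lengths cannot be trusted. The following is an added illustration, not Cisco's code or anything from the advisory: a small IPv4 parser that validates every length field before using it as an offset, so a malformed packet yields `None` instead of an out-of-bounds read. The packets it runs on are constructed inline (addresses 10.0.0.1 and 10.0.0.2, ports and TTL values are arbitrary) and the `build_ipv4` helper is an assumption made for the example.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17


def extract_l4_ports(packet: bytes):
    """Return (protocol, src_port, dst_port) for an IPv4 packet carrying TCP or
    UDP, or None when the packet is malformed or has no usable Layer 4 header.
    Every length is checked before it is used as an offset."""
    if len(packet) < 20:
        return None                      # shorter than a minimal IPv4 header
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum = struct.unpack(
        "!BBHHHBBH", packet[:12])
    if ver_ihl >> 4 != 4:
        return None                      # not IPv4
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        return None                      # IHL claims more header than exists
    if total_len < ihl or total_len > len(packet):
        return None                      # total length inconsistent with buffer
    if flags_frag & 0x1FFF:
        return None                      # non-first fragment: no L4 header here
    l4 = packet[ihl:total_len]
    if proto == IPPROTO_TCP:
        if len(l4) < 20:
            return None                  # truncated TCP header
        src, dst = struct.unpack("!HH", l4[:4])
        data_off = (l4[12] >> 4) * 4
        if data_off < 20 or data_off > len(l4):
            return None                  # bogus TCP data offset
        return ("tcp", src, dst)
    if proto == IPPROTO_UDP:
        if len(l4) < 8:
            return None                  # truncated UDP header
        src, dst, udp_len, _c = struct.unpack("!HHHH", l4[:8])
        if udp_len < 8 or udp_len > len(l4):
            return None                  # UDP length inconsistent with buffer
        return ("udp", src, dst)
    return None                          # other protocols carry no ports


def build_ipv4(proto, payload, ihl_words=5, total_len=None, frag_off=0, ttl=1):
    """Constructed test packet builder (assumption for this example). It writes
    only a 20-byte header regardless of ihl_words, which is how the IHL-too-large
    case below is produced. Checksums are left as zero."""
    if total_len is None:
        total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, 0,
                      frag_off, ttl, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


# Constructed sample Layer 4 headers: a TCP SYN 1234 -> 80 and a UDP datagram 53 -> 5353.
TCP_HDR = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
UDP_HDR = struct.pack("!HHHH", 53, 5353, 8, 0)

SAMPLES = {
    "good_tcp": build_ipv4(IPPROTO_TCP, TCP_HDR),
    "good_udp": build_ipv4(IPPROTO_UDP, UDP_HDR),
    "ihl_too_large": build_ipv4(IPPROTO_TCP, TCP_HDR, ihl_words=15),
    "truncated_tcp": build_ipv4(IPPROTO_TCP, TCP_HDR[:8]),
    "lying_total_len": build_ipv4(IPPROTO_TCP, TCP_HDR, total_len=200),
    "later_fragment": build_ipv4(IPPROTO_TCP, TCP_HDR, frag_off=0x0010),
}


def classify_all():
    """Run the extractor over every constructed sample; None marks a packet the
    stack must refuse to parse further rather than reaching into it."""
    return {name: extract_l4_ports(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name:16s} -> {result}")
```

The point of the bounds checks is that the decision to emit an ICMP time-exceeded message, consult a policy-based routing rule or evaluate an egress ACL must not depend on header fields that were never validated; a stack that rejects the packet at the first inconsistency logs a drop instead of reloading.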

Repeated exploitation of the reload vulnerability could result in a sustained DoS condition, the Cisco advisory states.

Cisco says its Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability. US-CERT also flagged it.

Cisco says the vulnerability was discovered while working on customer support cases.

Cisco issued a series of advisories on vulnerabilities in its IOS software last fall.




Copyright © 2012 IDG Communications, Inc.
