Vulnslist


Cisco FXOS and NX-OS System Software Authentication, Authorization, and Accounting Denial of Service Vulnerability

cisco-sa-20171018-aaavty · High · Published · Updated

A vulnerability in the authentication, authorization, and accounting (AAA) implementation of Cisco Firepower Extensible Operating System (FXOS) and NX-OS System Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

The vulnerability occurs because AAA processes prevent the NX-OS System Manager from receiving keepalive messages when an affected device receives a high rate of login attempts, such as in a brute-force login attack. System memory can run low on the FXOS devices under the same conditions, which could cause the AAA process to unexpectedly restart or cause the device to reload.

An attacker could exploit this vulnerability by performing a brute-force login attack against a device that is configured with AAA security services. A successful exploit could allow the attacker to cause the affected device to reload.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

Note: Previous versions of this advisory recommended upgrading the Cisco NX-OS Software Release and configuring the login block-for CLI command to prevent this vulnerability. Cisco has since become aware that the login block-for CLI command may not function as desired in all cases. This does not apply to Cisco FXOS. Please refer to the Details section for additional information.

This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-aaavty

Workarounds

Cisco NX-OS System Software

Configuring a vty Access Class

On some platforms that are running Cisco NX-OS System Software, it is possible to limit exposure of an affected device by creating a vty access-control list (ACL) on the device and configuring the ACL to permit only known, trusted devices to connect to the device via Telnet and Secure Shell (SSH).

Note:

This workaround is not available on some platforms that are running Cisco NX-OS, and should be used only where applicable.
There is no Cisco UCS workaround that addresses this vulnerability.
The ACL in this example is for IPv4. This vulnerability can also be exploited against IPv6 interfaces. If the NX-OS device is configured for IPv6, the same ACL should be configured for the IPv6 address range.
The following example shows an ACL that permits access to vtys from the 192.168.1.0/24 netblock and the single IP address 172.16.1.2 while denying access from all other addresses (each entry names the permitted source first and any destination; the ACL's implicit deny at the end drops every other source):
ip access-list vtyacl
  10 permit tcp 192.168.1.0/24 any
  20 permit tcp 172.16.1.2/32 any
line vty
  access-class vtyacl in
For more information about restricting traffic to vtys, see the Cisco Nexus 7000 Series NX-OS Security Configuration Guide http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6-x_chapter_01110.html#task_1452624 . It is considered a best practice for an NX-OS device to have a vty ACL configured. Refer to Cisco Guide to Securing Cisco NX-OS Software Devices http://www.cisco.com/c/en/us/about/security-center/securing-nx-os.html for additional information about hardening Cisco NX-OS devices.
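As an added example (not part of the Cisco advisory), a small Python audit that parses an NX-OS running-config in the form shown above and reports vty lines with no inbound access-class, access-class references to ACLs that do not exist, and permit entries whose source lies outside an operator-supplied list of trusted prefixes; the sample config is constructed, and the `ipv6 access-class NAME in` form under `line vty` is assumed syntax.

```python
import ipaddress
# Constructed NX-OS config fragment for illustration; seq 30 is the deliberate slip.
SAMPLE_CONFIG = """\
ip access-list vtyacl
  10 permit tcp 192.168.1.0/24 any
  20 permit tcp host 172.16.1.2 any
  30 permit tcp 10.99.0.0/16 any
line vty
  access-class vtyacl in
"""

def parse_config(config):
    """Return ({acl: [(seq, action, src)]}, [(ip_version, acl)]) for ACLs applied inbound on vty."""
    acls, vty_classes, stanza, name = {}, [], None, None
    for raw in filter(str.strip, config.splitlines()):
        tokens = raw.split()
        if not raw[0].isspace():  # an unindented line opens a new stanza
            stanza = None
            if tokens[:2] in (["ip", "access-list"], ["ipv6", "access-list"]):
                stanza, name = "acl", tokens[2]
                acls.setdefault(name, [])
            elif tokens[:2] == ["line", "vty"]:
                stanza = "vty"
        elif stanza == "acl" and len(tokens) > 3 and tokens[1] in ("permit", "deny"):
            src = tokens[4] if tokens[3] == "host" else tokens[3]  # <seq> <action> <proto> <src> <dst>
            acls[name].append((int(tokens[0]), tokens[1], src))
        elif stanza == "vty" and "access-class" in tokens and tokens[-1] == "in":
            # "access-class NAME in" is IPv4; "ipv6 access-class NAME in" is the assumed IPv6 form
            vty_classes.append((6 if tokens[0] == "ipv6" else 4, tokens[tokens.index("access-class") + 1]))
    return acls, vty_classes

def audit_vty_acl(config, trusted_prefixes):
    """Report every way the config falls short of 'trusted hosts only' on the vty lines."""
    acls, vty_classes = parse_config(config)
    trusted = [ipaddress.ip_network(p) for p in trusted_prefixes]
    findings = []
    for version in sorted({t.version for t in trusted}):  # advisory note: IPv6 needs its own ACL
        if version not in {v for v, _ in vty_classes}:
            findings.append(f"line vty has no IPv{version} access-class")
    for _, acl in vty_classes:
        if acl not in acls:
            findings.append(f"access-class {acl} references an ACL that does not exist")
            continue
        for seq, action, src in acls[acl]:
            if action == "permit":
                net = None if src == "any" else ipaddress.ip_network(src, strict=False)
                if net is None or not any(net.version == t.version and net.subnet_of(t) for t in trusted):
                    findings.append(f"{acl} seq {seq} permits untrusted source {src}")
    return findings
```

Run it against `show running-config` output with the list of management prefixes your operations team actually uses; an empty result means every vty permit entry is covered by a trusted prefix.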

Cisco FXOS

On Cisco FXOS platforms, it is possible to limit the exposure of an affected device by using the ip-block command to permit only known, trusted hosts to connect to the device via SSH. The following example shows only a subset of IPv4 and IPv6 hosts being permitted to connect via SSH:
scope system
scope services
create ip-block 11.1.1.1 24 ssh
create ipv6-block 2014::10:76:78:107 64 ssh
commit-buffer
For more information about configuring Cisco FXOS IP Access Lists, see the "Configure the IP Access List" section of the Cisco FXOS CLI Configuration Guide https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos211/cli-config/b_CLI_ConfigGuide_FXOS_211/security_certifications_compliance.html .

CVEs: CVE-2017-3883
Cisco Bug IDs: CSCuq58760, CSCuq71257, CSCur97432, CSCus05214, CSCux54898, CSCvb93995, CSCvc33141, CSCvd36971, CSCve03660, CSCvf64888, CSCvg41173
CVSS Score: Base 8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X)

Product Names From Source:
Cisco MDS SAN-OS Software, Cisco NX-OS Software 4.1(2), Cisco NX-OS Software 4.1(3), Cisco NX-OS Software 4.1(4), Cisco NX-OS Software 4.1(5), Cisco NX-OS Software 5.0(2a), Cisco NX-OS Software 5.0(3), Cisco NX-OS Software 5.0(5), Cisco NX-OS Software 4.2(2a), Cisco NX-OS Software 4.2(3), Cisco NX-OS Software 4.2(4), Cisco NX-OS Software 4.2(6), Cisco NX-OS Software 4.2(8), Cisco NX-OS Software 5.1(1), Cisco NX-OS Software 5.1(1a), Cisco NX-OS Software 5.1(3), Cisco NX-OS Software 5.1(4), Cisco NX-OS Software 5.1(5), Cisco NX-OS Software 5.1(6), Cisco NX-OS Software 5.2(1), Cisco NX-OS Software 5.2(3a), Cisco NX-OS Software 5.2(4), Cisco NX-OS Software 5.2(5), Cisco NX-OS Software 5.2(7), Cisco NX-OS Software 5.2(9), Cisco NX-OS Software 6.1(1), Cisco NX-OS Software 6.1(2), Cisco NX-OS Software 6.1(3), Cisco NX-OS Software 6.1(4), Cisco NX-OS Software 6.1(4a), Cisco NX-OS Software 6.1(5), Cisco NX-OS Software 6.1(3)S5, Cisco NX-OS Software 6.1(3)S6, Cisco NX-OS Software 4.0(0)N1(1a), Cisco NX-OS Software 4.0(0)N1(2), Cisco NX-OS Software 4.0(0)N1(2a), Cisco NX-OS Software 4.0(1a)N1(1), Cisco NX-OS Software 4.0(1a)N1(1a), Cisco NX-OS Software 4.0(1a)N2(1), Cisco NX-OS Software 4.0(1a)N2(1a), Cisco NX-OS Software 4.1(3)N1(1), Cisco NX-OS Software 4.1(3)N1(1a), Cisco NX-OS Software 4.1(3)N2(1), Cisco NX-OS Software 4.1(3)N2(1a), Cisco NX-OS Software 4.2(1)N1(1), Cisco NX-OS Software 4.2(1)N2(1), Cisco NX-OS Software 4.2(1)N2(1a), Cisco NX-OS Software 4.2(1)SV1(4), Cisco NX-OS Software 4.2(1)SV1(4a), Cisco NX-OS Software 4.2(1)SV1(4b), Cisco NX-OS Software 4.2(1)SV1(5.1), Cisco NX-OS Software 4.2(1)SV1(5.1a), Cisco NX-OS Software 4.2(1)SV1(5.2), Cisco NX-OS Software 4.2(1)SV1(5.2b), Cisco NX-OS Software 4.2(1)SV2(1.1), Cisco NX-OS Software 4.2(1)SV2(1.1a), Cisco NX-OS Software 4.2(1)SV2(2.1), Cisco NX-OS Software 4.2(1)SV2(2.1a), Cisco NX-OS Software 5.0(2)N1(1), Cisco NX-OS Software 5.0(2)N2(1), Cisco NX-OS Software 5.0(2)N2(1a), Cisco NX-OS Software 5.0(3)N1(1c), 
Cisco NX-OS Software 5.0(3)N2(1), Cisco NX-OS Software 5.0(3)N2(2), Cisco NX-OS Software 5.0(3)N2(2a), Cisco NX-OS Software 5.0(3)N2(2b), Cisco NX-OS Software 5.0(3)U1(1), Cisco NX-OS Software 5.0(3)U1(1a), Cisco NX-OS Software 5.0(3)U1(1b), Cisco NX-OS Software 5.0(3)U1(1d), Cisco NX-OS Software 5.0(3)U1(2), Cisco NX-OS Software 5.0(3)U1(2a), Cisco NX-OS Software 5.0(3)U2(1), Cisco NX-OS Software 5.0(3)U2(2), Cisco NX-OS Software 5.0(3)U2(2a), Cisco NX-OS Software 5.0(3)U2(2b), Cisco NX-OS Software 5.0(3)U2(2c), Cisco NX-OS Software 5.0(3)U2(2d), Cisco NX-OS Software 5.0(3)U3(1), Cisco NX-OS Software 5.0(3)U3(2), Cisco NX-OS Software 5.0(3)U3(2a), Cisco NX-OS Software 5.0(3)U3(2b), Cisco NX-OS Software 5.0(3)U4(1), Cisco NX-OS Software 5.0(3)U5(1), Cisco NX-OS Software 5.0(3)U5(1a), Cisco NX-OS Software 5.0(3)U5(1b), Cisco NX-OS Software 5.0(3)U5(1c), Cisco NX-OS Software 5.0(3)U5(1d), Cisco NX-OS Software 5.0(3)U5(1e), Cisco NX-OS Software 5.0(3)U5(1f), Cisco NX-OS Software 5.0(3)U5(1g), Cisco NX-OS Software 5.0(3)U5(1h), Cisco NX-OS Software 5.1(3)N1(1), Cisco NX-OS Software 5.1(3)N1(1a), Cisco NX-OS Software 5.1(3)N2(1), Cisco NX-OS Software 5.1(3)N2(1a), Cisco NX-OS Software 5.1(3)N2(1b), Cisco NX-OS Software 5.1(3)N2(1c), Cisco NX-OS Software 5.2(1)N1(1), Cisco NX-OS Software 5.2(1)N1(1a), Cisco NX-OS Software 5.2(1)N1(1b), Cisco NX-OS Software 5.2(1)N1(2), Cisco NX-OS Software 5.2(1)N1(2a), Cisco NX-OS Software 5.2(1)N1(3), Cisco NX-OS Software 5.2(1)N1(4), Cisco NX-OS Software 5.2(1)N1(5), Cisco NX-OS Software 5.2(1)N1(6), Cisco NX-OS Software 5.2(1)N1(7), Cisco NX-OS Software 5.2(1)N1(8a), Cisco NX-OS Software 5.2(1)N1(8), Cisco NX-OS Software 5.2(1)SM1(5.1), Cisco NX-OS Software 5.2(1)SV3(1.4), Cisco NX-OS Software 5.2(1)SV3(1.1), Cisco NX-OS Software 5.2(1)SV3(1.3), Cisco NX-OS Software 5.2(1)SV3(1.5a), Cisco NX-OS Software 5.2(1)SV3(1.5b), Cisco NX-OS Software 5.2(1)SV3(1.6), Cisco NX-OS Software 5.2(1)SV3(1.10), Cisco NX-OS Software 5.2(1)SV3(1.15), 
Cisco NX-OS Software 5.2(1)SV3(2.1), Cisco NX-OS Software 5.2(1)SV3(2.5), Cisco NX-OS Software 5.2(1)SV3(2.8), Cisco NX-OS Software 5.2(1)SV3(3.1), Cisco NX-OS Software 5.2(9)N1(1), Cisco NX-OS Software 6.0(1), Cisco NX-OS Software 6.0(2), Cisco NX-OS Software 6.0(3), Cisco NX-OS Software 6.0(4), Cisco NX-OS Software 6.0(2)N1(1), Cisco NX-OS Software 6.0(2)N1(2), Cisco NX-OS Software 6.0(2)N1(2a), Cisco NX-OS Software 6.0(2)N2(1), Cisco NX-OS Software 6.0(2)N2(1b), Cisco NX-OS Software 6.0(2)N2(2), Cisco NX-OS Software 6.0(2)N2(3), Cisco NX-OS Software 6.0(2)N2(4), Cisco NX-OS Software 6.0(2)N2(5), Cisco NX-OS Software 6.0(2)N2(5a), Cisco NX-OS Software 6.0(2)N2(6), Cisco NX-OS Software 6.0(2)N2(7), Cisco NX-OS Software 6.0(2)U1(1), Cisco NX-OS Software 6.0(2)U1(2), Cisco NX-OS Software 6.0(2)U1(1a), Cisco NX-OS Software 6.0(2)U1(3), Cisco NX-OS Software 6.0(2)U1(4), Cisco NX-OS Software 6.0(2)U2(1), Cisco NX-OS Software 6.0(2)U2(2), Cisco NX-OS Software 6.0(2)U2(3), Cisco NX-OS Software 6.0(2)U2(4), Cisco NX-OS Software 6.0(2)U2(5), Cisco NX-OS Software 6.0(2)U2(6), Cisco NX-OS Software 6.0(2)U3(1), Cisco NX-OS Software 6.0(2)U3(2), Cisco NX-OS Software 6.0(2)U3(3), Cisco NX-OS Software 6.0(2)U3(4), Cisco NX-OS Software 6.0(2)U3(5), Cisco NX-OS Software 6.0(2)U4(1), Cisco NX-OS Software 6.0(2)U4(2), Cisco NX-OS Software 6.0(2)U4(3), Cisco NX-OS Software 6.0(2)U5(1), Cisco NX-OS Software 6.0(2)U5(2), Cisco NX-OS Software 6.0(2)U5(3), Cisco NX-OS Software 6.0(2)U5(4), Cisco NX-OS Software 6.0(2)U6(1), Cisco NX-OS Software 6.0(2)U6(2), Cisco NX-OS Software 6.0(2)U6(3), Cisco NX-OS Software 6.0(2)U6(4), Cisco NX-OS Software 6.0(2)U6(5), Cisco NX-OS Software 6.0(2)U6(6), Cisco NX-OS Software 6.1(2)I2(1), Cisco NX-OS Software 6.1(2)I2(2), Cisco NX-OS Software 6.1(2)I2(2a), Cisco NX-OS Software 6.1(2)I2(3), Cisco NX-OS Software 6.1(2)I2(2b), Cisco NX-OS Software 6.1(2)I3(1), Cisco NX-OS Software 6.1(2)I3(2), Cisco NX-OS Software 6.1(2)I3(3), Cisco NX-OS Software 
6.1(2)I3(3.78), Cisco NX-OS Software 6.1(2)I3(4), Cisco NX-OS Software 6.2(2), Cisco NX-OS Software 6.2(2a), Cisco NX-OS Software 6.2(6), Cisco NX-OS Software 6.2(6b), Cisco NX-OS Software 6.2(8), Cisco NX-OS Software 6.2(8a), Cisco NX-OS Software 6.2(8b), Cisco NX-OS Software 6.2(10), Cisco NX-OS Software 6.2(12), Cisco NX-OS Software 6.2(14b), Cisco NX-OS Software 6.2(14), Cisco NX-OS Software 6.2(14a), Cisco NX-OS Software 7.0(3), Cisco NX-OS Software 7.0(0)N1(1), Cisco NX-OS Software 7.0(1)N1(1), Cisco NX-OS Software 7.0(1)N1(3), Cisco NX-OS Software 7.0(2)N1(1), Cisco NX-OS Software 7.0(2)N1(1a), Cisco NX-OS Software 7.0(3)I1(1), Cisco NX-OS Software 7.0(3)I1(1a), Cisco NX-OS Software 7.0(3)I1(1b), Cisco NX-OS Software 7.0(3)I1(2), Cisco NX-OS Software 7.0(3)I1(3), Cisco NX-OS Software 7.0(3)I1(3a), Cisco NX-OS Software 7.0(3)I1(3b), Cisco NX-OS Software 7.0(3)I2(1), Cisco NX-OS Software 7.0(3)I2(1a), Cisco NX-OS Software 7.0(3)I2(2), Cisco NX-OS Software 7.0(3)N1(1), Cisco NX-OS Software 7.0(4)N1(1), Cisco NX-OS Software 7.0(4)N1(1a), Cisco NX-OS Software 7.0(5)N1(1), Cisco NX-OS Software 7.0(5)N1(1a), Cisco NX-OS Software 7.0(6)N1(1), Cisco NX-OS Software 7.0(6)N1(4s), Cisco NX-OS Software 7.0(6)N1(3s), Cisco NX-OS Software 7.0(6)N1(2s), Cisco NX-OS Software 7.0(6)N1(1c), Cisco NX-OS Software 7.0(7)N1(1), Cisco NX-OS Software 7.0(7)N1(1b), Cisco NX-OS Software 7.0(7)N1(1a), Cisco NX-OS Software 7.0(8)N1(1), Cisco NX-OS Software 7.0(8)N1(1a), Cisco NX-OS Software 7.1(0)N1(1a), Cisco NX-OS Software 7.1(0)N1(1b), Cisco NX-OS Software 7.1(0)N1(2), Cisco NX-OS Software 7.1(0)N1(1), Cisco NX-OS Software 7.1(1)N1(1), Cisco NX-OS Software 7.1(1)N1(1a), Cisco NX-OS Software 7.1(2)N1(1), Cisco NX-OS Software 7.1(2)N1(1a), Cisco NX-OS Software 7.1(3)N1(1), Cisco NX-OS Software 7.1(3)N1(2), Cisco NX-OS Software 7.1(3)N1(2.1), Cisco NX-OS Software 7.1(3)N1(3.12), Cisco NX-OS Software 7.1(3)N1(5), Cisco NX-OS Software 7.1(3)N1(4), Cisco NX-OS Software 7.1(3)N1(3), Cisco 
NX-OS Software 7.1(3)N1(2a), Cisco NX-OS Software 7.1(3)N1(1b), Cisco NX-OS Software 7.1(4)N1(1), Cisco NX-OS Software 7.1(4)N1(1d), Cisco NX-OS Software 7.1(4)N1(1c), Cisco NX-OS Software 7.1(4)N1(1a), Cisco NX-OS Software 7.1(5)N1(1), Cisco NX-OS Software 7.2(0)D1(0.437), Cisco NX-OS Software 7.2(0)D1(1), Cisco NX-OS Software 7.2(0)N1(1), Cisco NX-OS Software 7.2(0)ZZ(99.1), Cisco NX-OS Software 7.2(1)D1(1), Cisco NX-OS Software 7.2(1)N1(1), Cisco NX-OS Software 7.3(0.2), Cisco NX-OS Software 7.3(0)N1(1), Cisco NX-OS Software 7.3(1)N1(1), Cisco NX-OS Software 7.3(2)D1(1A), Cisco NX-OS Software 7.3(2)D1(1), Cisco NX-OS Software 7.3(2)N1(0.296), Cisco Firepower Extensible Operating System (FXOS) 2.0.1.68, Cisco Firepower Extensible Operating System (FXOS), Cisco NX-OS Software

Related Products

Product                                             | CVE           | Evidence
----------------------------------------------------|---------------|---------------
Firepower Extensible Operating System               | CVE-2017-3883 | Cisco OpenVuln
Cisco NX-OS Software                                | CVE-2017-3883 | Cisco OpenVuln
Cisco MDS SAN-OS Software                           | CVE-2017-3883 | Cisco OpenVuln
Cisco Firepower Extensible Operating System (FXOS)  | CVE-2017-3883 | Cisco OpenVuln
Cisco Firepower Extensible Operating System         | CVE-2017-3883 | Cisco OpenVuln