Vulnslist

find the latest Cisco vulnerabilities

Cisco FXOS and NX-OS Software Cisco Discovery Protocol Arbitrary Code Execution and Denial of Service Vulnerability

cisco-sa-20200226-fxos-nxos-cdp · High · Published · Updated

A vulnerability in the Cisco Discovery Protocol feature of Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code as root or cause a denial of service (DoS) condition on an affected device. The vulnerability exists because of insufficiently validated Cisco Discovery Protocol packet headers. An attacker could exploit this vulnerability by sending a crafted Cisco Discovery Protocol packet to a Layer 2-adjacent affected device. A successful exploit could allow the attacker to cause a buffer overflow that could allow the attacker to execute arbitrary code as root or cause a DoS condition on the affected device. Note: Cisco Discovery Protocol is a Layer 2 protocol. To exploit this vulnerability, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). Note: This vulnerability is different from the following Cisco FXOS and NX-OS Software Cisco Discovery Protocol vulnerabilities that Cisco announced on Feb. 5, 2020: Cisco FXOS, IOS XR, and NX-OS Software Cisco Discovery Protocol Denial of Service Vulnerability and Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution Vulnerability. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200226-fxos-nxos-cdp This advisory is part of the February 2020 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication, which includes six Cisco Security Advisories that describe six vulnerabilities. For a complete list of the advisories and links to them, see Cisco Event Response: February 2020 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.

Cisco advisory · CSAF JSON

Workarounds

There are no workarounds that address this vulnerability.

However, customers who do not use the Cisco Discovery Protocol feature can disable it either globally to fully close the attack vector or on individual interfaces to reduce the attack surface.
Disable Cisco Discovery Protocol in Cisco FXOS Software
Cisco Discovery Protocol is always enabled and cannot be disabled in Cisco FXOS Software. In Cisco FXOS Software releases 2.1 and later, Cisco Discovery Protocol is enabled on the management (mgmt0) port only.
Disable Cisco Discovery Protocol Globally on Cisco Nexus Switches That Are Running Cisco NX-OS Software
To disable Cisco Discovery Protocol globally on Cisco Nexus Switches that are running Cisco NX-OS Software, administrators can use the no cdp enable command in global configuration mode, as shown in the following example:

nxos# conf t
Enter configuration commands, one per line. End with CNTL/Z. nxos(config)# no cdp enable nxos(config)# end nxos# copy running-config startup-config [########################################] 100% Copy complete.
Disable Cisco Discovery Protocol on an Interface on Cisco Nexus Switches That Are Running Cisco NX-OS Software
To disable Cisco Discovery Protocol on an interface on Cisco Nexus Switches that are running Cisco NX-OS Software, administrators can use the no cdp enable command in interface configuration mode, as shown in the following example:

nxos# conf t
Enter configuration commands, one per line. End with CNTL/Z. nxos(config)# interface Ethernet1/1 nxos(config-if)# no cdp enable nxos(config-if)# end nxos# copy running-config startup-config [########################################] 100% Copy complete.
Disable Cisco Discovery Protocol on Cisco UCS Fabric Interconnects
Cisco Discovery Protocol cannot be disabled completely on Cisco UCS Fabric Interconnects.

Cisco Discovery Protocol can be disabled on server ports and appliance ports on Cisco CS Fabric Interconnects, but it cannot be disabled on Ethernet uplink ports, Ethernet port channel members, FCoE uplink ports, or management ports.

To disable Cisco Discovery Protocol on the server ports of a Cisco UCS Fabric Interconnect, administrators can use the disable cdp command in the default nw-ctrl-policy in the org scope, as shown in the following example:

ucs-fi# scope org
ucs-fi /org # enter nw-ctrl-policy default ucs-fi /org/nw-ctrl-policy # disable cdp ucs-fi /org/nw-ctrl-policy* # exit ucs-fi /org* # exit ucs-fi* # commit-buffer ucs-fi#

To disable Cisco Discovery Protocol on the appliance ports of a Cisco UCS Fabric Interconnect, administrators can use the disable cdp command in the default nw-ctrl-policy in the eth-storage scope, as shown in the following example:

ucs-fi* # scope eth-storage
ucs-fi /eth-storage* # enter nw-ctrl-policy default ucs-fi /eth-storage/nw-ctrl-policy* # disable cdp ucs-fi /eth-storage/nw-ctrl-policy* # exit ucs-fi /eth-storage* # exit ucs-fi* # commit-buffer ucs-fi#

CVEsCVE-2020-3172
Cisco Bug IDsCSCux07556, CSCux58226, CSCvr37146, CSCvr37148, CSCvr31410, CSCvr37151, CSCvr37150
CVSS ScoreBase 8.8
Base 8.8 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X/RL:X/RC:X
Base 7.4 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Product Names From Source
Cisco Unified Computing System (Managed), Cisco NX-OS Software 6.0(2)A8(1), Cisco NX-OS Software 6.0(2)A8(2), Cisco NX-OS Software 6.0(2)A8(3), Cisco NX-OS Software 6.0(2)A8(4), Cisco NX-OS Software 6.0(2)A8(4a), Cisco NX-OS Software 6.0(2)A8(5), Cisco NX-OS Software 6.0(2)A8(6), Cisco NX-OS Software 6.0(2)A8(7), Cisco NX-OS Software 6.0(2)A8(7a), Cisco NX-OS Software 6.0(2)A8(7b), Cisco NX-OS Software 6.0(2)A8(8), Cisco NX-OS Software 6.0(2)A8(9), Cisco NX-OS Software 6.0(2)A8(10a), Cisco NX-OS Software 6.0(2)A8(10), Cisco NX-OS Software 6.0(2)A8(11), Cisco NX-OS Software 6.0(2)A8(11a), Cisco NX-OS Software 6.0(2)A8(11b), Cisco NX-OS Software 7.3(0)N1(1), Cisco NX-OS Software 7.3(0)N1(1b), Cisco NX-OS Software 7.3(0)N1(1a), Cisco NX-OS Software 7.3(1)N1(1), Cisco NX-OS Software 7.3(2)N1(1), Cisco NX-OS Software 7.3(2)N1(1b), Cisco NX-OS Software 7.3(2)N1(1c), Cisco NX-OS Software 7.3(3)N1(1), Cisco NX-OS Software 7.3(4)N1(1), Cisco NX-OS Software 7.3(4)N1(1a), Cisco NX-OS Software 7.3(5)N1(1), Cisco NX-OS Software 7.3(6)N1(1), Cisco NX-OS Software 7.3(6)N1(1a), Cisco Firepower Extensible Operating System (FXOS) 2.0.1.68, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.201, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.86, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.37, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.135, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.141, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.144, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.148, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.149, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.153, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.159, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.188, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.203, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.204, Cisco Firepower Extensible Operating System (FXOS) 2.0.1.206, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.64, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.73, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.77, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.83, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.85, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.86, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.97, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.106, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.107, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.113, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.115, Cisco Firepower Extensible Operating System (FXOS) 2.1.1.116, Cisco Firepower Extensible Operating System (FXOS) 1.1.1.147, Cisco Firepower Extensible Operating System (FXOS) 1.1.1.160, Cisco Firepower Extensible Operating System (FXOS) 1.1.2.51, Cisco Firepower Extensible Operating System (FXOS) 1.1.2.178, Cisco Firepower Extensible Operating System (FXOS) 1.1.3.84, Cisco Firepower Extensible Operating System (FXOS) 1.1.3.86, Cisco Firepower Extensible Operating System (FXOS) 1.1.3.97, Cisco Firepower Extensible Operating System (FXOS) 1.1.4.95, Cisco Firepower Extensible Operating System (FXOS) 1.1.4.117, Cisco Firepower Extensible Operating System (FXOS) 1.1.4.140, Cisco Firepower Extensible Operating System (FXOS) 1.1.4.169, Cisco Firepower Extensible Operating System (FXOS) 1.1.4.175, Cisco Firepower Extensible Operating System (FXOS) 1.1.4.178, Cisco Firepower Extensible Operating System (FXOS) 1.1.4.179, Cisco Firepower Extensible Operating System (FXOS) 2.2.1.63, Cisco Firepower Extensible Operating System (FXOS) 2.2.1.66, Cisco Firepower Extensible Operating System (FXOS) 2.2.1.70, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.17, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.19, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.24, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.26, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.28, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.54, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.60, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.71, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.83, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.86, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.91, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.97, Cisco Firepower Extensible Operating System (FXOS) 2.2.2.101, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.99, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.93, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.91, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.88, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.75, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.73, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.66, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.58, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.130, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.111, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.110, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.144, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.145, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.155, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.166, Cisco Firepower Extensible Operating System (FXOS) 2.3.1.173, Cisco Firepower Extensible Operating System (FXOS) 2.4.1.101, Cisco Firepower Extensible Operating System (FXOS) 2.4.1.214, Cisco Firepower Extensible Operating System (FXOS) 2.4.1.222, Cisco Firepower Extensible Operating System (FXOS) 2.4.1.234, Cisco Firepower Extensible Operating System (FXOS) 2.4.1.238, Cisco Firepower Extensible Operating System (FXOS) 2.4.1.244, Cisco Firepower Extensible Operating System (FXOS) 2.4.1.249, Cisco Firepower Extensible Operating System (FXOS) 2.4.1.252, Cisco Firepower Extensible Operating System (FXOS) 2.6.1.131, Cisco Firepower Extensible Operating System (FXOS) 2.6.1.157, Cisco Firepower Extensible Operating System (FXOS) 2.6.1.166, Cisco Firepower Extensible Operating System (FXOS) 2.6.1.169, Cisco Firepower Extensible Operating System (FXOS) 2.6.1.174, Cisco Firepower Extensible Operating System (FXOS) 2.7.1.92, Cisco Firepower Extensible Operating System (FXOS) 2.7.1.98, Cisco NX-OS System Software in ACI Mode 12.2(2g), Cisco NX-OS System Software in ACI Mode 13.0(1i), Cisco NX-OS System Software in ACI Mode 13.0(2m), Cisco NX-OS System Software in ACI Mode 13.2(1l), Cisco NX-OS System Software in ACI Mode 13.2(1m), Cisco NX-OS System Software in ACI Mode 13.2(2l), Cisco NX-OS System Software in ACI Mode 13.2(2o), Cisco NX-OS System Software in ACI Mode 13.2(3i), Cisco NX-OS System Software in ACI Mode 13.2(3n), Cisco NX-OS System Software in ACI Mode 13.2(3o), Cisco NX-OS System Software in ACI Mode 13.2(3r), Cisco NX-OS System Software in ACI Mode 13.2(4d), Cisco NX-OS System Software in ACI Mode 13.2(4e), Cisco NX-OS System Software in ACI Mode 13.2(3j), Cisco NX-OS System Software in ACI Mode 13.2(3s), Cisco NX-OS System Software in ACI Mode 13.2(5d), Cisco NX-OS System Software in ACI Mode 13.2(5e), Cisco NX-OS System Software in ACI Mode 13.2(5f), Cisco NX-OS System Software in ACI Mode 13.2(6i), Cisco NX-OS System Software in ACI Mode 13.2(41d), Cisco NX-OS System Software in ACI Mode 13.2(7f), Cisco NX-OS System Software in ACI Mode 13.2(7k), Cisco NX-OS System Software in ACI Mode 14.0(1h), Cisco NX-OS System Software in ACI Mode 14.0(2c), Cisco NX-OS System Software in ACI Mode 14.0(3d), Cisco NX-OS System Software in ACI Mode 14.0(3c), Cisco NX-OS System Software in ACI Mode 14.1(1i), Cisco NX-OS System Software in ACI Mode 14.1(1j), Cisco NX-OS System Software in ACI Mode 14.1(1k), Cisco NX-OS System Software in ACI Mode 14.1(1l), Cisco NX-OS System Software in ACI Mode 14.1(2g), Cisco NX-OS System Software in ACI Mode 14.1(2m), Cisco NX-OS System Software in ACI Mode 14.1(2o), Cisco NX-OS System Software in ACI Mode 14.1(2s), Cisco NX-OS System Software in ACI Mode 14.1(2u), Cisco NX-OS System Software in ACI Mode 14.1(2w), Cisco NX-OS System Software in ACI Mode 14.1(2x), Cisco NX-OS System Software in ACI Mode 14.2(1i), Cisco Firepower Extensible Operating System (FXOS), Cisco NX-OS Software, Cisco NX-OS System Software in ACI Mode, Cisco Nexus 5000 Series Switches, Cisco Nexus 3000 Series Switches, Cisco Nexus 6000 Series Switches, Cisco Nexus 9000 Series Switches

Related Products

Product CVE Evidence
Firepower Extensible Operating System CVE-2020-3172 Cisco OpenVuln
Cisco Unified Computing System (Managed) CVE-2020-3172 Cisco OpenVuln
Cisco Nexus 9000 Series Switches CVE-2020-3172 Cisco OpenVuln
Cisco Nexus 6000 Series Switches CVE-2020-3172 Cisco OpenVuln
Cisco Nexus 5000 Series Switches CVE-2020-3172 Cisco OpenVuln
Cisco Nexus 3000 Series Switches CVE-2020-3172 Cisco OpenVuln
Cisco Nexus 3000 Series Switch CVE-2020-3172 Cisco OpenVuln
Cisco NX-OS System Software in ACI Mode CVE-2020-3172 Cisco OpenVuln
Cisco NX-OS Software CVE-2020-3172 Cisco OpenVuln
Cisco Firepower Extensible Operating System (FXOS) CVE-2020-3172 Cisco OpenVuln
Cisco Firepower Extensible Operating System CVE-2020-3172 Cisco OpenVuln