Cisco Nexus 9000 Series Fabric Switches in ACI Mode Link Layer Discovery Protocol Memory Leak Denial of Service Vulnerability
cisco-sa-aci-lldp-dos-ySCNZOpX · High · Published · Updated
A vulnerability in the Link Layer Discovery Protocol (LLDP) feature for Cisco Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) Mode could allow an unauthenticated, adjacent attacker to cause a memory leak, which could result in an unexpected reload of the device. This vulnerability is due to incorrect error checking when parsing ingress LLDP packets. An attacker could exploit this vulnerability by sending a steady stream of crafted LLDP packets to an affected device. A successful exploit could allow the attacker to cause a memory leak, which could result in a denial of service (DoS) condition when the device unexpectedly reloads. Note: This vulnerability cannot be exploited by transit traffic through the device. The crafted LLDP packet must be targeted to a directly connected interface, and the attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent). In addition, the attack surface for this vulnerability can be reduced by disabling LLDP on interfaces where it is not required. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-lldp-dos-ySCNZOpX This advisory is part of the February 2023 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: February 2023 Semiannual Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.
There are no workarounds that address this vulnerability.
However, if LLDP is not enabled on an interface, this vulnerability cannot be exploited on that interface. As a mitigation, disable LLDP on all interfaces where it is not required. Use the CLI commands no lldp transmit and no lldp receive. For additional information, see Cisco APIC Layer 2 Networking Configuration Guide https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/L2_config/b_Cisco_APIC_Layer_2_Configuration_Guide/b_Cisco_APIC_Layer_2_Configuration_Guide_chapter_0100.html .
While this mitigation has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
Base 7.4 Base 7.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Product Names From Source
Cisco NX-OS System Software in ACI Mode, Cisco NX-OS System Software in ACI Mode 15.2(1g), Cisco NX-OS System Software in ACI Mode 15.2(2e), Cisco NX-OS System Software in ACI Mode 15.2(2f), Cisco NX-OS System Software in ACI Mode 15.2(2g), Cisco NX-OS System Software in ACI Mode 15.2(2h), Cisco NX-OS System Software in ACI Mode 15.2(3e), Cisco NX-OS System Software in ACI Mode 15.2(3f), Cisco NX-OS System Software in ACI Mode 15.2(3g), Cisco NX-OS System Software in ACI Mode 15.2(4d), Cisco NX-OS System Software in ACI Mode 15.2(4e), Cisco NX-OS System Software in ACI Mode 15.2(5c), Cisco NX-OS System Software in ACI Mode 15.2(5d), Cisco NX-OS System Software in ACI Mode 15.2(5e), Cisco NX-OS System Software in ACI Mode 15.2(4f), Cisco NX-OS System Software in ACI Mode 16.0(1g), Cisco NX-OS System Software in ACI Mode 16.0(1j), Cisco Nexus 9000 Series Switches