Vulnslist

find the latest Cisco vulnerabilities

Cisco Nexus 3000 and 9000 Series Switches Health Monitoring Diagnostics Denial of Service Vulnerability

cisco-sa-n3kn9k-healthdos-eOqSWK4g · High · Published · Updated

A vulnerability in the health monitoring diagnostics of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, adjacent attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to the incorrect handling of specific Ethernet frames. An attacker could exploit this vulnerability by sending a sustained rate of crafted Ethernet frames to an affected device. A successful exploit could allow the attacker to cause the device to reload. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-n3kn9k-healthdos-eOqSWK4g This advisory is part of the February 2025 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: February 2025 Semiannual Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.

Cisco advisory ·CSAF JSON

Workarounds

There is a workaround that addresses this vulnerability. However, the workaround is not recommended for Cisco NX-OS Software releases that do not include a fix for Field Notice FN72433 https://www.cisco.com/c/en/us/support/docs/field-notices/724/fn72433.html . Implementing the workaround on those releases may result in prolonged control plane instability. For a list of affected releases and additional information, see the field notice https://www.cisco.com/c/en/us/support/docs/field-notices/724/fn72433.html .

To stop the device from reloading when the diagnostic test L2ACLRedirect repeatedly fails, use the following configuration commands to override the default test behavior and only log failures:

nxos# configure
nxos(config)# event manager applet l2acl_override override __L2ACLRedirect
nxos(config-applet)# action 1 syslog priority emergencies msg l2aclFailed

The following syslog messages would then appear in the system log file if the test failed ten consecutive times:

SWITCH %$ VDC-1 %$ %DIAGCLIENT-2-EEM_ACTION_HM_SHUTDOWN: Test has been disabled as a part of default EEM action
SWITCH %$ VDC-1 %$ %DIAG_PORT_LB-2-L2ACLREDIRECT_LOOPBACK_TEST_FAIL: Module:1 Test:L2ACLRedirect Loopback failed 10 consecutive times. Faulty module: affected ports:1 Error:Loopback test failed. Packets lost on the SUP in the receive direction
SWITCH %$ VDC-1 %$ %EEM_ACTION-0-EMERG: l2aclFailed

For Cisco Nexus 3100 and 3200 Series Switches, the failed test would be RewriteEngineLoopback, so the workaround is to override the RewriteEngineLoopback diagnostic test with the following configuration commands:

nxos# configure
nxos(config)# event manager applet rewrite_override override __RewriteEngineLoopback
nxos(config-applet)# action 1 syslog priority emergencies msg RewriteEngineFailed

The following syslog messages would then appear in the system log file if the test failed ten consecutive times:

SWITCH %$ VDC-1 %$ %DIAGCLIENT-2-EEM_ACTION_HM_SHUTDOWN: Test has been disabled as a part of default EEM action
SWITCH %$ VDC-1 %$ %DIAG_PORT_LB-2-L2ACLREDIRECT_LOOPBACK_TEST_FAIL: Module:1 Test:RewriteEngine Loopback failed 10 consecutive times. Faulty module: affected ports:1 Error:Loopback test failed. Packets lost on the SUP in the receive direction
SWITCH %$ VDC-1 %$ %EEM_ACTION-0-EMERG: RewriteEngineFailed

While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

CVEsCVE-2025-20111
Cisco Bug IDsCSCwj98161, CSCwk41797
CVSS ScoreBase 7.4
Base 7.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Product Names From Source
Cisco NX-OS Software 9.3(1), Cisco NX-OS Software 9.3(2), Cisco NX-OS Software 9.3(3), Cisco NX-OS Software 9.3(1z), Cisco NX-OS Software 9.3(4), Cisco NX-OS Software 9.3(5), Cisco NX-OS Software 9.3(6), Cisco NX-OS Software 9.3(5w), Cisco NX-OS Software 9.3(7), Cisco NX-OS Software 9.3(7k), Cisco NX-OS Software 9.3(7a), Cisco NX-OS Software 9.3(8), Cisco NX-OS Software 9.3(9), Cisco NX-OS Software 9.3(10), Cisco NX-OS Software 9.3(11), Cisco NX-OS Software 9.3(12), Cisco NX-OS Software 9.3(13), Cisco NX-OS Software 9.3(14), Cisco NX-OS Software 10.1(1), Cisco NX-OS Software 10.1(2), Cisco NX-OS Software 10.1(2t), Cisco NX-OS Software 10.2(1), Cisco NX-OS Software 10.2(1q), Cisco NX-OS Software 10.2(2), Cisco NX-OS Software 10.2(3), Cisco NX-OS Software 10.2(2a), Cisco NX-OS Software 10.2(3t), Cisco NX-OS Software 10.2(4), Cisco NX-OS Software 10.2(5), Cisco NX-OS Software 10.2(3v), Cisco NX-OS Software 10.2(6), Cisco NX-OS Software 10.2(7), Cisco NX-OS Software 10.2(8), Cisco NX-OS Software 10.3(1), Cisco NX-OS Software 10.3(2), Cisco NX-OS Software 10.3(3), Cisco NX-OS Software 10.3(99w), Cisco NX-OS Software 10.3(3w), Cisco NX-OS Software 10.3(99x), Cisco NX-OS Software 10.3(3o), Cisco NX-OS Software 10.3(4a), Cisco NX-OS Software 10.3(3p), Cisco NX-OS Software 10.3(4), Cisco NX-OS Software 10.3(3q), Cisco NX-OS Software 10.3(3x), Cisco NX-OS Software 10.3(5), Cisco NX-OS Software 10.3(4g), Cisco NX-OS Software 10.3(3r), Cisco NX-OS Software 10.3(4h), Cisco NX-OS Software 10.4(1), Cisco NX-OS Software 10.4(2), Cisco NX-OS Software 10.4(3), Cisco NX-OS Software 10.5(1), Cisco NX-OS Software, Cisco Nexus 3000 Series Switches, Cisco Nexus 9000 Series Switches

Related Products

Product CVE Evidence