Vulnslist

find the latest Cisco vulnerabilities

Cisco NX-OS Software MPLS OAM Denial of Service Vulnerability

cisco-sa-nxos-mpls-oam-dos-sGO9x5GM · High · Published · Updated

A vulnerability in the MPLS Operation, Administration, and Maintenance (OAM) feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper input validation when an affected device is processing an MPLS echo-request or echo-reply packet. An attacker could exploit this vulnerability by sending malicious MPLS echo-request or echo-reply packets to an interface that is enabled for MPLS forwarding on the affected device. A successful exploit could allow the attacker to cause the MPLS OAM process to crash and restart multiple times, causing the affected device to reload and resulting in a DoS condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-mpls-oam-dos-sGO9x5GM This advisory is part of the August 2021 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: August 2021 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.

Cisco advisory ·CSAF JSON

Workarounds

There are no workarounds that address this vulnerability.

However, disabling the MPLS OAM feature removes the exploit vector. Administrators can disable the MPLS OAM feature by using the Cisco NX-OS CLI global configuration mode command no feature mpls oam on Nexus 3000 Series Switches and Nexus 9000 Series Switches, or by using no mpls oam on Cisco Nexus 7000 Series Switches. This action may be a suitable mitigation until devices that are affected by this vulnerability can be upgraded.

Note: Nexus 7000 Series Switches running a vulnerable Cisco NX-OS Software release 8.4(1) or later will not display no mpls oam in the running configuration after the command has been applied. Refer to defect CSCwc58564 https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc58564 for additional details about this configuration display issue. To confirm MPLS OAM has been disabled on these releases, use the ping mpls command at the Cisco NX-OS CLI and verify the MPLS Embedded Management Subsystem is not running, as shown in the following example:

nxos# ping mpls

% MPLS Embedded Management Subsystem is not running
To enable use 'mpls oam' global config command.

While this mitigation has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any mitigations before first evaluating the applicability to their own environment and any impact to such environment.

CVEsCVE-2021-1588
Cisco Bug IDsCSCvx66765, CSCvx48078
CVSS ScoreBase 8.6
Base 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X
Product Names From Source
Cisco NX-OS Software 6.0(2)A8(1), Cisco NX-OS Software 6.0(2)A8(2), Cisco NX-OS Software 6.0(2)A8(3), Cisco NX-OS Software 6.0(2)A8(4), Cisco NX-OS Software 6.0(2)A8(4a), Cisco NX-OS Software 6.0(2)A8(5), Cisco NX-OS Software 6.0(2)A8(6), Cisco NX-OS Software 6.0(2)A8(7), Cisco NX-OS Software 6.0(2)A8(7a), Cisco NX-OS Software 6.0(2)A8(7b), Cisco NX-OS Software 6.0(2)A8(8), Cisco NX-OS Software 6.0(2)A8(9), Cisco NX-OS Software 6.0(2)A8(10a), Cisco NX-OS Software 6.0(2)A8(10), Cisco NX-OS Software 6.0(2)A8(11), Cisco NX-OS Software 6.0(2)A8(11a), Cisco NX-OS Software 6.0(2)A8(11b), Cisco NX-OS Software 7.0(3)F3(1), Cisco NX-OS Software 7.0(3)F3(2), Cisco NX-OS Software 7.0(3)F3(3), Cisco NX-OS Software 7.0(3)F3(3a), Cisco NX-OS Software 7.0(3)F3(4), Cisco NX-OS Software 7.0(3)F3(3c), Cisco NX-OS Software 7.0(3)F3(5), Cisco NX-OS Software 7.0(3)I4(1), Cisco NX-OS Software 7.0(3)I4(2), Cisco NX-OS Software 7.0(3)I4(3), Cisco NX-OS Software 7.0(3)I4(4), Cisco NX-OS Software 7.0(3)I4(5), Cisco NX-OS Software 7.0(3)I4(6), Cisco NX-OS Software 7.0(3)I4(7), Cisco NX-OS Software 7.0(3)I4(8), Cisco NX-OS Software 7.0(3)I4(8a), Cisco NX-OS Software 7.0(3)I4(8b), Cisco NX-OS Software 7.0(3)I4(8z), Cisco NX-OS Software 7.0(3)I4(1t), Cisco NX-OS Software 7.0(3)I4(6t), Cisco NX-OS Software 7.0(3)I4(9), Cisco NX-OS Software 7.0(3)I5(1), Cisco NX-OS Software 7.0(3)I5(2), Cisco NX-OS Software 7.0(3)I5(3), Cisco NX-OS Software 7.0(3)I5(3a), Cisco NX-OS Software 7.0(3)I5(3b), Cisco NX-OS Software 7.0(3)I6(1), Cisco NX-OS Software 7.0(3)I6(2), Cisco NX-OS Software 7.0(3)I7(1), Cisco NX-OS Software 7.0(3)I7(2), Cisco NX-OS Software 7.0(3)I7(3), Cisco NX-OS Software 7.0(3)I7(4), Cisco NX-OS Software 7.0(3)I7(5), Cisco NX-OS Software 7.0(3)I7(5a), Cisco NX-OS Software 7.0(3)I7(3z), Cisco NX-OS Software 7.0(3)I7(6), Cisco NX-OS Software 7.0(3)I7(6z), Cisco NX-OS Software 7.0(3)I7(7), Cisco NX-OS Software 7.0(3)I7(8), Cisco NX-OS Software 7.0(3)I7(9), Cisco NX-OS Software 7.0(3)I7(9w), Cisco NX-OS Software 7.3(0)D1(1), Cisco NX-OS Software 7.3(0)DX(1), Cisco NX-OS Software 7.3(1)D1(1), Cisco NX-OS Software 7.3(2)D1(1), Cisco NX-OS Software 7.3(2)D1(2), Cisco NX-OS Software 7.3(2)D1(3), Cisco NX-OS Software 7.3(2)D1(3a), Cisco NX-OS Software 7.3(2)D1(1d), Cisco NX-OS Software 8.1(1), Cisco NX-OS Software 8.1(2), Cisco NX-OS Software 8.1(2a), Cisco NX-OS Software 8.2(1), Cisco NX-OS Software 8.2(2), Cisco NX-OS Software 8.2(3), Cisco NX-OS Software 8.2(4), Cisco NX-OS Software 8.2(5), Cisco NX-OS Software 8.2(6), Cisco NX-OS Software 8.3(1), Cisco NX-OS Software 8.3(2), Cisco NX-OS Software 9.2(1), Cisco NX-OS Software 9.2(2), Cisco NX-OS Software 9.2(2t), Cisco NX-OS Software 9.2(3), Cisco NX-OS Software 9.2(3y), Cisco NX-OS Software 9.2(4), Cisco NX-OS Software 9.2(2v), Cisco NX-OS Software 7.3(3)D1(1), Cisco NX-OS Software 7.0(3)IA7(1), Cisco NX-OS Software 7.0(3)IA7(2), Cisco NX-OS Software 7.0(3)IM7(2), Cisco NX-OS Software 7.3(4)D1(1), Cisco NX-OS Software 8.4(1), Cisco NX-OS Software 8.4(2), Cisco NX-OS Software 8.4(3), Cisco NX-OS Software 8.4(4), Cisco NX-OS Software 8.4(4a), Cisco NX-OS Software 9.3(1), Cisco NX-OS Software 9.3(2), Cisco NX-OS Software 9.3(3), Cisco NX-OS Software 9.3(1z), Cisco NX-OS Software 9.3(4), Cisco NX-OS Software 9.3(5), Cisco NX-OS Software 9.3(6), Cisco NX-OS Software 9.3(5w), Cisco NX-OS Software 9.3(7), Cisco NX-OS Software 9.3(7k), Cisco NX-OS Software 9.3(7a), Cisco NX-OS Software 7.3(5)D1(1), Cisco NX-OS Software 7.3(6)D1(1), Cisco NX-OS Software 7.3(7)D1(1), Cisco NX-OS Software 10.1(1), Cisco NX-OS Software, Cisco Nexus 7000 Series Switches, Cisco Nexus 3000 Series Switches, Cisco Nexus 9000 Series Switches

Related Products

Product CVE Evidence
Cisco RV Series Routers CVE-2021-1588 Cisco OpenVuln
Cisco Nexus Dashboard CVE-2021-1588 Cisco OpenVuln
Cisco Firepower Extensible Operating System (FXOS) CVE-2021-1588 Cisco OpenVuln
Cisco Catalyst PON Series Switches CVE-2021-1588 Cisco OpenVuln
Cisco Nexus 9000 Series Switches CVE-2021-1588 Cisco OpenVuln
Cisco Nexus 7000 Series Switches CVE-2021-1588 Cisco OpenVuln
Cisco Nexus 3000 Series Switches CVE-2021-1588 Cisco OpenVuln
Cisco Nexus 3000 Series Switch CVE-2021-1588 Cisco OpenVuln
Cisco NX-OS Software CVE-2021-1588 Cisco OpenVuln