Cisco has today issued a security advisory for a denial-of-service vulnerability in NX-OS. A specially crafted IP packet can cause a Cisco Nexus 1000v, 5000 or 7000 Series switch to reload. Nexus 2000, 3000 and 4000 Series switches and UCS Fabric Interconnects are not affected by this bug.
Cisco explains the details of the issue as follows:
Certain versions of Cisco NX-OS Software for Cisco Nexus 1000v, 5000, and 7000 Series Switches are affected by a vulnerability that may cause a reload of an affected device when the operating system’s IP stack processes a malformed IP packet and obtaining Layer 4 (UDP or TCP) information from the packet is required.
The vulnerability is in the operating system’s IP stack and any feature that makes use of services offered by the IP stack to parse IP packets is affected. For instance, the following scenarios may trigger the vulnerability because they imply that Layer 4 (UDP or TCP) information is required to be able to perform the configured function:
- A malformed, transit IP packet that would normally be forwarded by the switch is received and the Time-to-live (TTL) is 1. In this case, an ICMP error message (time exceeded) needs to be generated. During generation of this ICMP message, the bug could be triggered.
- Policy-based routing is in use, and to make a routing decision, an incoming packet needs to be parsed. If the packet is a malformed TCP segment and the routing policy uses TCP information for routing decisions, then this bug could be triggered.
- An egress Access Control List (ACL) is applied to an interface and a malformed IP packet that needs to be forwarded through that interface is received.
Note: This list is not exhaustive. It contains some of the scenarios that have been confirmed to trigger the vulnerability described in this document. Other scenarios that require accessing Layer 4 information of a malformed IP packet may also result in the vulnerability being triggered.
If your Nexus switch does any Layer 3 routing, or has an ACL applied to any interface, this vulnerability could be triggered from external networks such as the Internet by a single malformed transit packet, with no authentication required. Immediate upgrade of NX-OS is recommended.
Below is a list of vulnerable and fixed software versions
Vulnerable NX-OS releases, source Cisco.com
The full Cisco Security Advisory cisco-sa-20120215-nxos is available at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120215-nxos