-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Reference: CERT-EU Security Advisory 2012-0020 Title: Cisco NX-OS Malformed IP Packet Denial of Service Vulnerability [1] Version history: 16.02.2012 Initial publication Summary ======= Cisco NX-OS Software is affected by a denial of service (DoS) vulnerability that could cause Cisco Nexus 1000v, 5000, and 7000 Series Switches that are running affected versions of Cisco NX-OS Software to reload when the IP stack processes a malformed IP packet. CVSS Base Score CVSS v2 Base Score: 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C) [3]) Affected Versions ================= Platform Release First Fixed Release Nexus 1000v Series 4.2.x 4.2(1)SV1(5.1) Nexus 5000 Series 4.x Vulnerable; migrate to 5.x 5.0.x 5.0(2)N1(1) 5.1.x Not vulnerable Nexus 7000 Series 4.2.x 4.2.8 5.0.x 5.0.5 1 5.1.x 5.1.1 5.2.x Not vulnerable 6.x Not vulnerable Original Details ================ The vulnerability is in the operating system's IP stack and any feature that makes use of services offered by the IP stack to parse IP packets is affected. For instance, the following scenarios may trigger the vulnerability because they imply that Layer 4 (UDP or TCP) information is required to be able to perform the configured function: + A malformed, transit IP packet that would normally be forwarded by the switch is received and the Time-to-live (TTL) is 1. In this case, an ICMP error message (time exceeded) needs to be generated. During generation of this ICMP message, the bug could be triggered. + Policy-based routing is in use, and to make a routing decision, an incoming packet needs to be parsed. If the packet is a malformed TCP segment and the routing policy uses TCP information for routing decisions, then this bug could be triggered. + An egress Access Control List (ACL) is applied to an interface and a malformed IP packet that needs to be forwarded through that interface is received. Note: This list is not exhaustive. It contains some of the scenarios that have been confirmed to trigger the vulnerability described in this document. Other scenarios that require accessing Layer 4 information of a malformed IP packet may also result in the vulnerability being triggered. More details provided in the CISCO advisory [1]. What can you do? ================ Deploy the updated versions of the software [2]. What to tell your users? ======================== N/A More information ================ [1] CISCO http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120215-nxos [2] CISCO Software Download http://www.cisco.com/cisco/software/find.html?q=nx-os [3] Information about CVSS: http://www.first.org/cvss/cvss-guide.html Best regards, CERT-EU CERT-EU Pre-configuration Team (http://cert.europa.eu) Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383 (DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in best effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source . Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.) -----BEGIN PGP SIGNATURE----- Version: BCPG v1.39 iQJXBAEBAgBBBQJPPPzROhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4O6Ew//dxCqaBB+ ZdnINr352Dc8afQIN9wmK1Vb9XRwgViuIqYN6LfEv+F3b5Sqhpk2hNYkbDZawZiu Jd6d+0KMs8bCLsDQsEBGfBD6KO0ri7SjSrboCIqMP467mIqfiRnEI+p/Hip83/YJ ZIS0XmHnPdm0HJSeebD2iKffNJEnQPtaJBNxqixpHq8bVhdGMfZas39LVJYyiQnJ C/5MkIYUX2avpV6242rTqtBK9Etc8bBlukK9fxCLd2WLLpiZ/lPsKBXeZ/KE7Zoa S05Zs6aagrdvrhGqHjyRtL7XYHjHOngxOA6XyKydaops+G1wmHheXAHpehR9HIDF Jtj2zezRItBz3Tc4gLnxpDVxTcXY/DX32i0no3OOudgmTfNhmyI4Hqz0z9OMxEjj QFtfIAdJkdcggP95cQ+sUMaUwfWDKM8Ri22JvBtTt1LWjNsL3Gh/p/aVTa6riZHq /fcScSeEnGUZxcmn4GlEhRkheiGUYjD5qr/lCrbn/T+X2Ylq3nM1mKA32GhOs3mc Cm2U3iiGZG94uDH1Q6368AWNriqhfUK3Dx7ayfrwmhUz+d4eqPC/Kpk0xftYgpOh t0yjNk7Gi3OTx7BPk1QkjUhwqLoeGdV0P3CeIEO2eUwtGiwrncRSJRNormDTh46w yb4e0GozLKoUg8ocIH+/jVPIusnmNYsDBvA= =fVNr -----END PGP SIGNATURE-----