Cisco FXOS and NX-OS Lightweight Directory Access Protocol Denial of Service Vulnerabilities
Advisory ID: cisco-sa-20190306-nxosldap
Published: 2019 March 6 16:00 GMT
Version 1.0: Final
CVSS Score: Base - 8.6
Workarounds: No workarounds available
Cisco Bug IDs: CSCvd40241, CSCvd57308, CSCve02855, CSCve02858, CSCve02865, CSCve02867, CSCve02871, CSCve57816, CSCve57820, CSCve58224
Summary
Multiple vulnerabilities in the implementation of the Lightweight Directory Access Protocol (LDAP) feature in Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an affected de
The vulnerabilities are due to the improper parsing of LDAP packets by an affected device. An attacker could exploit these vulnerabilities by sending an LDAP packet crafted using Basic Encoding Rules (BER) to an affected device.
condition.
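The advisory does not say which BER field the affected parser mishandles. As an added illustration (not Cisco's code), the Python sketch below shows the envelope checks a BER reader for LDAP needs before any deeper parsing; `MAX_LDAP_PDU`, the function names and the sample bind request are assumptions made for this example.

```python
# Added example: strict reader for the outer envelope of an LDAPMessage.
# RFC 4511 section 5.1 limits LDAP to definite-length BER, so other forms
# are rejected before a full parser ever sees the packet.
MAX_LDAP_PDU = 1 << 20  # assumed size ceiling; tune per deployment
# Constructed sample: anonymous simple bind request with messageID 1
SAMPLE_BIND = bytes.fromhex("300c020101600702010304008000")


class BERError(ValueError):
    pass


def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, value_start, value_end) for the TLV at buf[off:]."""
    if off + 2 > len(buf):
        raise BERError("truncated header")
    tag, first, pos = buf[off], buf[off + 1], off + 2
    if (tag & 0x1F) == 0x1F:
        raise BERError("high-tag-number form; LDAP tags fit in one byte")
    if first < 0x80:                  # short form: the byte is the length
        length = first
    elif first == 0x80:
        raise BERError("indefinite length is not allowed in LDAP")
    else:                             # long form: low 7 bits = byte count
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise BERError("length field too wide or truncated")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if length > MAX_LDAP_PDU or pos + length > len(buf):
        raise BERError("declared length exceeds ceiling or buffer")
    return tag, pos, pos + length


def check_ldap_envelope(pdu: bytes) -> int:
    """Validate SEQUENCE { messageID INTEGER, ... } and return messageID."""
    tag, start, end = read_tlv(pdu)
    if tag != 0x30:
        raise BERError("outer element is not a SEQUENCE")
    if end != len(pdu):
        raise BERError("trailing bytes after LDAPMessage")
    itag, istart, iend = read_tlv(pdu, start)
    if itag != 0x02 or not (1 <= iend - istart <= 4):
        raise BERError("messageID is not a 1-4 byte INTEGER")
    mid = int.from_bytes(pdu[istart:iend], "big", signed=True)
    if mid < 0:
        raise BERError("negative messageID")
    return mid
```

Every rejection path raises `BERError` instead of indexing past the buffer, which is the property a front-end filter or fuzz harness for an LDAP listener should assert.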
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
This advisory is part of the March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication, which includes 25 Cisco Security Advisories that describe 26 vulnerabilities. For a complete list of the advisories and
Affected Products
Vulnerable Products
These vulnerabilities affect the following Cisco products if they are running a vulnerable release of Cisco FXOS Software or Cisco NX-OS Software and are configured for remote LDAP authentication:
For information about which Cisco FXOS Software and Cisco NX-OS Software releases are vulnerable, see the Fixed Software section of this advisory.
For additional information on NX-OS LDAP configuration, customers can refer to the Configuring LDAP chapter of the Cisco Security Configuration Guide.
Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.
Cisco has confirmed that these vulnerabilities do not affect the following Cisco products:
Workarounds
Fixed Software
Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software th
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upg
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the informa
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Releases
Customers are advised to upgrade to an appropriate release as indicated in the applicable table in this section. To help ensure a complete upgrade solution, customers should consider that this advisory is part of a bundled publicatio
In the following tables, the left column lists releases of Cisco FXOS Software or Cisco NX-OS Software. The center column indicates whether a release is affected by the vulnerabilities described in this advisory and the first release t
those vulnerabilities.
Although the releases listed in the right column of each table include fixes for the vulnerabilities, the fix related to the Cisco NX-OS Software Image Signature Verification Vulnerability requires a BIOS upgrade as part of the software
and BIOS versions:
Cisco FXOS Software Release | First Fixed Release for These Vulnerabilities | First Fixed Release for A
1.1 | 2.0.1.201 | 2.2.2.91
2.0 | 2.0.1.201 | 2.2.2.91
2.1 | 2.2.2.54 | 2.2.2.91
2.2 | 2.2.2.54 | 2.2.2.91
2.3 | 2.3.1.75 | 2.3.1.110
2.4 | Not vulnerable | 2.4.1.122
Cisco NX-OS Software Release | First Fixed Release for These Vulnerabilities | First Fixed Release for
5.2 | 6.2(21) | 6.2(27)
6.2 | 6.2(21) | 6.2(27)
7.3 | 8.2(1) | 8.3(2)
8.1 | 8.2(1) | 8.3(2)
8.2 | Not vulnerable | 8.3(2)
8.3 | Not vulnerable | 8.3(2)
Cisco NX-OS Software Release | First Fixed Release for These Vulnerabilities | First Fixed Release for
Prior to 7.0(3)I4 | 7.0(3)I4(7) | 7.0(3)I7(6)
7.0(3)I4 | 7.0(3)I4(7) | 7.0(3)I7(6)
7.0(3)I5 | 7.0(3)I7(1) | 7.0(3)I7(6)
7.0(3)I6 | 7.0(3)I7(1) | 7.0(3)I7(6)
7.0(3)I7 | 7.0(3)I7(1) | 7.0(3)I7(6)
9.2(1) | Not vulnerable | 9.2(2)
Cisco NX-OS Software Release | First Fixed Release for These Vulnerabilities | First Fixed Release for
Prior to 6.0(2)A8 | 6.0(2)A8(11) | 6.0(2)A8(11)
6.0(2)A8 | 6.0(2)A8(11) | 6.0(2)A8(11)
7.0(3) | 7.0(3)I7(2) | 7.0(3)I7(6)
9.2 | Not vulnerable | 9.2(2)
Cisco NX-OS Software Release | First Fixed Release for These Vulnerabilities | First Fixed Release for
Prior to 6.2 | 6.2(20) | 6.2(22)
6.2 | 6.2(20) | 6.2(22)
7.2 | 7.3(2)D1(1) | 8.2(3)
7.3 | 7.3(2)D1(1) | 8.2(3)
8.0 | 8.2(1) | 8.2(3)
8.1 | 8.2(1) | 8.2(3)
8.2 | Not vulnerable | 8.2(3)
8.3 | Not vulnerable | 8.3(2)
Nexus 9000 Series Switches in Standalone NX-OS Mode: CSCve02865 and CSCve57816
Cisco NX-OS Software Release | First Fixed Release for These Vulnerabilities | First Fixed Release for
Prior to 7.0(3)I4 | 7.0(3)I4(7) | 7.0(3)I7(6)
7.0(3)I4 | 7.0(3)I4(7) | 7.0(3)I7(6)
7.0(3)I5 | 7.0(3)I7(1) | 7.0(3)I7(6)
7.0(3)I6 | 7.0(3)I7(1) | 7.0(3)I7(6)
7.0(3)I7 | 7.0(3)I7(1) | 7.0(3)I7(6)
9.2(1) | Not vulnerable | 9.2(2)
Cisco NX-OS Software Release | First Fixed Release for These Vulnerabilities | First Fixed Release for
Prior to 3.1 | 3.2(2b) | 3.2(3j)
3.1 | 3.2(2b) | 3.2(3j)
3.2 | 3.2(2b) | 3.2(3j)
4.0 | Not vulnerable | 4.0(2a)
Additional Resources
For help determining the best Cisco NX-OS Software release for a Cisco Nexus Switch, administrators can refer to the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recomm
For help determining the best Cisco NX-OS Software release for Cisco UCS, refer to the Recommended Releases documents in the release notes for the device.
Exploitation and Public Announcements
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
Source
URL
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxosldap
Revision History
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR US
OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end u