
Cisco Security Advisory

Cisco FXOS and NX-OS Lightweight Directory Access Protocol Denial of Service
Vulnerabilities
Advisory ID: cisco-sa-20190306-nxosldap
Published: 2019 March 6 16:00 GMT
Version 1.0: Final
CVSS Score: Base - 8.6
Workarounds: No workarounds available
Cisco Bug IDs: CSCvd40241
CSCvd57308
CSCve02855
CSCve02858
CSCve02865
CSCve02867
CSCve02871
CSCve57816
CSCve57820
CSCve58224

Summary

Multiple vulnerabilities in the implementation of the Lightweight Directory Access Protocol (LDAP) feature in Cisco FXOS Software and Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an affected de

The vulnerabilities are due to the improper parsing of LDAP packets by an affected device. An attacker could exploit these vulnerabilities by sending an LDAP packet crafted using Basic Encoding Rules (BER) to an affected device.
condition.
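
The root cause named above is the parsing of attacker-supplied BER. The following is an added example, not Cisco's LDAP implementation and not a reproduction of the defects fixed in this advisory (those details are not public): a bounds-checked decoder for the BER envelope of an LDAPMessage, written to show the validation a listener must perform before it trusts any length an LDAP packet carries. RFC 4511 restricts LDAP to definite-length BER, which the decoder enforces. The sample packets are constructed for this illustration.

```python
import re  # not needed by the decoder itself; kept so the file is self-contained

# Added example, not Cisco's code: a bounds-checked decoder for the BER
# envelope of an LDAPMessage (RFC 4511 restricts LDAP to definite-length
# BER). It illustrates the input-validation class behind "improper parsing
# of LDAP packets"; the specific defects Cisco fixed are not public and are
# not reproduced here.


class BerError(ValueError):
    """Malformed or truncated BER input; a robust listener logs and drops it."""


def decode_length(buf: bytes, pos: int) -> tuple:
    """Decode the BER length starting at buf[pos]; return (length, next_pos).

    Every derived offset is checked against len(buf) before it is used, so an
    attacker-chosen length can never make the caller read past the packet."""
    if pos >= len(buf):
        raise BerError("truncated before length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form: one octet
        length = first
    elif first == 0x80:                    # indefinite form: forbidden in LDAP
        raise BerError("indefinite length not allowed in LDAP")
    else:                                  # long form: next (first & 0x7F) octets
        n = first & 0x7F
        if n > 4:
            raise BerError("length field wider than 32 bits")
        if pos + n > len(buf):
            raise BerError("truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if length > len(buf) - pos:
        raise BerError("length exceeds remaining input")
    return length, pos


def decode_tlv(buf: bytes, pos: int = 0) -> tuple:
    """Decode one TLV at buf[pos]; return (tag, value, next_pos)."""
    if pos >= len(buf):
        raise BerError("truncated before tag")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise BerError("multi-octet tag; LDAP tag numbers fit in one octet")
    length, pos = decode_length(buf, pos + 1)
    return tag, buf[pos:pos + length], pos + length


def parse_ldap_message(pdu: bytes) -> dict:
    """Parse LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }."""
    tag, body, end = decode_tlv(pdu)
    if tag != 0x30:
        raise BerError("LDAPMessage must be a SEQUENCE")
    if end != len(pdu):
        raise BerError("trailing bytes after LDAPMessage")
    tag, mid, pos = decode_tlv(body)
    if tag != 0x02 or not 1 <= len(mid) <= 4:
        raise BerError("messageID must be an INTEGER of 1..4 octets")
    tag, op, pos = decode_tlv(body, pos)
    if tag & 0xC0 != 0x40:
        raise BerError("protocolOp must carry an APPLICATION-class tag")
    return {"message_id": int.from_bytes(mid, "big"),
            "op": tag & 0x1F,          # 0 = BindRequest, 3 = SearchRequest, ...
            "op_len": len(op)}


def classify(pdu: bytes) -> str:
    """What a hardened listener does with a packet: accept, or drop with a reason."""
    try:
        msg = parse_ldap_message(pdu)
    except BerError as exc:
        return "rejected: %s" % exc
    return "accepted: op=%d message_id=%d" % (msg["op"], msg["message_id"])


# Constructed packets. BIND_V3 is a well-formed anonymous simple bind
# (messageID 1, BindRequest [APPLICATION 0], version 3, empty name/password).
BIND_V3 = bytes.fromhex("300c020101600702010304008000")
HUGE_LENGTH = bytes.fromhex("3084ffffffff020101")        # claims a 4 GiB body
INDEFINITE = bytes.fromhex("30800201016007020103040080000000")
TRUNCATED = bytes.fromhex("300c0201")                     # body shorter than promised

if __name__ == "__main__":
    for name, pdu in [("BIND_V3", BIND_V3), ("HUGE_LENGTH", HUGE_LENGTH),
                      ("INDEFINITE", INDEFINITE), ("TRUNCATED", TRUNCATED)]:
        print(name, "->", classify(pdu))
```

The design point is that `decode_length` validates the claimed length against the bytes actually present before returning it, so the callers never slice or allocate on an untrusted number; a decoder that trusts the length field and reads or allocates first is the usual shape of a BER parsing crash.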

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

This advisory is available at the following link:


https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxosldap

This advisory is part of the March 2019 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication, which includes 25 Cisco Security Advisories that describe 26 vulnerabilities. For a complete list of the advisories and

Affected Products

Vulnerable Products
These vulnerabilities affect the following Cisco products if they are running a vulnerable release of Cisco FXOS Software or Cisco NX-OS Software and are configured for remote LDAP authentication:

Firepower 4100 Series Next-Generation Firewalls
Firepower 9300 Security Appliance
MDS 9000 Series Multilayer Switches
Nexus 3000 Series Switches
Nexus 3500 Platform Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Switches in standalone NX-OS mode
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects

For information about which Cisco FXOS Software and Cisco NX-OS Software releases are vulnerable, see the Fixed Software section of this advisory.

Determining the Cisco FXOS LDAP Configuration


To determine whether a Firepower device running Cisco FXOS Software is configured for LDAP-based authentication, authorization, and accounting (AAA), administrators can use the show ldap-server CLI command. Output after the following LDAP servers are
the Cisco FXOS CLI Configuration Guide.

fxos# show ldap-server


timeout : 30
port : 0
baseDN :
user profile attribute :
search filter : cn=$userid
use groups : 0
recurse groups : 0
group attribute : memberOf
total number of servers : 1

following LDAP servers are configured:


ldap1:
timeout: 30 port: 389 rootDN: DC=cisco-firepower-aaa1,DC=qalab0,DC=com0,DC=cisco-firepower-aaa2,DC=qalab1,DC=com1,DC=cisco-firepower-aaa3,DC=qalab2,DC
enable-ssl: true
.
.
.

Determining the Cisco NX-OS LDAP Configuration


To determine whether a Nexus device is configured for the LDAP feature, administrators can use the show running-config | include "ldap-server host" command from the NX-OS CLI and verify that the feature is enabled.

nxos-switch# show running-config | include "ldap-server host"

ldap-server host ...

For additional information on NX-OS LDAP configuration, customers can refer to the Configuring LDAP chapter of the Cisco Security Configuration Guide.

Determining the Cisco FXOS Software Release


Administrators can check the release of Cisco FXOS Software that is running on a device by using the following commands in the device CLI or by navigating to the Overview tab in the Admin portal. The following example shows

QP4120B1 # scope system


QP4120B1 /system # show version
FPRM:
Running-Vers: 4.2(2.15)
Package-Vers: 2.2(2.14)
Activate-Status: Ready

Determining the Cisco NX-OS Software Release


Administrators can check the release of Cisco NX-OS Software that is running on a device by using the show version command in the device CLI. The following example shows the output of this command on a device that is runn

nxos-switch# show version


Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (C) 2002-2016, Cisco and/or its affiliates.
All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under their own
licenses, such as open source. This software is provided "as is," and
unless otherwise stated, there is no warranty, express or implied,
including but not limited to warranties of merchantability and fitness
for a particular purpose. Certain components of this software are
licensed under the GNU General Public License (GPL) version 2.0 or
GNU General Public License (GPL) version 3.0 or the GNU
Lesser General Public License (LGPL) Version 2.1 or
Lesser General Public License (LGPL) Version 2.0.
A copy of each such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://opensource.org/licenses/gpl-3.0.html and
http://www.opensource.org/licenses/lgpl-2.1.php and
http://www.gnu.org/licenses/old-licenses/library.txt.
Software
BIOS: version 07.57
NXOS: version 7.0(3)I5(1) [build 7.0(3)I5(0.9)]
BIOS compile time: 06/29/2016
NXOS image file is: bootflash:///nxos.7.0.3.I5.0.9.bin
NXOS compile time: 8/1/2016 23:00:00 [08/02/2016 00:30:32]
.
.
.

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.

Cisco has confirmed that these vulnerabilities do not affect the following Cisco products:

Firepower 2100 Series Firewalls
Nexus 1000V Switch for KVM
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 1100 Series Cloud Services Platforms
Nexus 2000 Series Fabric Extenders
Nexus 3600 Platform Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
Nexus 9500 R-Series Line Cards and Fabric Modules
UCS 6400 Series Fabric Interconnects

Workarounds

There are no workarounds that address these vulnerabilities.

Fixed Software

Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software th

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upg

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the informa

Customers Without Service Contracts


Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale shoul

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

Fixed Releases
Customers are advised to upgrade to an appropriate release as indicated in the applicable table in this section. To help ensure a complete upgrade solution, customers should consider that this advisory is part of a bundled publicatio

In the following tables, the left column lists releases of Cisco FXOS Software or Cisco NX-OS Software. The center column indicates whether a release is affected by the vulnerabilities described in this advisory and the first release t
those vulnerabilities.

Although the releases listed in the right column of each table include fixes for the vulnerabilities, the fix related to the Cisco NX-OS Software Image Signature Verification Vulnerability requires a BIOS upgrade as part of the software
and BIOS versions:

Nexus 3000 Series Switches
Nexus 9000 Series Fabric Switches in ACI mode
Nexus 9000 Series Switches in standalone NX-OS mode
Nexus 9500 R-Series Line Cards and Fabric Modules

Firepower 4100 Series Next-Generation Firewalls: CSCvd40241 and CSCvd57308

Cisco FXOS Software Release First Fixed Release for These Vulnerabilities First Fixed Release for A
1.1 2.0.1.201 2.2.2.91
2.0 2.0.1.201 2.2.2.91
2.1 2.2.2.54 2.2.2.91
2.2 2.2.2.54 2.2.2.91
2.3 2.3.1.75 2.3.1.110
2.4 Not vulnerable 2.4.1.122

Firepower 9300 Security Appliance: CSCvd40241 and CSCvd57308

Cisco FXOS Software Release First Fixed Release for These Vulnerabilities First Fixed Release for A
1.1 2.0.1.201 2.2.2.91
2.0 2.0.1.201 2.2.2.91
2.1 2.2.2.54 2.2.2.91
2.2 2.2.2.54 2.2.2.91
2.3 2.3.1.75 2.3.1.110
2.4 Not vulnerable 2.4.1.122

MDS 9000 Series Multilayer Switches: CSCve57820 and CSCve02867

Cisco NX-OS Software Release First Fixed Release for These Vulnerabilities First Fixed Release for
5.2 6.2(21) 6.2(27)
6.2 6.2(21) 6.2(27)
7.3 8.2(1) 8.3(2)
8.1 8.2(1) 8.3(2)
8.2 Not vulnerable 8.3(2)
8.3 Not vulnerable 8.3(2)

Nexus 3000 Series Switches: CSCve58224 and CSCve02858

Cisco NX-OS Software Release First Fixed Release for These Vulnerabilities First Fixed Release for
Prior to 7.0(3)I4 7.0(3)I4(7) 7.0(3)I7(6)
7.0(3)I4 7.0(3)I4(7) 7.0(3)I7(6)
7.0(3)I5 7.0(3)I7(1) 7.0(3)I7(6)
7.0(3)I6 7.0(3)I7(1) 7.0(3)I7(6)
7.0(3)I7 7.0(3)I7(1) 7.0(3)I7(6)
9.2(1) Not vulnerable 9.2(2)

Nexus 3500 Platform Switches: CSCve02871

Cisco NX-OS Software Release First Fixed Release for These Vulnerabilities First Fixed Release for
Prior to 6.0(2)A8 6.0(2)A8(11) 6.0(2)A8(11)
6.0(2)A8 6.0(2)A8(11) 6.0(2)A8(11)
7.0(3) 7.0(3)I7(2) 7.0(3)I7(6)
9.2 Not vulnerable 9.2(2)

Nexus 7000 and 7700 Series Switches: CSCve57820 and CSCve02867

Cisco NX-OS Software Release First Fixed Release for These Vulnerabilities First Fixed Release for
Prior to 6.2 6.2(20) 6.2(22)
6.2 6.2(20) 6.2(22)
7.2 7.3(2)D1(1) 8.2(3)
7.3 7.3(2)D1(1) 8.2(3)
8.0 8.2(1) 8.2(3)
8.1 8.2(1) 8.2(3)
8.2 Not vulnerable 8.2(3)
8.3 Not vulnerable 8.3(2)

Nexus 9000 Series Switches in Standalone NX-OS Mode: CSCve02865 and CSCve57816

Cisco NX-OS Software Release First Fixed Release for These Vulnerabilities First Fixed Release for
Prior to 7.0(3)I4 7.0(3)I4(7) 7.0(3)I7(6)
7.0(3)I4 7.0(3)I4(7) 7.0(3)I7(6)
7.0(3)I5 7.0(3)I7(1) 7.0(3)I7(6)
7.0(3)I6 7.0(3)I7(1) 7.0(3)I7(6)
7.0(3)I7 7.0(3)I7(1) 7.0(3)I7(6)
9.2(1) Not vulnerable 9.2(2)

UCS 6200 and 6300 Fabric Interconnects: CSCve02855

Cisco NX-OS Software Release First Fixed Release for These Vulnerabilities First Fixed Release for
Prior to 3.1 3.2(2b) 3.2(3j)
3.1 3.2(2b) 3.2(3j)
3.2 3.2(2b) 3.2(3j)
4.0 Not vulnerable 4.0(2a)
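
As an added example (not part of the advisory and not Cisco tooling), the following Python script applies the checks described in this advisory to a device's own CLI output: it reads the running release from show version and the LDAP server configuration from show running-config | include "ldap-server host", then looks the release up in the Nexus 3000 / Nexus 9000 (standalone NX-OS mode) fixed-release table transcribed above. The sample show version and running-config text is constructed; treating the whole 9.2 train as not vulnerable (the advisory lists 9.2(1)) and the server address 192.0.2.10 are assumptions noted in the comments. Other platforms have their own tables and must not be checked against this one.

```python
import re

# Added example, not from the advisory: decide whether an NX-OS device is
# exposed to cisco-sa-20190306-nxosldap from its own CLI output. FIXED_TABLE
# is transcribed from the advisory's Nexus 3000 / Nexus 9000 (standalone
# NX-OS mode) table; MDS, Nexus 3500, Nexus 7000/7700 and UCS have different
# tables and need their own entries.

FIXED_TABLE = [
    # (release train, first fixed release); None means the train is not vulnerable
    ("7.0(3)I4", "7.0(3)I4(7)"),
    ("7.0(3)I5", "7.0(3)I7(1)"),
    ("7.0(3)I6", "7.0(3)I7(1)"),
    ("7.0(3)I7", "7.0(3)I7(1)"),
    ("9.2", None),   # assumption: advisory lists 9.2(1) as not vulnerable
]
# The advisory's "Prior to 7.0(3)I4" row: anything older than this train is
# vulnerable and the first fix is 7.0(3)I4(7).
PRIOR_TRAIN, PRIOR_TRAIN_FIXED = "7.0(3)I4", "7.0(3)I4(7)"


def release_key(release: str) -> tuple:
    """Turn '7.0(3)I5(1)' into a comparable tuple: numeric fields compare as
    integers, letter groups lexically, so 7.0(3)I5(1) < 7.0(3)I7(1) < 9.2(2)."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"[A-Za-z]+|\d+", release))


def first_fixed(release: str) -> tuple:
    """Return (status, first_fixed): status is 'vulnerable', 'not vulnerable'
    or 'unknown' when the release train is not in the table."""
    key = release_key(release)
    for train, fixed in FIXED_TABLE:
        tkey = release_key(train)
        if key[:len(tkey)] == tkey:           # running release is in this train
            if fixed is None or key >= release_key(fixed):
                return "not vulnerable", fixed
            return "vulnerable", fixed
    if key < release_key(PRIOR_TRAIN):
        return "vulnerable", PRIOR_TRAIN_FIXED
    return "unknown", None


def running_release(show_version: str):
    """Extract the release from the 'NXOS: version ...' line of show version."""
    m = re.search(r"^\s*NXOS:\s+version\s+(\S+)", show_version, re.MULTILINE)
    return m.group(1) if m else None


def ldap_configured(running_config: str) -> bool:
    """The advisory's test: any 'ldap-server host' line in the running config."""
    return any(line.strip().startswith("ldap-server host")
               for line in running_config.splitlines())


def assess(show_version: str, running_config: str) -> dict:
    release = running_release(show_version)
    if release is None:
        raise ValueError("no 'NXOS: version' line found in show version output")
    status, fixed = first_fixed(release)
    configured = ldap_configured(running_config)
    return {
        "release": release,
        "ldap_configured": configured,
        "status": status,
        "first_fixed": fixed,
        # Per the advisory, only devices configured for remote LDAP
        # authentication are affected, so both conditions must hold.
        "exposed": configured and status == "vulnerable",
    }


# Constructed sample output, trimmed to the lines the checks need. The
# release matches the advisory's own show version example.
SHOW_VERSION = """\
Cisco Nexus Operating System (NX-OS) Software
Software
  BIOS: version 07.57
  NXOS: version 7.0(3)I5(1) [build 7.0(3)I5(0.9)]
"""
RUNNING_CONFIG_LDAP = """\
feature ldap
ldap-server host 192.0.2.10
ldap-server host 192.0.2.11 enable-ssl
"""

if __name__ == "__main__":
    print(assess(SHOW_VERSION, RUNNING_CONFIG_LDAP))
```

Feed it the two command outputs captured from the device; a result of exposed: True with first_fixed set is the release to upgrade to for these vulnerabilities only, and the bundle's right-hand column still governs the upgrade target for the other advisories published the same day.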

Additional Resources
For help determining the best Cisco NX-OS Software release for a Cisco Nexus Switch, administrators can refer to the following Recommended Releases documents. If a security advisory recommends a later release, Cisco recomm

Cisco MDS Series Switches
Cisco Nexus 1000V for VMware Switch
Cisco Nexus 3000 Series and 3500 Series Switches
Cisco Nexus 5000 Series Switches
Cisco Nexus 5500 Platform Switches
Cisco Nexus 6000 Series Switches
Cisco Nexus 7000 Series Switches
Cisco Nexus 9000 Series Switches
Cisco Nexus 9000 Series ACI-Mode Switches

For help determining the best Cisco NX-OS Software release for Cisco UCS, refer to the Recommended Releases documents in the release notes for the device.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

Source

These vulnerabilities were found during internal security testing.

URL
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-nxosldap

Revision History

Version Description Section
1.0 Initial public release. -

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR US
OR UPDATE THIS DOCUMENT AT ANY TIME.

A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end u
