Cisco has released patches for a critical security vulnerability in NX-OS Software that affects the Nexus 7000 and 7700 Series Switches.
Cisco Fixes the Issues in the Nexus 7000 Series (CVE-2016-1453)
Cisco has fixed the security issue identified in advisory CVE-2016-1453, which affects the Cisco Nexus 7000 and Nexus 7700 Series Switches. The problem is a buffer overflow vulnerability in the Overlay Transport Virtualization (OTV) feature. It can be exploited by an unauthenticated, remote attacker to reload the affected system or to execute arbitrary code on the device.
The root cause is incomplete input validation of the size of the OTV packet header parameters, which can result in a buffer overflow. An attacker can exploit the issue by sending a specially crafted OTV UDP packet to the OTV interface of an affected device. A successful exploit allows the attacker to execute arbitrary code and gain full remote control of the system, or to cause the OTV process on the device to reload.
In addition to the software update, Cisco engineers have published detailed instructions for mitigating the problem. The vulnerability affects Nexus 7000 and 7700 Series Switches only if the OTV feature is enabled.
The workaround provided by Cisco uses an Access Control List (ACL) to drop malformed OTV control packets:
ip access-list OTV_PROT_V1
10 deny udp any any fragments
20 deny udp any any eq 8472 packet-length lt 54
30 permit ip any any
Cisco recommends that the following considerations be taken into account:
- The deny udp any any fragments entry must be the first line of the ACL.
- Other Access Control Entries (ACEs) can be added between sequences 10 and 20, and between 20 and 30, as long as they do not contradict sequence 10 or 20.
- The ACL must be applied in the ingress direction on the OTV join interface.
- Instead of any as the destination address, multiple ACEs can be used, each with the IP address of an OTV interface.
To verify the ACL status, administrators can use the show system internal access-list interface command.
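To make the workaround concrete, the following Python script is an added example (not Cisco's code and not part of the advisory) that models the three ACEs of OTV_PROT_V1 and runs them over constructed IPv4/UDP datagrams. It assumes first-match semantics with an implicit deny at the end, that packet-length matches on the IPv4 total length field, and that the fragments keyword matches non-initial fragments (fragment offset greater than zero), which is the documented meaning of that NX-OS ACL keyword; the sample packets, port numbers other than 8472, and addresses are constructed for the demonstration.

```python
"""Model of the Cisco OTV_PROT_V1 workaround ACL evaluated over constructed packets."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

OTV_UDP_PORT = 8472   # UDP port the workaround ACL keys on
UDP = 17              # IPv4 protocol number for UDP


@dataclass
class Packet:
    proto: int
    total_length: int        # IPv4 total length field (what packet-length matches on)
    frag_offset: int         # fragment offset in 8-byte units; > 0 means non-initial fragment
    more_fragments: bool
    dst_port: Optional[int]  # None when this datagram carries no UDP header


def parse_ipv4(raw: bytes) -> Packet:
    """Parse an IPv4 header and, if present in this datagram, the UDP header."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_length, _ident, flags_frag,
     _ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBHII", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = flags_frag & 0x1FFF
    more_fragments = bool(flags_frag & 0x2000)
    dst_port = None
    # Only the initial fragment (offset 0) carries the UDP header, so only it has ports.
    if proto == UDP and frag_offset == 0 and len(raw) >= ihl + 8:
        _sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
        dst_port = dport
    return Packet(proto, total_length, frag_offset, more_fragments, dst_port)


def ace_deny_udp_fragments(p: Packet) -> bool:
    # "10 deny udp any any fragments": assumption, the keyword matches non-initial fragments.
    return p.proto == UDP and p.frag_offset > 0


def ace_deny_short_otv(p: Packet) -> bool:
    # "20 deny udp any any eq 8472 packet-length lt 54": needs the UDP port, so it
    # cannot match a non-initial fragment, which is why ACE 10 exists.
    return p.proto == UDP and p.dst_port == OTV_UDP_PORT and p.total_length < 54


def ace_permit_any(p: Packet) -> bool:
    # "30 permit ip any any"
    return True


Ace = Tuple[int, str, Callable[[Packet], bool]]
OTV_PROT_V1: List[Ace] = [
    (10, "deny", ace_deny_udp_fragments),
    (20, "deny", ace_deny_short_otv),
    (30, "permit", ace_permit_any),
]
WITHOUT_FRAGMENT_ACE: List[Ace] = OTV_PROT_V1[1:]  # same ACL with sequence 10 removed


def evaluate(acl: List[Ace], p: Packet) -> Tuple[int, str]:
    """First matching ACE wins; an ACL with no match ends in the implicit deny."""
    for seq, action, matches in acl:
        if matches(p):
            return seq, action
    return 0, "deny"


def build_udp_ipv4(dst_port: int, payload_len: int, frag_offset: int = 0,
                   more_fragments: bool = False, include_udp_header: bool = True) -> bytes:
    """Construct a minimal IPv4 datagram (constructed test data, checksums left zero)."""
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + payload_len, 0) if include_udp_header else b""
    body = udp + b"\x00" * payload_len
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBHII", 0x45, 0, 20 + len(body), 0x1234, flags_frag,
                      64, UDP, 0, 0x0A000001, 0x0A000002)
    return hdr + body


def classify_samples() -> Dict[str, Tuple[int, str]]:
    """Run the constructed sample packets through the ACL and report the matching ACE."""
    samples = {
        "valid_otv": build_udp_ipv4(OTV_UDP_PORT, 80),                      # 108 bytes
        "short_otv": build_udp_ipv4(OTV_UDP_PORT, 10),                      # 38 bytes, lt 54
        "otv_noninitial_fragment": build_udp_ipv4(OTV_UDP_PORT, 32, frag_offset=5,
                                                  include_udp_header=False),
        "dns_short": build_udp_ipv4(53, 20),                                # 48 bytes, not 8472
    }
    results = {name: evaluate(OTV_PROT_V1, parse_ipv4(raw)) for name, raw in samples.items()}
    results["otv_noninitial_fragment_without_ace_10"] = evaluate(
        WITHOUT_FRAGMENT_ACE, parse_ipv4(samples["otv_noninitial_fragment"]))
    return results


if __name__ == "__main__":
    for name, (seq, action) in classify_samples().items():
        print(f"{name:45s} -> sequence {seq:2d} {action}")
```

The last sample shows why Cisco insists on the fragments entry: a non-initial fragment carries no UDP header, so the port-based ACE 20 can never match it and, without sequence 10, it falls through to the permit.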