Vulnerabilities > CVE-2018-0313 - Injection vulnerability in Cisco Nx-Os

CVSS 9.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

cisco

CWE-74

critical

nessus

NVD

Published: 2018-06-21

Updated: 2020-09-04

Summary

A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to send a malicious packet to the management interface on an affected system and execute a command-injection exploit. The vulnerability is due to incorrect input validation of user-supplied data to the NX-API subsystem. An attacker could exploit this vulnerability by sending a malicious HTTP or HTTPS packet to the management interface of an affected system that has the NX-API feature enabled. A successful exploit could allow the attacker to execute arbitrary commands with root privileges. Note: NX-API is disabled by default. This vulnerability affects MDS 9000 Series Multilayer Switches, Nexus 2000 Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 3500 Platform Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules. Cisco Bug IDs: CSCvd47415, CSCve03216, CSCve03224, CSCve03234.

Vulnerable Configurations

Part	Description	Count
OS	Cisco Cisco NX OS 7.0\(0\)Hsk\(0.357\) Cisco NX OS 8.0\(1\)S20 Cisco NX OS 8.1\(0\)Bd\(0.20\) Cisco NX OS 8.1\(0.97\)S0 Cisco NX OS 8.1\(1\)S5 Cisco NX OS -	6
Hardware	Cisco Cisco Nexus 5000 - Cisco Nexus 5010 - Cisco Nexus 5020 - Cisco Nexus 5548P - Cisco Nexus 5548Up - Cisco Nexus 5596T - Cisco Nexus 5596Up - Cisco Nexus 56128P - Cisco Nexus 5624Q - Cisco Nexus 5648Q - Cisco Nexus 5672Up - Cisco Nexus 5696Q - Cisco Nexus 7000 - Cisco Nexus 7700 - Cisco Nexus 92160Yc X - Cisco Nexus 92304Qc - Cisco Nexus 9236C - Cisco Nexus 9272Q - Cisco Nexus 93108Tc EX - Cisco Nexus 93120Tx - Cisco Nexus 93128Tx - Cisco Nexus 93180Yc EX - Cisco Nexus 9332Pq - Cisco Nexus 9372Px - Cisco Nexus 9372Tx - Cisco Nexus 9396Px - Cisco Nexus 9396Tx - Cisco Nexus 9504 - Cisco Nexus 9508 - Cisco Nexus 9516 - Cisco Nexus N9K C9508 FM R - Cisco Nexus N9K X9636C R - Cisco Nexus N9K X9636Q R - Cisco Nexus 172Tq XL - Cisco Nexus 3016 - Cisco Nexus 3048 - Cisco Nexus 3064 32T - Cisco Nexus 3064 T - Cisco Nexus 3064 X - Cisco Nexus 3100 V - Cisco Nexus 31128Pq - Cisco Nexus 3132C Z - Cisco Nexus 3132Q - Cisco Nexus 3132Q X - Cisco Nexus 3132Q XL - Cisco Nexus 3164Q - Cisco Nexus 3172Pq - Cisco Nexus 3172Pq XL - Cisco Nexus 3172Tq - Cisco Nexus 3172Tq 32T - Cisco Nexus 3232C - Cisco Nexus 3264C E - Cisco Nexus 3264Q - Cisco Nexus 34180Yc - Cisco Nexus 3524 X - Cisco Nexus 3524 XL - Cisco Nexus 3548 - Cisco Nexus 3548 X - Cisco Nexus 3548 XL - Cisco Nexus 3636C R - Cisco Nexus C36180Yc R - Cisco Nexus 2148T - Cisco Nexus 2224Tp GE - Cisco Nexus 2232Pp 10Ge - Cisco Nexus 2232Tm E 10Ge - Cisco Nexus 2232Tm 10Ge - Cisco Nexus 2248Pq 10Ge - Cisco Nexus 2248Tp E - Cisco Nexus 2248Tp GE - Cisco Nexus 6001P - Cisco Nexus 6001T -	71

Common Weakness Enumeration (CWE)

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Server Side Include (SSI) Injection
An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
Cross Site Scripting through Log Files
An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
Command Line Execution through SQL Injection
An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Subverting Environment Variable Values
The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.

Nessus

NASL family	CISCO
NASL id	CISCO-SA-20180620-NXAPI.NASL
description	According to its self-reported version, the Cisco NX-OS Software is affected by one or more vulnerabilities. Please see the included Cisco BIDs and the Cisco Security Advisory for more information.
last seen	2020-04-30
modified	2018-06-25
plugin id	110688
published	2018-06-25
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/110688
title	Cisco NX-OS NXAPI Multiple Vulnerabilities.

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References