Vulnerabilities > CVE-2019-1977 - State Issues vulnerability in Cisco Nx-Os

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
cisco
CWE-371
nessus

Summary

A vulnerability within the Endpoint Learning feature of Cisco Nexus 9000 Series Switches running in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an endpoint device in certain circumstances. The vulnerability is due to improper endpoint learning when packets are received on a specific port from outside the ACI fabric and destined to an endpoint located on a border leaf when Disable Remote Endpoint Learning has been enabled. This can result in a Remote (XR) entry being created for the impacted endpoint that will become stale if the endpoint migrates to a different port or leaf switch. This results in traffic not reaching the impacted endpoint until the Remote entry can be relearned by another mechanism.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Manipulating User State
    An attacker modifies state information maintained by the target software in user-accessible locations. If successful, the target software will use this tainted state information and execute in an unintended manner. State management is an important function within an application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an attacker to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits.

Nessus

NASL familyCISCO
NASL idCISCO-SA-20190828-NEXUS-ACI-DOS.NASL
descriptionAccording to its self-reported version, Cisco NX-OS System Software in Application Centric Infrastructure (ACI) mode is affected by a vulnerability within the Endpoint Learning feature of Cisco 9000 Series Switches due to improper endpoint learning when packets are received on a specific port from outside the ACI fabric and destined to an endpoint located on a border leaf when
last seen2020-03-26
modified2020-01-14
plugin id132855
published2020-01-14
reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/132855
titleCisco Nexus 9000 Series Fabric Switches ACI Mode Border Leaf Endpoint Learning (cisco-sa-20190828-nexus-aci-dos)
code
#TRUSTED 17b0df17afb00c93ca08d2a05a41c2882757d498a4e32f748fd124b5815a112de74967bac2769bec18fa2810911bd2d4cd8dfc39a266599723f3823d5836e1a874c9b7a6823813eb3ae8da8dceb4c00f607634f29fa5ca04a1ee5912de0f53ffa67f9deca06ba805f6cf40a74606a9e9885ddc993733d91fd46a256a7ded08bef83d371c047259ac034837a7dfb159deb1f913226f4f5bd2f1b19a71cabefdef5b73f1fb9b1f5f0a8450971ac379fb849c0546f6427a9e13e268efa16e12b6d078196dbce153ab40532ce1f0070f11b6f130dc51367e5a7857c4c3e8b38b703663bd2af99eac9532b46448bd7f0b3eb24964a1ae7a68340d56fc8417c776f78642d02323fdd78ce1d58a00167f865e368577bb0368e6b72a2d2330f1a684139158affb08c64c12f4dbf9e20a090949f78ee1cb7365a8135e2b875fdefd956b151e957b37742f4452919febeefb5e3460693630b96c37ed86aae87683914db69e29f41d90ebf2cdaaad46710b9bfc1476a428b64e2a0c747f4818af1948d7f26832e3fc377fb4aaf97ec7fdb88b5afa6f8f0679dca7344bd4348c57c3186c1b75286c9c57dd09b35f9329dec4113835ad9b157469c07a3cb80ca9d70f4e56ea0a7eedb680ab1488324c3131284ab559a09839d24381c73dc895535df9c7cb59e06fddc4a035378ebb3e7eecaeca48968a82c85481e1fe06830a5ac91b7d95ed42
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(132855);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/25");

  script_cve_id("CVE-2019-1977");
  script_xref(name:"CISCO-BUG-ID", value:"CSCvi11291");
  script_xref(name:"CISCO-SA", value:"cisco-sa-20190828-nexus-aci-dos");
  script_xref(name:"IAVA", value:"2019-A-0317");

  script_name(english:"Cisco Nexus 9000 Series Fabric Switches ACI Mode Border Leaf Endpoint Learning (cisco-sa-20190828-nexus-aci-dos)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, Cisco NX-OS System Software in Application Centric Infrastructure (ACI) mode is
affected by a vulnerability within the Endpoint Learning feature of Cisco 9000 Series Switches due to improper endpoint
learning when packets are received on a specific port from outside the ACI fabric and destined to an endpoint located on
a border leaf when 'Disable Remote Endpoint Learning' has been enabled. An unauthenticated, remote attacker can exploit
this to create a Remote (XR) entry for the impacted endpoint that will become stale if the endpoint migrates to a
different port or leaf switch. This results in traffic not reaching the impacted endpoint until the Remote entry can be
relearned by another mechanism, causing a denial of service (DoS) condition.

Please see the included Cisco BIDs and Cisco Security Advisory for more information.");
  # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nexus-aci-dos
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9a5ce967");
  script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi11291");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvi11291");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1977");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/08/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/14");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("cisco_nxos_version.nasl");
  script_require_keys("Host/Cisco/NX-OS/Version", "Host/Cisco/NX-OS/Model", "Host/Cisco/NX-OS/Device", "Settings/ParanoidReport");

  exit(0);
}

include('audit.inc');
include('cisco_workarounds.inc');
include('ccf.inc');

if (report_paranoia < 2) audit(AUDIT_PARANOID);

product_info = cisco::get_product_info(name:'Cisco NX-OS Software');

if ('Nexus' >!< product_info.device || product_info.model !~ '^90[0-9][0-9]')
  audit(AUDIT_HOST_NOT, 'affected');

version_list=make_list(
  '12.0(1m)',
  '12.0(2g)',
  '12.0(1n)',
  '12.0(1o)',
  '12.0(1p)',
  '12.0(1q)',
  '12.0(2h)',
  '12.0(2l)',
  '12.0(2m)',
  '12.0(2n)',
  '12.0(2o)',
  '12.0(2f)',
  '12.0(1r)',
  '12.1(1h)',
  '12.1(2e)',
  '12.1(3g)',
  '12.1(4a)',
  '12.1(1i)',
  '12.1(2g)',
  '12.1(2k)',
  '12.1(3h)',
  '12.1(3j)',
  '12.2(1n)',
  '12.2(2e)',
  '12.2(3j)',
  '12.2(4f)',
  '12.2(3p)',
  '12.2(3r)',
  '12.2(3s)',
  '12.2(3t)',
  '12.2(2f)',
  '12.2(2g)',
  '12.2(2i)',
  '12.2(2j)',
  '12.2(2k)',
  '12.2(2q)',
  '12.2(1o)',
  '12.2(1k)',
  '12.3(1e)',
  '12.3(1f)',
  '12.3(1i)',
  '12.3(1l)',
  '12.3(1o)',
  '12.3(1p)',
  '13.0(1k)',
  '13.0(2h)',
  '13.0(2k)',
  '13.0(2n)',
  '13.0(1i)',
  '13.0(2m)',
  '13.1(1i)',
  '13.1(2m)',
  '13.1(2o)',
  '13.1(2p)',
  '13.1(2q)',
  '13.1(2s)',
  '13.1(2t)'
);

workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);
workaround_params = make_list();

reporting = make_array(
  'port'     , 0,
  'severity' , SECURITY_WARNING,
  'version'  , product_info.version,
  'bug_id'   , 'CSCvi11291'
);

cisco::check_and_report(
  product_info:product_info,
  workarounds:workarounds,
  workaround_params:workaround_params,
  reporting:reporting,
  vuln_versions:version_list,
  switch_only:TRUE
);