Vulnerabilities > CVE-2019-1977 - State Issues vulnerability in Cisco Nx-Os

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

cisco

CWE-371

nessus

NVD

Published: 2019-08-30

Updated: 2024-11-21

Summary

A vulnerability within the Endpoint Learning feature of Cisco Nexus 9000 Series Switches running in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an endpoint device in certain circumstances. The vulnerability is due to improper endpoint learning when packets are received on a specific port from outside the ACI fabric and destined to an endpoint located on a border leaf when Disable Remote Endpoint Learning has been enabled. This can result in a Remote (XR) entry being created for the impacted endpoint that will become stale if the endpoint migrates to a different port or leaf switch. This results in traffic not reaching the impacted endpoint until the Remote entry can be relearned by another mechanism.

Vulnerable Configurations

Part	Description	Count
OS	Cisco Cisco NX OS 12.3\(1H\) Cisco NX OS 13.1\(2M\) Cisco NX OS 13.1\(2O\) Cisco NX OS 13.1\(2P\)	4
Hardware	Cisco Cisco Nexus 9000 - Cisco Nexus 93108Tc EX - Cisco Nexus 93108Tc FX - Cisco Nexus 93120Tx - Cisco Nexus 93128Tx - Cisco Nexus 93180Lc EX - Cisco Nexus 93180Yc EX - Cisco Nexus 93180Yc FX - Cisco Nexus 9332Pq - Cisco Nexus 9336C FX2 - Cisco Nexus 9336Pq - Cisco Nexus 9348Gc FXP - Cisco Nexus 9364C - Cisco Nexus 9372Px - Cisco Nexus 9372Px E - Cisco Nexus 9372Tx - Cisco Nexus 9372Tx E - Cisco Nexus 9396Px - Cisco Nexus 9396Tx - Cisco Nexus 9504 - Cisco Nexus 9508 - Cisco Nexus 9516 -	22

Common Weakness Enumeration (CWE)

CWE-371 - State Issues

Common Attack Pattern Enumeration and Classification (CAPEC)

Manipulating User State
An attacker modifies state information maintained by the target software in user-accessible locations. If successful, the target software will use this tainted state information and execute in an unintended manner. State management is an important function within an application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an attacker to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits.

Nessus

NASL family	CISCO
NASL id	CISCO-SA-20190828-NEXUS-ACI-DOS.NASL
description	According to its self-reported version, Cisco NX-OS System Software in Application Centric Infrastructure (ACI) mode is affected by a vulnerability within the Endpoint Learning feature of Cisco 9000 Series Switches due to improper endpoint learning when packets are received on a specific port from outside the ACI fabric and destined to an endpoint located on a border leaf when
last seen	2020-03-26
modified	2020-01-14
plugin id	132855
published	2020-01-14
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/132855
title	Cisco Nexus 9000 Series Fabric Switches ACI Mode Border Leaf Endpoint Learning (cisco-sa-20190828-nexus-aci-dos)
code	#TRUSTED 17b0df17afb00c93ca08d2a05a41c2882757d498a4e32f748fd124b5815a112de74967bac2769bec18fa2810911bd2d4cd8dfc39a266599723f3823d5836e1a874c9b7a6823813eb3ae8da8dceb4c00f607634f29fa5ca04a1ee5912de0f53ffa67f9deca06ba805f6cf40a74606a9e9885ddc993733d91fd46a256a7ded08bef83d371c047259ac034837a7dfb159deb1f913226f4f5bd2f1b19a71cabefdef5b73f1fb9b1f5f0a8450971ac379fb849c0546f6427a9e13e268efa16e12b6d078196dbce153ab40532ce1f0070f11b6f130dc51367e5a7857c4c3e8b38b703663bd2af99eac9532b46448bd7f0b3eb24964a1ae7a68340d56fc8417c776f78642d02323fdd78ce1d58a00167f865e368577bb0368e6b72a2d2330f1a684139158affb08c64c12f4dbf9e20a090949f78ee1cb7365a8135e2b875fdefd956b151e957b37742f4452919febeefb5e3460693630b96c37ed86aae87683914db69e29f41d90ebf2cdaaad46710b9bfc1476a428b64e2a0c747f4818af1948d7f26832e3fc377fb4aaf97ec7fdb88b5afa6f8f0679dca7344bd4348c57c3186c1b75286c9c57dd09b35f9329dec4113835ad9b157469c07a3cb80ca9d70f4e56ea0a7eedb680ab1488324c3131284ab559a09839d24381c73dc895535df9c7cb59e06fddc4a035378ebb3e7eecaeca48968a82c85481e1fe06830a5ac91b7d95ed42 # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(132855); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/25"); script_cve_id("CVE-2019-1977"); script_xref(name:"CISCO-BUG-ID", value:"CSCvi11291"); script_xref(name:"CISCO-SA", value:"cisco-sa-20190828-nexus-aci-dos"); script_xref(name:"IAVA", value:"2019-A-0317"); script_name(english:"Cisco Nexus 9000 Series Fabric Switches ACI Mode Border Leaf Endpoint Learning (cisco-sa-20190828-nexus-aci-dos)"); script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch"); script_set_attribute(attribute:"description", value: "According to its self-reported version, Cisco NX-OS System Software in Application Centric Infrastructure (ACI) mode is affected by a vulnerability within the Endpoint Learning feature of Cisco 9000 Series Switches due to improper endpoint learning when packets are received on a specific port from outside the ACI fabric and destined to an endpoint located on a border leaf when 'Disable Remote Endpoint Learning' has been enabled. An unauthenticated, remote attacker can exploit this to create a Remote (XR) entry for the impacted endpoint that will become stale if the endpoint migrates to a different port or leaf switch. This results in traffic not reaching the impacted endpoint until the Remote entry can be relearned by another mechanism, causing a denial of service (DoS) condition. Please see the included Cisco BIDs and Cisco Security Advisory for more information."); # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nexus-aci-dos script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9a5ce967"); script_set_attribute(attribute:"see_also", value:"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi11291"); script_set_attribute(attribute:"solution", value: "Upgrade to the relevant fixed version referenced in Cisco bug ID CSCvi11291"); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1977"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/28"); script_set_attribute(attribute:"patch_publication_date", value:"2019/08/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/14"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/o:cisco:nx-os"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CISCO"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("cisco_nxos_version.nasl"); script_require_keys("Host/Cisco/NX-OS/Version", "Host/Cisco/NX-OS/Model", "Host/Cisco/NX-OS/Device", "Settings/ParanoidReport"); exit(0); } include('audit.inc'); include('cisco_workarounds.inc'); include('ccf.inc'); if (report_paranoia < 2) audit(AUDIT_PARANOID); product_info = cisco::get_product_info(name:'Cisco NX-OS Software'); if ('Nexus' >!< product_info.device \|\| product_info.model !~ '^90[0-9][0-9]') audit(AUDIT_HOST_NOT, 'affected'); version_list=make_list( '12.0(1m)', '12.0(2g)', '12.0(1n)', '12.0(1o)', '12.0(1p)', '12.0(1q)', '12.0(2h)', '12.0(2l)', '12.0(2m)', '12.0(2n)', '12.0(2o)', '12.0(2f)', '12.0(1r)', '12.1(1h)', '12.1(2e)', '12.1(3g)', '12.1(4a)', '12.1(1i)', '12.1(2g)', '12.1(2k)', '12.1(3h)', '12.1(3j)', '12.2(1n)', '12.2(2e)', '12.2(3j)', '12.2(4f)', '12.2(3p)', '12.2(3r)', '12.2(3s)', '12.2(3t)', '12.2(2f)', '12.2(2g)', '12.2(2i)', '12.2(2j)', '12.2(2k)', '12.2(2q)', '12.2(1o)', '12.2(1k)', '12.3(1e)', '12.3(1f)', '12.3(1i)', '12.3(1l)', '12.3(1o)', '12.3(1p)', '13.0(1k)', '13.0(2h)', '13.0(2k)', '13.0(2n)', '13.0(1i)', '13.0(2m)', '13.1(1i)', '13.1(2m)', '13.1(2o)', '13.1(2p)', '13.1(2q)', '13.1(2s)', '13.1(2t)' ); workarounds = make_list(CISCO_WORKAROUNDS['no_workaround']); workaround_params = make_list(); reporting = make_array( 'port' , 0, 'severity' , SECURITY_WARNING, 'version' , product_info.version, 'bug_id' , 'CSCvi11291' ); cisco::check_and_report( product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list, switch_only:TRUE );

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References