Cisco has warned customers with Nexus switches running its NX-OS software to install updates to address a serious flaw that allows a remote attacker to bypass network access controls and route malicious traffic to internal networks.
The bug, tracked as CVE-2020-10136, can be used to cause a denial of service on affected Nexus switches or, more worryingly, route traffic from an attacker’s machine to a target’s internal network after bypassing input Access Control Lists (ACLs) for filtering incoming traffic.
Several of Cisco’s widely used Nexus switches harbor a flaw that causes the device to “unexpectedly decapsulate and process IP in IP packets that are destined to a locally configured IP address, even when no tunnel configuration is present”.
The IETF RFC 2003 specification for the IP-in-IP tunneling protocol allows IP packets to be wrapped or encapsulated inside other IP packets, with the traffic remaining unencrypted throughout.
Vijay Sarvepalli of the US CERT Coordination Center (CERT/CC) explains that the protocol unwraps the inner IP packet and forwards it via IP routing tables, but a device becomes vulnerable if it accepts these packets from anywhere without restrictions.
“An IP-in-IP device is considered to be vulnerable if it accepts IP-in-IP packets from any source to any destination without explicit configuration between the specified source and destination IP addresses,” writes Sarvepalli.
And that is the problem affecting multiple Cisco Nexus NX-OS devices that support IP-in-IP packet encapsulation and decapsulation: they are not supposed to decapsulate and process any IP in IP traffic to a device’s tunnel interface unless it has been manually configured with ACL inbound tunnel controls.
“A successful exploit could cause the affected device to unexpectedly decapsulate the IP in IP packet and forward the inner IP packet. This may result in IP packets bypassing input access control lists (ACLs) configured on the affected device or other security boundaries defined elsewhere in the network,” Cisco notes.
“Any input ACL configured on an inbound interface of the affected device is evaluated against the IP fields on the carrier IP packet prior to decapsulation; it would not be evaluated on the passenger IP packet,” Cisco further explains.
“This may result in the passenger IP packet bypassing the intended ACL filtering. This may also allow the passenger IP packet to bypass other security boundaries that may be defined in the network path to the affected device in the presence of network filtering techniques that only inspect the outer IP header and not the inner IP packet.”
Beyond this, an attacker who repeatedly exploits the bug could cause the device’s network stack to crash, resulting in a denial of service on the affected switch.
Cisco has given the bug a severity score of 8.6 out of a possible 10.
CERT/CC says the bug could result in a reflective distributed denial-of-service attack, information leakage and network control bypass.
For those who cannot immediately install updates, CERT/CC’s Sarvepalli says affected customers can prevent IP-in-IP packets by filtering IP protocol 4 packets at the upstream router or another device. Sarvepalli stresses that this filtering is for an IP protocol header value of 4, as opposed to IPv4.
Cisco also suggests this measure, but first advises customers to use “infrastructure access control lists (iACLs) to allow only strictly required management and control plane traffic that is destined to the affected device”.
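The following is an added illustration, not code from Cisco, CERT/CC or the researcher's proof of concept, of the two points above: an input ACL that is evaluated only on the carrier (outer) IPv4 header lets a passenger (inner) packet through that the same ACL would have denied, and the mitigations the text describes (drop IP protocol 4 unless a tunnel is explicitly configured for that source/destination pair, and re-check the passenger header after decapsulation) close that gap. All addresses, the ACL and the packets are constructed in memory for the example; nothing is sent on a network.

```python
"""Constructed demonstration of the IP-in-IP ACL bypass and its mitigation.

Packets are built and parsed in memory only. The ACL, addresses and tunnel
configuration below are made-up sample values for the illustration."""
import ipaddress
import socket
import struct

IPPROTO_IPIP = 4    # IP protocol number for IP-in-IP (RFC 2003); this is not "IPv4"
IPPROTO_UDP = 17


def checksum(data: bytes) -> int:
    """Standard Internet checksum over header bytes (even length assumed here)."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Return just the fields a filter needs: protocol, src, dst, header/total length."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4 or (vihl & 0x0F) < 5:
        raise ValueError("not an IPv4 packet")
    return {"proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "hlen": (vihl & 0x0F) * 4, "len": total_len}


# Sample ACL (constructed): deny anything claiming an internal 10/8 source, permit the rest.
ACL = [("deny", "10.0.0.0/8", "0.0.0.0/0"), ("permit", "0.0.0.0/0", "0.0.0.0/0")]


def evaluate_acl(acl, hdr: dict) -> str:
    """First-match evaluation of (action, src_prefix, dst_prefix) rules, implicit deny."""
    src, dst = ipaddress.ip_address(hdr["src"]), ipaddress.ip_address(hdr["dst"])
    for action, s_net, d_net in acl:
        if src in ipaddress.ip_network(s_net) and dst in ipaddress.ip_network(d_net):
            return action
    return "deny"


def decapsulate(pkt: bytes) -> bytes:
    """Strip the carrier header of an IP-in-IP packet and return the passenger packet."""
    hdr = parse_ipv4(pkt)
    if hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return pkt[hdr["hlen"]:hdr["len"]]


def forward_outer_only(acl, pkt: bytes) -> dict:
    """Behaviour the advisory describes: the ACL is applied to the carrier header only,
    then the device decapsulates and forwards whatever passenger packet is inside."""
    outer = parse_ipv4(pkt)
    if evaluate_acl(acl, outer) == "deny":
        return {"forwarded": None, "decision": "deny", "reason": "outer ACL"}
    if outer["proto"] == IPPROTO_IPIP:
        return {"forwarded": parse_ipv4(decapsulate(pkt)), "decision": "permit",
                "reason": "outer ACL only; passenger never checked"}
    return {"forwarded": outer, "decision": "permit", "reason": "plain packet"}


def forward_hardened(acl, pkt: bytes, tunnel_peers: set) -> dict:
    """Mitigated behaviour: protocol 4 is dropped unless this (src, dst) pair is an
    explicitly configured tunnel (the 'filter IP protocol 4' advice), and the ACL is
    re-evaluated on the passenger header after decapsulation."""
    outer = parse_ipv4(pkt)
    if evaluate_acl(acl, outer) == "deny":
        return {"forwarded": None, "decision": "deny", "reason": "outer ACL"}
    if outer["proto"] != IPPROTO_IPIP:
        return {"forwarded": outer, "decision": "permit", "reason": "plain packet"}
    if (outer["src"], outer["dst"]) not in tunnel_peers:
        return {"forwarded": None, "decision": "deny", "reason": "unconfigured IP-in-IP"}
    inner = parse_ipv4(decapsulate(pkt))
    if evaluate_acl(acl, inner) == "deny":
        return {"forwarded": None, "decision": "deny", "reason": "inner ACL"}
    return {"forwarded": inner, "decision": "permit", "reason": "configured tunnel"}


def demo():
    """Constructed sample: an outside host (203.0.113.5) sends an IP-in-IP packet to a
    device-local address (192.0.2.1); the passenger claims an internal 10/8 source."""
    passenger = build_ipv4("10.0.0.9", "192.168.1.10", IPPROTO_UDP, b"\x00" * 8)
    carrier = build_ipv4("203.0.113.5", "192.0.2.1", IPPROTO_IPIP, passenger)
    return forward_outer_only(ACL, carrier), forward_hardened(ACL, carrier, tunnel_peers=set())


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("outer-only filter:", vulnerable)
    print("hardened filter:  ", hardened)
```

The outer-only path permits the carrier (its source is not in 10/8) and forwards a passenger packet whose source the same ACL would reject; the hardened path refuses the protocol-4 packet outright because no tunnel is configured for that pair, and even with a configured tunnel it still applies the ACL to the passenger header.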
Yannay Livneh, the security researcher who reported the bug to Cisco, has published proof-of-concept exploit code on GitHub for admins to use to test whether they have vulnerable Nexus devices on the network. The code lets admins check whether the device supports IP-in-IP encapsulation from arbitrary sources to arbitrary destinations.
However, Cisco notes that it has not observed malicious activity exploiting this flaw.
Affected Nexus switches include:
- Nexus 1000 Virtual Edge for VMware vSphere
- Nexus 1000V Switch for Microsoft Hyper-V
- Nexus 1000V Switch for VMware vSphere
- Nexus 3000 Series Switches
- Nexus 5500 Platform Switches
- Nexus 5600 Platform Switches
- Nexus 6000 Series Switches
- Nexus 7000 Series Switches
- Nexus 9000 Series Switches in standalone NX-OS mode
- UCS 6200 Series Fabric Interconnects
- UCS 6300 Series Fabric Interconnects