
Vulnerabilities in Cisco FXOS and NX-OS System Software

  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: CIS


Cisco Security Advisory: Cisco FXOS and NX-OS System Software Authentication, Authorization, and Accounting Denial of Service Vulnerability

Advisory ID: cisco-sa-20171018-aaavty

Revision: 2.0

For Public Release: 2017 October 18 16:00 GMT

Last Updated: 2017 October 27 19:26 GMT

CVE ID(s): CVE-2017-3883

CVSS Score v(3): 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

+---------------------------------------------------------------------

Summary
=======
A vulnerability in the authentication, authorization, and accounting (AAA) implementation of Cisco Firepower Extensible Operating System (FXOS) and NX-OS System Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

The vulnerability occurs because AAA processes prevent the NX-OS System Manager from receiving keepalive messages when an affected device receives a high rate of login attempts, such as in a brute-force login attack. System memory can run low on the FXOS devices under the same conditions, which could cause the AAA process to unexpectedly restart or cause the device to reload.

An attacker could exploit this vulnerability by performing a brute-force login attack against a device that is configured with AAA security services. A successful exploit could allow the attacker to cause the affected device to reload.
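Because the trigger described above is the total rate of login attempts arriving at one device, a detector keyed only on source address or username can miss a burst spread across many sources. The following Python sketch is an added example, not part of the Cisco advisory: it counts login attempts per device in a sliding window and compares that with the per-source view. The normalized log format, the device names, the 10-second window and the threshold of 20 are assumptions chosen for illustration; the advisory does not state a rate.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed normalized log format (constructed for this example, not NX-OS/FXOS output):
#   <ISO-8601 time> <device> login user=<u> src=<ip> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) login user=\S+ src=(?P<src>\S+) result=(?:ok|fail)$"
)

def peak_counts(lines, window_s=10):
    """Peak attempts in any window_s-second window, per device and per (device, src)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # key -> timestamps inside the current window
    peak = defaultdict(int)
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # skip lines that are not login events
            events.append((datetime.fromisoformat(m["ts"]), m["dev"], m["src"]))
    for ts, dev, src in sorted(events):  # tolerate out-of-order delivery
        # dev alone = aggregate over all sources and users; (dev, src) = per-source view
        for key in (dev, (dev, src)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] >= window:
                q.popleft()
            peak[key] = max(peak[key], len(q))
    return dict(peak)

def devices_over_threshold(lines, window_s=10, threshold=20):
    """Devices whose aggregate login-attempt count in one window exceeds threshold."""
    peaks = peak_counts(lines, window_s)
    return {k: v for k, v in peaks.items() if isinstance(k, str) and v > threshold}

def sample_lines():
    """Constructed input: a distributed burst at nxos-a, routine logins at nxos-b."""
    t0 = datetime(2017, 10, 18, 16, 0, 0)
    out = []
    for i in range(30):  # 30 attempts in 6 s, each from a different source
        ts = (t0 + timedelta(milliseconds=200 * i)).isoformat()
        out.append(f"{ts} nxos-a login user=admin src=198.51.100.{i + 1} result=fail")
    for i in range(5):   # 5 attempts spread over 50 s from one source
        ts = (t0 + timedelta(seconds=10 * i)).isoformat()
        out.append(f"{ts} nxos-b login user=ops src=192.0.2.10 result=ok")
    return out

print(devices_over_threshold(sample_lines()))
```

In the constructed sample every source sends a single attempt, so the per-source peak stays at 1 while the per-device aggregate for nxos-a reaches 30.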

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

Note: Previous versions of this advisory recommended upgrading the Cisco NX-OS Software Release and configuring the login block-for CLI command to prevent this vulnerability. Cisco has since become aware that the login block-for CLI command may not function as desired in all cases. This does not apply to Cisco FXOS. Please refer to the Details section for additional information.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-aaavty



Author: Danijel Kozinovic
Cert ID: NCERT-REF-2017-10-0079-ADV
Source: http://www.adobe.com/