Cisco has released fixes for 34 flaws in its software, including 24 that affect its FXOS software for Firepower firewalls and NX-OS software for Nexus switches.
Cisco’s June updates include fixes for five critical arbitrary code execution vulnerabilities affecting FXOS and NX-OS and 19 high-rated flaws affecting the software.
A dozen of them affect both FXOS and NX-OS, while the remaining only affect NX-OS. Cisco says that none of the flaws affects its IOS or IOS XE software.
Four of the critical flaws affect FXOS and NX-OS Cisco Fabric Services, while the fifth one affects the NX-API feature of NX-OS. All have a CVSS v3 score of 9.8 out of a maximum of 10.
The four affecting Cisco Fabric Services are because FXOS/NX-OS “insufficiently validates header values in Cisco Fabric Services packets”.
Cisco Fabric Services facilitate distribution and synchronization of configuration data between Cisco devices on the same network.
Some of the flaws allow an unauthenticated, remote attack to execute arbitrary code and one allows an attacker to do so as root.
Multiple switches are vulnerable if they’ve been configured to use Cisco Fabric Services, including its Nexus 2000 series through to Nexus 9000 series switches, as well as Cisco’s Firepower 4100 Series Next-Gen Firewalls and other hardware.
The insufficient input validation may occur when FXOS and NX-OS process Cisco Fabric Services packets received during distribution and synchronization.
There are various ways to exploit each of the flaws, depending on what Cisco Fabric Services distribution types have been configured.
For example, if Fibre Channel ports are configured as a distribution type for a device, the attack could occur via Fibre Channel over Ethernet (FCoE) or Fibre Channel over IP (FCIP).
Cisco has already rolled out fixes in some releases of FXOS and NX-OS. It has provided tables for each affected switch and firewall, detailing the first fixed release for each specific vulnerability, as well as the first fixed release that covers a collection of 19 flaws detailed in a separate ‘event response’ advisory. All the flaws detailed in the separate advisory are high-rated flaws.
Cisco posted a blog this week explaining why it often fixes bugs in IOS and NX-OS releases before disclosing them in an advisory.
It’s a practice that appears to cause confusion for customers wondering why it hasn’t told them fixed code has been available for several months before it discloses them. Cisco’s answer is that some flaws affect more than 50 versions of its software.
“There have been some questions as to why creating fixes and releasing updates can take several weeks, or sometimes even months, before an advisory is published,” Cisco’s Customer Assurance Security Programs team wrote.
“In some cases, there is a large number of supported software versions to be updated. The number of affected versions that will be updated can range from single digits to nearly 50 or more. We are committed to issuing fixes for every one of those supported versions.”
“If we disclosed the vulnerability after only fixing one release, we would unnecessarily expose all customers running other releases to potential exploitation once details about the attack itself became public.”
There are also 10 medium-severity flaws, including one that affects some WebEx endpoints due to an already disclosed flaw in Nvidia’s Tegra TX1 chips.