A vulnerability in the SSH key management for the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user. The vulnerability is due to the presence of a default SSH key pair that is present in all devices. An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials. An exploit could allow the attacker to access the system with the privileges of the root user. This vulnerability is only exploitable over IPv6; IPv4 is not vulnerable.
Recent assessments:
bcook-r7 at May 09, 2019 5:57pm UTC reported:
This requires IPv6 and particular settings to be enabled
Waiting for machine to boot. This may take a few minutes…
default: SSH address: 127.0.0.1:2222
default: SSH username: vagrant
default: SSH auth method: private key
It seems you have to configure the virtual switch with a virtual serial port.
## VM Contents:
There are only a few EXT3 filesystems that have useful data in the VMDK image. I think the most interesting bits are going to be inside of nxos.9.2.2.bin which is perhaps decoded or interpreted by the kernel or bootloader. The boot screen in the VM looks like it uses a modified version of GRUB and the Linux kernel, though my current environment has insufficient memory to make it actually boot.
> <fs>
add-ro ## Vulnerable targets:
It’s not clear if the 9000v virtual switch is vulnerable but that is the easiest to target for now, since it does not need special hardware.
The setup is here: <https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/nx-osv/configuration/guide/b_Cisco_Nexus_9000v/b_Cisco_Nexus_9000v_chapter_011.html>
Downloading the ‘Vagrant’ image and running it with a basic Vagrantfile showed this output, which hung forever:
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Clearing any previously set forwarded ports...
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
default: Adapter 1: nat
==> default: Forwarding ports...
default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Booting VM...
==> default: box-disk1.vmdk
><fs> run
><fs> list-filesystems
/dev/sda1: vfat
/dev/sda2: ext3
/dev/sda3: ext3
/dev/sda4: ext3
/dev/sda5: ext3
/dev/sda6: e
boot
cfglabel.sysmgr
debug
dme
licenses
linux
log
lost+foundxt3
/dev/sda7: ext3
><fs> mount /dev/sda3 /
><fs> ls /
lost+found
><fs> mount /dev/sda1 /
><fs> ls /
EFI
><fs> mount /dev/sda2 /
><fs> ls /
lost+found
><fs> mount /dev/sda3 /
><fs> ls /
lost+found
><fs> mount /dev/sda4 /
><fs> ls /
nxos.9.2.2.bin
><fs> mount /dev/sda5 /
><fs> ls /
lost+found
><fs> mount /dev/sda6 /
><fs> ls /
ascii
bin
no-erase
><fs> mount /dev/sda7 /
><fs> ls /
lost+found
I copied out the .bin file, which appears to be another filesystem.
><fs> mount /dev/sda4 /
><fs> copy-out /nxos.9.2.2.bin .
$ file nxos.9.2.2.bin
nxos.9.2.2.bin: DOS/MBR boot sector
binwalk ./nxos.9.2.2.bin
--------------------------------------------------------------------------------
0 0x0 Netboot image, mode 2
1024 0x400 Microsoft executable, portable (PE)
17844 0x45B4 gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
2010881 0x1EAF01 MySQL ISAM index file Version 7
6283776 0x5FE200 gzip compressed data, maximum compression, from Unix, last modified: 2018-11-05 06:20:17
asoto-r7 at July 24, 2019 8:37pm UTC reported:
This requires IPv6 and particular settings to be enabled
Waiting for machine to boot. This may take a few minutes…
default: SSH address: 127.0.0.1:2222
default: SSH username: vagrant
default: SSH auth method: private key
It seems you have to configure the virtual switch with a virtual serial port.
## VM Contents:
There are only a few EXT3 filesystems that have useful data in the VMDK image. I think the most interesting bits are going to be inside of nxos.9.2.2.bin which is perhaps decoded or interpreted by the kernel or bootloader. The boot screen in the VM looks like it uses a modified version of GRUB and the Linux kernel, though my current environment has insufficient memory to make it actually boot.
> <fs>
add-ro ## Vulnerable targets:
It’s not clear if the 9000v virtual switch is vulnerable but that is the easiest to target for now, since it does not need special hardware.
The setup is here: <https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/nx-osv/configuration/guide/b_Cisco_Nexus_9000v/b_Cisco_Nexus_9000v_chapter_011.html>
Downloading the ‘Vagrant’ image and running it with a basic Vagrantfile showed this output, which hung forever:
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Clearing any previously set forwarded ports...
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
default: Adapter 1: nat
==> default: Forwarding ports...
default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Booting VM...
==> default: box-disk1.vmdk
><fs> run
><fs> list-filesystems
/dev/sda1: vfat
/dev/sda2: ext3
/dev/sda3: ext3
/dev/sda4: ext3
/dev/sda5: ext3
/dev/sda6: e
boot
cfglabel.sysmgr
debug
dme
licenses
linux
log
lost+foundxt3
/dev/sda7: ext3
><fs> mount /dev/sda3 /
><fs> ls /
lost+found
><fs> mount /dev/sda1 /
><fs> ls /
EFI
><fs> mount /dev/sda2 /
><fs> ls /
lost+found
><fs> mount /dev/sda3 /
><fs> ls /
lost+found
><fs> mount /dev/sda4 /
><fs> ls /
nxos.9.2.2.bin
><fs> mount /dev/sda5 /
><fs> ls /
lost+found
><fs> mount /dev/sda6 /
><fs> ls /
ascii
bin
no-erase
><fs> mount /dev/sda7 /
><fs> ls /
lost+found
I copied out the .bin file, which appears to be another filesystem.
><fs> mount /dev/sda4 /
><fs> copy-out /nxos.9.2.2.bin .
$ file nxos.9.2.2.bin
nxos.9.2.2.bin: DOS/MBR boot sector
binwalk ./nxos.9.2.2.bin
--------------------------------------------------------------------------------
0 0x0 Netboot image, mode 2
1024 0x400 Microsoft executable, portable (PE)
17844 0x45B4 gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
2010881 0x1EAF01 MySQL ISAM index file Version 7
6283776 0x5FE200 gzip compressed data, maximum compression, from Unix, last modified: 2018-11-05 06:20:17
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 1