Cisco: CISCO-SA-20190501-ACI-INSECURE-FABRIC
History: May 01, 2019 - 4:00 p.m.

Cisco Nexus 9000 Series Fabric Switches Application Centric Infrastructure Mode Insecure Fabric Authentication Vulnerability

2019-05-01 16:00:00
tools.cisco.com
85

EPSS: 0.002
Percentile: 60.9%

A vulnerability in the Transport Layer Security (TLS) certificate validation functionality of Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, remote attacker to perform insecure TLS client authentication on an affected device.

The vulnerability is due to insufficient TLS client certificate validations for certificates sent between the various components of an ACI fabric. An attacker who has possession of a certificate that is trusted by the Cisco Manufacturing CA and the corresponding private key could exploit this vulnerability by presenting a valid certificate while attempting to connect to the targeted device. An exploit could allow the attacker to gain full control of all other components within the ACI fabric of an affected device.
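The advisory does not say which validations were missing, so the following is an added illustration of the general point only, not Cisco's code or its fix: a chain that verifies against a broad manufacturing CA shows who issued a certificate, not that its holder belongs to this fabric. The `FabricRegistry` class, the node IDs and the byte strings standing in for DER certificates are hypothetical and constructed for the example.

```python
import hashlib
import hmac

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding of the peer's leaf certificate."""
    return hashlib.sha256(der_cert).hexdigest()

def chain_only_authorize(chain_ok: bool) -> bool:
    """Weak policy: any certificate that chains to the trusted CA is accepted."""
    return chain_ok

class FabricRegistry:
    """Hypothetical allow-list: node id -> fingerprint pinned at registration."""

    def __init__(self):
        self._pins = {}

    def register(self, node_id: str, der_cert: bytes) -> None:
        self._pins[node_id] = fingerprint(der_cert)

    def authorize(self, node_id: str, der_cert: bytes, chain_ok: bool) -> bool:
        # Chain validation stays mandatory; the pin is an additional check.
        if not chain_ok:
            return False
        expected = self._pins.get(node_id)
        if expected is None:
            return False  # unknown node: chain trust alone is not membership
        return hmac.compare_digest(expected, fingerprint(der_cert))

# Constructed placeholders, not real certificates. In a live server the bytes
# would come from ssl.SSLSocket.getpeercert(binary_form=True) after a handshake
# performed with verify_mode = ssl.CERT_REQUIRED.
MEMBER_DER = b"constructed-der-bytes-for-registered-node-101"
OUTSIDER_DER = b"constructed-der-bytes-for-unrelated-device"

def build_registry() -> FabricRegistry:
    registry = FabricRegistry()
    registry.register("node-101", MEMBER_DER)
    return registry

if __name__ == "__main__":
    reg = build_registry()
    # Both certificates are assumed to chain to the same CA (chain_ok=True).
    print("chain-only, outsider:", chain_only_authorize(True))
    print("pinned, outsider as node-101:", reg.authorize("node-101", OUTSIDER_DER, True))
    print("pinned, member:", reg.authorize("node-101", MEMBER_DER, True))
```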

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-aci-insecure-fabric

Affected configurations

Vulners
Node: cisco nx_os Match 12.2 OR cisco nx_os Match any OR cisco nx_os Match 12.2\(2g\) OR cisco nx_os Match any

Vendor  Product  Version   CPE
cisco   nx_os    12.2      cpe:2.3:o:cisco:nx_os:12.2:*:*:*:*:*:*:*
cisco   nx_os    any       cpe:2.3:o:cisco:nx_os:any:*:*:*:*:*:*:*
cisco   nx_os    12.2(2g)  cpe:2.3:o:cisco:nx_os:12.2\(2g\):*:*:*:*:*:*:*

