Security Alert (A16-10-01): Multiple Vulnerabilities in Cisco Products
01 October 2016
Cisco has released five security advisories fixing a number of vulnerabilities in Cisco NX-OS Software. A remote attacker could exploit the vulnerabilities by sending a maliciously crafted BGP update message, DHCPv4 packet or OTV UDP packet to the affected device.
Multilayer Director Switches
Nexus 1000V Series Switches
Nexus 2000 Series Fabric Extenders
Nexus 3000 Series Switches
Nexus 3500 Platform Switches
Nexus 4000 Series Switches
Nexus 5000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Switches (in ACI mode or NX-OS mode)
The complete list of vulnerable systems can be found in the "Affected Products" section of the individual Cisco Security Advisories, available at:
2. Cisco Nexus 7000 and 7700 Series Switches Overlay Transport Virtualization Buffer Overflow Vulnerability https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-otv
3. Cisco NX-OS Border Gateway Protocol Denial of Service Vulnerability https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-bgp
4. Cisco NX-OS Software Crafted DHCPv4 Packet Denial of Service Vulnerability https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-dhcp1
5. Cisco NX-OS Software Malformed DHCPv4 Packet Denial of Service Vulnerability https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-dhcp2
Depending on the vulnerability exploited, a successful attack could cause arbitrary code execution, bypass of security restrictions, a denial-of-service condition, or reload of a vulnerable device.
Patches for affected systems are now available. Users of affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk. For detailed information on the available patches, please refer to the "Fixed Software" section of the corresponding security advisory on the vendor's website.
Users should contact their product support vendors for the fixes and assistance.