-
A vulnerability exists in Cisco Nexus 5000 and 3000 Series Switches that may allow traffic to bypass deny statements in access control lists (ACLs) that are configured on the device.
Cisco has released software updates that address this vulnerability.
A workaround is available to mitigate this vulnerability.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110907-nexus.
-
Cisco Nexus 5000 and 3000 Series Switches are affected by this vulnerability when a remark is configured before a deny statement on an ACL.
Vulnerable Products
All Cisco Nexus 5000 NX-OS Software Releases 5.0(2) and 5.0(3) prior to 5.0(3)N2(1) are affected by this vulnerability.
Note: Cisco Nexus 5000 NX-OS Software Releases 4.x are not affected by this vulnerability.
All Cisco Nexus 3000 NX-OS Software Releases prior to 5.0(3)U1(2a) or 5.0(3)U2(1) are affected by this vulnerability.
The effects of this vulnerability are experienced when an ACL remark is configured prior to any deny statement on the ACL. A remark is a comment about the configured access control entry (ACE).
The following example shows how to create a remark in an IPv4 ACL and display the results:
    ip access-list acl-ipv4-01
      remark this ACL denies the 10.1.1.0/24 access to the 10.1.2.0/24 network
      deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
Note: All the ACEs after a remark are affected. This includes the default implicit deny at the end of the ACL. IPv4, IPv6 and MAC ACLs are affected. Quality of service (QoS) classification and route-map ACLs are not affected by this vulnerability.
Determining Software Version
To determine the Cisco NX-OS Software release that is running on a Cisco product, administrators can log in to the device and issue the show version command to display the system banner. The following example shows how to display the version information for the kickstart and system image running on a device that runs Cisco NX-OS Release 5.0(2)N2(1):
    switch# show version
    Cisco Nexus Operating System (NX-OS) Software
    TAC support: http://www.cisco.com/tac
    Copyright (c) 2002-2010, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.

    Software
      BIOS:      version 1.3.0
      loader:    version N/A
      kickstart: version 5.0(2)N2(1) [build 5.0(2)N2(1)]
      system:    version 5.0(2)N2(1) [build 5.0(2)N2(1)]
    !--- output truncated
Products Confirmed Not Vulnerable
The following Cisco products are confirmed not to be affected by this vulnerability.
- Cisco Nexus 7000 Series Switches
- Cisco Nexus 4000 Series Switches
- Cisco Nexus 2000 Series Switches
- Cisco Nexus 1000V Series Switches
- Cisco MDS 9000 Software
- Cisco Unified Computing System
No other Cisco products are currently known to be affected by this vulnerability.
-
An ACL is an ordered set of rules that filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the device determines that an ACL applies to a packet, it tests the packet against the conditions of all rules. The first matching rule determines whether the packet is permitted or denied. If there is no match, the device applies the applicable implicit rule. The device continues processing packets that are permitted and drops packets that are denied.
A vulnerability in Cisco Nexus 5000 and 3000 Series Switches may allow traffic to bypass deny statements in IP, VLAN, or MAC ACLs that are configured on the device. This behavior is experienced when an ACL remark is configured prior to any deny statement on such an ACL.
Note: All the ACEs after a remark are affected. This includes the default implicit deny at the end of the ACL. IPv4, IPv6 and MAC ACLs are affected. QoS classification and route-map ACLs are not affected by this vulnerability.
This vulnerability is documented in Cisco bug IDs CSCto09813 and CSCtr61490 (registered customers only), and has been assigned CVE ID CVE-2011-2581.
-
The effects of this vulnerability are experienced when an ACL remark is configured prior to any deny statement on the ACL. As a workaround, remarks can be removed from the configuration to mitigate this vulnerability. ACL remarks can be removed using the no remark command under each configured ACL.
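The exposure condition and the workaround above can be checked against saved configuration text. The following is an added Python example (not Cisco's code): it parses NX-OS running-config output, reports the IPv4, IPv6 and MAC ACLs in which a remark precedes an explicit ACE or the implicit deny, and generates the no remark commands for each. The configuration text is constructed for the example; sequence numbers are treated as optional.

```python
import re
# Constructed sample of NX-OS running-config text (not from a real device).
SAMPLE_CONFIG = """\
ip access-list acl-ipv4-01
  10 remark this ACL denies the 10.1.1.0/24 access to the 10.1.2.0/24 network
  20 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
  30 permit ip any any
ip access-list acl-ipv4-02
  10 permit tcp any any eq 22
  20 deny ip any any
ipv6 access-list acl-ipv6-01
  10 permit ipv6 2001:db8::/32 any
  20 remark only the implicit deny follows this remark
interface Ethernet1/1
  ip access-group acl-ipv4-01 in
"""
ACL_HEADER = re.compile(r"^(ip|ipv6|mac) access-list (\S+)$")
ENTRY = re.compile(r"^(?:\d+ )?(remark|permit|deny)(.*)$")
def parse_acls(config):
    """Return {name: (type, [(keyword, rest), ...])} for IPv4, IPv6 and MAC ACLs."""
    acls, current = {}, None
    for raw in config.splitlines():
        header = ACL_HEADER.match(raw)
        if header:
            current = header.group(2)
            acls[current] = (header.group(1), [])
        elif raw.startswith(" ") and current is not None:
            entry = ENTRY.match(raw.strip())
            if entry:  # skips non-ACE lines such as 'statistics per-entry'
                acls[current][1].append(entry.groups())
        else:
            current = None  # an unindented line ends the ACL block
    return acls
def affected_acls(config):
    """Map each ACL containing a remark to the explicit ACEs after its first
    remark. The implicit deny always follows, so a trailing remark still counts."""
    report = {}
    for name, (_, entries) in parse_acls(config).items():
        first = next((i for i, e in enumerate(entries) if e[0] == "remark"), None)
        if first is not None:
            report[name] = [kw + rest for kw, rest in entries[first + 1:] if kw != "remark"]
    return report
def workaround_commands(config):
    """Build the 'no remark' commands the advisory gives as the workaround."""
    cmds = []
    for name, (kind, entries) in parse_acls(config).items():
        remarks = [rest for kw, rest in entries if kw == "remark"]
        if remarks:
            cmds += [f"{kind} access-list {name}"] + [f"  no remark{rest}" for rest in remarks]
    return cmds
```

In the sample, acl-ipv4-02 is not reported because it has no remark, while acl-ipv6-01 is reported with no explicit ACE after the remark because the implicit deny is still affected.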
-
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
Cisco Nexus 3000 NX-OS Software
This vulnerability has been corrected in Cisco Nexus 3000 NX-OS Software Releases 5.0(3)U1(2a) and 5.0(3)U2(1) and later.
Cisco Nexus 3000 NX-OS Software can be downloaded from the following link: http://www.cisco.com/cisco/software/find.html?q=nx-os
Cisco Nexus 5000 NX-OS Software
This vulnerability has been corrected in Cisco Nexus 5000 NX-OS Software Releases 5.0(3)N2(1) and later.
Cisco Nexus 5000 NX-OS Software can be downloaded from the following link: http://www.cisco.com/cisco/software/find.html?q=nx-os
-
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
This vulnerability was found during the troubleshooting of a customer service request.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.0
2011-September-07
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.