A high-severity vulnerability in TACACS+ and RADIUS remote authentication for Cisco NX-OS Software might allow an unauthenticated local attacker to force an affected device to unintentionally reload.
NX-OS is a network operating system for Cisco Systems’ Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network devices. It originated from the SAN-OS operating system developed by Cisco for their MDS switches.
With a CVSS score of 7.1, this vulnerability is tagged as CVE-2023-20168. If the exploit is successful, the attacker may be able to trigger an unexpected device reload that would create a denial of service (DoS) attack.
This vulnerability has been fixed by software updates from Cisco. There are no workarounds that address this vulnerability.
Details of the Vulnerability
Cisco stated that if the directed request option for TACACS+ or RADIUS is enabled, this vulnerability arises by incorrect input validation when processing an authentication attempt.
By providing a specially crafted string at the login prompt of a compromised device, an attacker might take advantage of this vulnerability.
“This vulnerability is due to incorrect input validation when processing an authentication attempt if the directed request option is enabled for TACACS+ or RADIUS,” Cisco said in its security advisory.
“A successful exploit could allow the attacker to cause the affected device to unexpectedly reload, resulting in a denial of service (DoS) condition.”
If the directed request option is enabled for TACACS+, RADIUS, or both on a vulnerable edition of Cisco NX-OS Software, it might affect the following Cisco products:
- MDS 9000 Series Multilayer Switches (CSCwe72670)
- Nexus 1000 Virtual Edge for VMware vSphere (CSCwe72673)
- Nexus 1000V Switch for Microsoft Hyper-V (CSCwe72673)
- Nexus 1000V Switch for VMware vSphere (CSCwe72673)
- Nexus 3000 Series Switches (CSCwe72648)
- Nexus 5500 Platform Switches (CSCwe72674)
- Nexus 5600 Platform Switches (CSCwe72674)
- Nexus 6000 Series Switches (CSCwe72674)
- Nexus 7000 Series Switches (CSCwe72368)
- Nexus 9000 Series Switches in standalone NX-OS mode (CSCwe72648)
“This vulnerability can only be exploited over Telnet, which is disabled by default, or over the console management connection. This vulnerability cannot be exploited over SSH connections to the device”, Cisco said.
To Identify Vulnerable Configuration
Use the show running-config | include the directed-request command to see if the directed request option is enabled for TACACS+ or RADIUS.
This vulnerability may affect the device if the command returns tacacs-server directed-request or radius-server directed-request.
Products Not Vulnerable
- Firepower 1000 Series
- Firepower 2100 Series
- Firepower 4100 Series
- Firepower 9300 Security Appliances
- Nexus 9000 Series Fabric Switches in ACI mode
- Secure Firewall 3100 Series
- UCS 6200 Series Fabric Interconnects
- UCS 6300 Series Fabric Interconnects
- UCS 6400 Series Fabric Interconnects
- UCS 6500 Series Fabric Interconnects
To address this issue, Cisco has published the following SMUs.
Customers may get the SMUs from Cisco.com’s Software Centre.
Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.