PT-2014-5190 · Cisco · Cisco Nx-Os+1

Published 2014-06-11 · Updated 2016-09-08 · CVE-2014-3295

CVSS v2.0: 4.8 (Medium)

Vector: AV:A/AC:L/Au:N/C:N/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Cisco NX-OS version 6.2(2a) and earlier

Description

Incorrect parsing of malformed HSRP packets allows remote attackers to bypass authentication and cause a denial of service, including group-member state modification and traffic blackholing. By sending malformed packets, an attacker could bypass HSRP authentication and affect the state of active HSRP group members, causing them to go to SPEAK state, which leads to black holing of traffic and a denial of service condition. An attacker does not need to authenticate to a targeted device to exploit this, but must be on the same collision or broadcast domain as the targeted device.

Recommendations

For Cisco NX-OS version 6.2(2a) and earlier, there is at the moment no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the HSRP protocol to minimize the risk of exploitation.

DoS

Improper Authentication


Weakness Enumeration

Related Identifiers

CVE-2014-3295

Affected Products

Cisco Nx-Os
Cisco Nexus