PT-2017-16155 · Cisco · Firepower 4100 Series Next-Generation Firewalls and 21 other products

Published: 2017-10-18 · Updated: 2023-04-20 · CVE-2017-3883

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Affected versions are not specified for any of the following:

Cisco FXOS and NX-OS System Software
Firepower 4100 Series Next-Generation Firewall
Firepower 9300 Security Appliance
Multilayer Director Switches
Nexus 1000V Series Switches
Nexus 1100 Series Cloud Services Platforms
Nexus 2000 Series Switches
Nexus 3000 Series Switches
Nexus 3500 Platform Switches
Nexus 5000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Switches in NX-OS mode
Nexus 9500 R-Series Line Cards and Fabric Modules
Unified Computing System (UCS) 6100 Series Fabric Interconnects
Unified Computing System (UCS) 6200 Series Fabric Interconnects
Unified Computing System (UCS) 6300 Series Fabric Interconnects
Description

A vulnerability in the authentication, authorization, and accounting (AAA) implementation could allow an unauthenticated, remote attacker to cause an affected device to reload. The vulnerability occurs because AAA processes prevent the NX-OS System Manager from receiving keepalive messages when an affected device receives a high rate of login attempts, such as in a brute-force login attack. Under the same conditions, system memory can run low on FXOS devices, which could cause the AAA process to restart unexpectedly or cause the device to reload. An attacker could exploit this vulnerability by performing a brute-force login attack against a device that is configured with AAA security services. A successful exploit could allow the attacker to cause the affected device to reload.
Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider configuring the login block-for CLI command to mitigate this vulnerability, noting that it may not function as desired in all cases. Restrict access to devices configured with AAA security services to minimize the risk of exploitation. Avoid using devices that are configured with AAA security services until the issue is resolved. Cisco has released software updates that address this vulnerability, but the specific versions are not specified. Workarounds that address this vulnerability exist, but their details are not provided.
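The condition this advisory describes is a burst of failed logins high enough to starve the System Manager of AAA keepalives. The same "N attempts within T seconds" rule that a login block-for style throttle enforces on the device can be evaluated off-box over the device's syslog, so a burst is spotted and blocked upstream (ACL, firewall) before the device reloads. The following is an added example, not code from Cisco or this advisory; the syslog message format and the sample lines are constructed and assumed, so the regex must be adapted to the real messages your platform emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog in an assumed NX-OS-like message format (real text
# varies by platform and release; adjust FAIL_RE to your own logs).
# 198.51.100.7 hammers the device; 203.0.113.5 is a user mistyping a password.
SAMPLE_LOGS = """\
2017-10-18T10:00:00 nx-sw1 %AUTHPRIV-3-SYSTEM_MSG: Authentication failed for user admin from 198.51.100.7 - sshd
2017-10-18T10:00:01 nx-sw1 %AUTHPRIV-3-SYSTEM_MSG: Authentication failed for user admin from 198.51.100.7 - sshd
2017-10-18T10:00:02 nx-sw1 %AUTHPRIV-3-SYSTEM_MSG: Authentication failed for user root from 198.51.100.7 - sshd
2017-10-18T10:00:03 nx-sw1 %AUTHPRIV-3-SYSTEM_MSG: Authentication failed for user cisco from 198.51.100.7 - sshd
2017-10-18T10:00:04 nx-sw1 %AUTHPRIV-3-SYSTEM_MSG: Authentication failed for user admin from 198.51.100.7 - sshd
2017-10-18T10:00:05 nx-sw1 %AUTHPRIV-3-SYSTEM_MSG: Authentication failed for user admin from 198.51.100.7 - sshd
2017-10-18T10:00:10 nx-sw1 %AUTHPRIV-3-SYSTEM_MSG: Authentication failed for user jdoe from 203.0.113.5 - sshd
2017-10-18T10:00:12 nx-sw1 %AUTHPRIV-6-SYSTEM_MSG: User jdoe logged in from 203.0.113.5 - sshd
2017-10-18T10:02:30 nx-sw1 %AUTHPRIV-3-SYSTEM_MSG: Authentication failed for user jdoe from 203.0.113.5 - sshd
2017-10-18T10:05:00 nx-sw1 %AUTHPRIV-3-SYSTEM_MSG: Authentication failed for user jdoe from 203.0.113.5 - sshd
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ .*Authentication failed for user (?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)

def find_bruteforce_sources(lines, attempts=5, within=60):
    """Map source IP -> timestamp at which its failed logins first reached
    `attempts` within a sliding `within`-second window: the "N attempts within
    T seconds" rule of a login block-for throttle, applied off-box to syslog so
    a burst is blocked upstream before AAA starves System Manager keepalives.
    """
    recent = defaultdict(deque)  # source_ip -> timestamps of recent failures
    alerts = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated messages are ignored
        ts = datetime.fromisoformat(m["ts"]).timestamp()
        window = recent[m["src"]]
        window.append(ts)
        while window and ts - window[0] > within:
            window.popleft()  # slide the window forward, dropping old failures
        if len(window) >= attempts and m["src"] not in alerts:
            alerts[m["src"]] = m["ts"]  # record the first threshold crossing
    return alerts

if __name__ == "__main__":
    for src, when in find_bruteforce_sources(SAMPLE_LOGS.splitlines()).items():
        print(f"brute-force burst from {src}, threshold crossed at {when}")
```

With the defaults, only the bursty source is flagged; the slow run of typos from 203.0.113.5 stays below the threshold, which is the trade-off to tune (`attempts`, `within`) so the rule fires well before the device-side rate that triggers the reload.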

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2017-3883

Affected Products

Cisco FXOS
Cisco Nexus
Firepower 4100 Series Next-Generation Firewalls
Firepower 9300 Security Appliance
Multilayer Director Switches
NX-OS System
Nexus 1000V Series Switches
Nexus 1100 Series Cloud Services Platforms
Nexus 2000 Series Switches
Nexus 3000 Series Switches
Nexus 3500 Platform Switches
Nexus 5000 Series Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Switches
Nexus 9500 R-Series Line Cards/Fabric Modules
Unified Computing System (UCS) 6100 Series Fabric Interconnects
Unified Computing System (UCS) 6200 Series Fabric Interconnects
Unified Computing System (UCS) 6300 Series Fabric Interconnects