Cisco NX-OS Software Image Verification Bypass Vulnerability – Source: sec.cloudapps.cisco.com

Source: sec.cloudapps.cisco.com – Author: .

Cisco NX-OS Software Image Verification Bypass Vulnerability

High

CVE-2024-20397

CWE-284

Summary

Affected Products

  • This vulnerability affects the following Cisco products if they are running a release of Cisco NX-OS Software that includes a vulnerable BIOS version, regardless of device configu

    • MDS 9000 Series Multilayer Switches (CSCwh76163)
    • Nexus 3000 Series Switches (CSCwm47438)
    • Nexus 7000 Series Switches (CSCwh76166)
    • Nexus 9000 Series Fabric Switches in ACI mode (CSCwn11901)
    • Nexus 9000 Series Switches in standalone NX-OS mode (CSCwm47438)
    • UCS 6400 Series Fabric Interconnects (CSCwj35846)
    • UCS 6500 Series Fabric Interconnects (CSCwj35846)

    Note: This vulnerability is relevant only for Cisco MDS, Nexus, and UCS Fabric Interconnect platforms that support secure boot technology.

    For information about which specific Cisco MDS, Nexus, and UCS Fabric Interconnect platforms support secure boot technology and the corresponding Cisco software releases that are vulnerable, see the Fixed Software section of this advisory.

    Determining the Cisco BIOS Version

    To determine which Cisco NX-OS BIOS version is running, log in to the device, use the show version CLI command, and view the BIOS output line, as shown in the following example:

    switch# show version | include BIOS
    BIOS: version 01.11
    BIOS compile time: 06/30/2023

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Workarounds

  • There are no workarounds that address this vulnerability.

Fixed Software

  • Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.

    Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Fixed Releases

    Resolution of this vulnerability requires a BIOS update on affected Cisco MDS, Nexus, and UCS Fabric Interconnect platforms that are running Cisco NX-OS Software.

    To upgrade the BIOS on Cisco MDS and Nexus Standalone platforms, upgrade Cisco NX-OS Software on the affected devices with the install all CLI command or install a specific SMU as indicated in the Fixed Release table that follows. For more information, see the Cisco Nexus 9000 Series NX-OS Software Upgrade and Downgrade Guide, Release 10.4(x).

    For Cisco Nexus 9000 Series Switches in ACI mode, upgrade to a fixed software release as shown in the Fixed Release table that follows. For more information, see the Cisco APIC Installation and ACI Upgrade and Downgrade Guide.

    For Cisco UCS Fabric Interconnect platforms, upgrade to a fixed software release as shown in the Fixed Release table that follows. For more information, see the Cisco UCS Manager Firmware Management Guide, Release 4.3.

    Cisco recommends verifying the BIOS version for each platform after the upgrade has been completed.

    Note: For Cisco MDS and Nexus standalone platforms, if the device was not previously upgraded by using the install all CLI command, the BIOS might not have been upgraded. Even if customers are running a fixed Cisco NX-OS Software release, they are advised to check the BIOS version and use the install all command to complete the BIOS upgrade, if applicable.

    In the following table, the left column lists Cisco MDS, Nexus, and UCS Fabric Interconnect platforms. The middle column indicates the first BIOS version that includes the fix for this vulnerability. The right column indicates the corresponding first Cisco NX-OS Software release or SMU or Cisco UCS Software release that incorporates the fixed BIOS version.

    Cisco MDS 9000 Series Multilayer Switches | First Fixed BIOS Version | First Fixed Cisco NX-OS Software Release
    MDS 9124V 64-Gbps 24-Port Fibre Channel Switch (DS-C9124V-K9) | 1.07 | 9.4(2)
    MDS 9132T Fibre Channel Switch (DS-C9132T-K9) | 1.46 | 9.4(2)
    MDS 9148T switch (DS-C9148T-K9) | 1.07 | 9.4(2)
    MDS 9148V 64-Gbps 48-Port Fibre Channel Switch (DS-C9148V-K9) | 1.07 | 9.4(2)
    MDS 9220i Multiservice Fabric Switch (DS-C9220I-K9) | 1.13 | 9.4(2)
    MDS 9396T 32-Gbps 96-Port Fibre Channel Switch (DS-C9396T-K9) | 1.07 | 9.4(2)
    MDS 9396V 64-Gbps 96-Port Fibre Channel Switch (DS-C9396V-K9) | 1.09 | 9.4(2)
    MDS 9700 Supervisor-4 Module (DS-X97-SF4-K9) | 2.17.0 or 4.9.0 | 9.4(2)
    Cisco Nexus 3000 Series Switches | First Fixed BIOS Version | First Fixed Cisco NX-OS Software Release
    Nexus 31108PC-V Switch (N3K-C31108PC-V) | 4.22 | 9.3(14) SMU (Dec 2024)
    Nexus 31108TC-V Switch (N3K-C31108TC-V) | 4.22 | 9.3(14) SMU (Dec 2024)
    Nexus 31128PQ Switch (N3K-C31128PQ) | 7.70 | 9.3(14) SMU (Dec 2024)
    Nexus 3132C-Z Switch (N3K-C3132C-Z) | 5.51 | 9.3(13)
    Nexus 3232C Switch (N3K-C3232C) | 8.40 | 9.3(14) SMU (Dec 2024)
    Nexus 3264C-E Switch (N3K-C3264C-E) | 5.51 | 9.3(13)
    Nexus 3264Q Switch (N3K-C3264Q) | 8.40 | 9.3(14) SMU (Dec 2024)
    Nexus 3408-S Switch (N3K-C3408-S) | 5.44 | 9.3(13)
    Nexus 34200YC-SM Switch (N3K-C34200YC-SM) | 5.51 | 9.3(13)
    Nexus 3432D-S Switch (N3K-C3432D-S) | 5.51 | 9.3(13)
    Nexus 36180YC-R Switch (N3K-C36180YC-R) | 1.24 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 3636C-R Switch (N3K-C3636C-R) | 1.24 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Cisco Nexus 7000 Series Switches | First Fixed BIOS Version | First Fixed Cisco NX-OS Software Release
    Nexus 7700 Supervisor 3E (N77-SUP3E) | 1.56.0 or 3.10.0 | 8.4(10)
    Cisco Nexus 9000 Series Switches in ACI mode | First Fixed BIOS Version | First Fixed Cisco NX-OS Software Release
    Nexus 93108TC-EX ACI-Mode Switch (N9K-C93108TC-EX) | 7.71 | 16.0(8f); 16.1(2)
    Nexus 93108TC-EX-24 ACI-Mode Switch (N9K-C93108TC-EX-24) | 7.71 | 16.0(8f); 16.1(2)
    Nexus 93108TC-FX ACI-Mode Switch (N9K-C93108TC-FX) | 5.51 | 16.0(4c)
    Nexus 93108TC-FX-24 ACI-Mode Switch (N9K-C93108TC-FX-24) | 5.51 | 16.0(4c)
    Nexus 93108TC-FX3 ACI-Mode Switch (N9K-C93108TC-FX3) | 1.05 | 16.0(8f); 16.1(2)
    Nexus 93108TC-FX3H ACI-Mode Switch (N9K-C93108TC-FX3H) | 5.51 | 16.0(8f); 16.1(2)
    Nexus 93108TC-FX3P ACI-Mode Switch (N9K-C93108TC-FX3P) | 5.51 | 16.0(4c)
    Nexus 93120TX ACI-Mode Switch (N9K-C93120TX) | 7.70 | 15.3(2e)
    Nexus 9316D-GX ACI-Mode Switch (N9K-C9316D-GX) | 5.51 | 16.0(4c)
    Nexus 93180LC-EX ACI-Mode Switch (N9K-C93180LC-EX) | 5.51 | 16.0(4c)
    Nexus 93180YC-EX ACI-Mode Switch (N9K-C93180YC-EX) | 7.71 | 16.0(8f); 16.1(2)
    Nexus 93180YC-EX-24 ACI-Mode Switch (N9K-C93180YC-EX-24) | 7.71 | 16.0(8f); 16.1(2)
    Nexus 93180YC-FX ACI-Mode Switch (N9K-C93180YC-FX) | 5.51 | 16.0(4c)
    Nexus 93180YC-FX-24 ACI-Mode Switch (N9K-C93180YC-FX-24) | 5.51 | 16.0(4c)
    Nexus 93180YC-FX3 ACI-Mode Switch (N9K-C93180YC-FX3) | 1.09 | 16.0(8f); 16.1(2)
    Nexus 93180YC-FX3H ACI-Mode Switch (N9K-C93180YC-FX3H) | 1.09 | 16.0(8f); 16.1(2)
    Nexus 93216TC-FX2 ACI-Mode Switch (N9K-C93216TC-FX2) | 5.51 | 16.0(4c)
    Nexus 93240YC-FX2 ACI-Mode Switch (N9K-C93240YC-FX2) | 5.51 | 16.0(4c)
    Nexus 9332C ACI-Mode Switch (N9K-C9332C) | 5.51 | 16.0(4c)
    Nexus 9332D-GX2B ACI-Mode Switch (N9K-C9332D-GX2B) | 1.13 | 16.0(8f); 16.1(2)
    Nexus 93360YC-FX2 ACI-Mode Switch (N9K-C93360YC-FX2) | 5.51 | 16.0(4c)
    Nexus 9336C-FX2 ACI-Mode Switch (N9K-C9336C-FX2) | 5.51 | 16.0(4c)
    Nexus 9336C-FX2-E ACI-Mode Switch (N9K-C9336C-FX2-E) | 1.07 | 16.0(4c)
    Nexus 9348D-GX2A ACI-Mode Switch (N9K-C9348D-GX2A) | 1.09 | 16.0(8f); 16.1(2)
    Nexus 9348GC-FX3 ACI-Mode Switch (N9K-C9348GC-FX3) | 1.06 | 16.0(8f); 16.1(2)
    Nexus 9348GC-FXP ACI-Mode Switch (N9K-C9348GC-FXP) | 5.51 | 16.0(4c)
    Nexus 93600CD-GX ACI-Mode Switch (N9K-C93600CD-GX) | 5.51 | 16.0(4c)
    Nexus 9364C ACI-Mode Switch (N9K-C9364C) | 5.51 | 16.0(4c)
    Nexus 9364C-GX ACI-Mode Switch (N9K-C9364C-GX) | 5.51 | 16.0(4c)
    Nexus 9364D-GX2A ACI-Mode Switch (N9K-C9364D-GX2A) | 1.16 | 16.0(8f); 16.1(2)
    Nexus 9500 Supervisor A (N9K-SUP-A) ACI-Mode | 8.40 | 16.0(8f)
    Nexus 9500 Supervisor A+ (N9K-SUP-A+) ACI-Mode | 5.51 | 16.0(4c)
    Nexus 9500 Supervisor B (N9K-SUP-B) ACI-Mode | 8.40 | 16.0(8f)
    Nexus 9500 Supervisor B+ (N9K-SUP-B+) ACI-Mode | 5.51 | 16.0(4c)
    Cisco Nexus 9000 Series Switches in Standalone NX-OS mode | First Fixed BIOS Version | First Fixed Cisco NX-OS Software Release
    Nexus 92160YC-X Switch (N9K-C92160YC-X) | None planned | None planned [1]
    Nexus 92300YC Switch (N9K-C92300YC) | 5.51 | 9.3(13)
    Nexus 9232C Switch (N9K-C9232C) | 7.71 | 9.3(14) SMU (Dec 2024); 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024); 10.4(4) SMU (Dec 2024); 10.5(2)
    Nexus 92348GC-X Switch (N9K-C92348GC-X) | 5.46 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 9236C Switch (N9K-C9236C) | 7.71 | 9.3(14) SMU (Dec 2024)
    Nexus 9272Q Switch (N9K-C9272Q) | 7.71 | 9.3(14) SMU (Dec 2024)
    Nexus 93108TC-EX Switch (N9K-C93108TC-EX) | 7.71 | 9.3(14) SMU (Dec 2024); 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024)
    Nexus 93108TC-EX-24 Switch (N9K-C93108TC-EX-24) | 7.71 | 9.3(14) SMU (Dec 2024); 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024)
    Nexus 93108TC-FX Switch (N9K-C93108TC-FX) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 93108TC-FX-24 Switch (N9K-C93108TC-FX-24) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 93108TC-FX3 Switch (N9K-C93108TC-FX3) | 1.05 | 10.4(4) SMU (Dec 2024); 10.5(2)
    Nexus 93108TC-FX3H Switch (N9K-C93108TC-FX3H) | 5.51 | 10.3(5); 10.4(2)
    Nexus 93108TC-FX3P Switch (N9K-C93108TC-FX3P) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 93120TX Switch (N9K-C93120TX) | 7.70 | 9.3(14) SMU (Dec 2024)
    Nexus 9316D-GX Switch (N9K-C9316D-GX) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 93180LC-EX Switch (N9K-C93180LC-EX) | 5.51 | 9.3(13)
    Nexus 93180YC-EX Switch (N9K-C93180YC-EX) | 7.71 | 9.3(14) SMU (Dec 2024); 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024)
    Nexus 93180YC-EX-24 Switch (N9K-C93180YC-EX-24) | 7.71 | 9.3(14) SMU (Dec 2024); 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024)
    Nexus 93180YC-FX Switch (N9K-C93180YC-FX) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 93180YC-FX-24 Switch (N9K-C93180YC-FX-24) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 93180YC-FX3 Switch (N9K-C93180YC-FX3) | 1.09 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 93180YC-FX3H Switch (N9K-C93180YC-FX3H) | 1.09 | 10.3(5); 10.4(2)
    Nexus 93180YC-FX3S Switch (N9K-C93180YC-FX3S) | 1.09 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 93216TC-FX2 Switch (N9K-C93216TC-FX2) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 93240YC-FX2 Switch (N9K-C93240YC-FX2) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 93240YC-FX2-Z Switch (N9K-C93240YC-FX2-Z) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 9332C Switch (N9K-C9332C) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 9332D-GX2B Switch (N9K-C9332D-GX2B) | 1.13 | 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024); 10.4(4) SMU (Dec 2024); 10.5(2)
    Nexus 9332D-H2R Switch (N9K-C9332D-H2R) | 1.07 | 10.4(4) SMU (Dec 2024); 10.5(1)
    Nexus 93360YC-FX2 Switch (N9K-C93360YC-FX2) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 9336C-FX2 Switch (N9K-C9336C-FX2) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 9336C-FX2-E Switch (N9K-C9336C-FX2-E) | 1.07 | 10.2(7); 10.3(5); 10.4(2)
    Nexus 93400LD-H1 Switch (N9K-C93400LD-H1) | 2.10 | 10.4(4) SMU (Dec 2024); 10.5(2)
    Nexus 9348D-GX2A Switch (N9K-C9348D-GX2A) | 1.09 | 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024); 10.4(4) SMU (Dec 2024); 10.5(2)
    Nexus 9348GC-FX3 Switch (N9K-C9348GC-FX3) | 1.06 | 10.4(2)
    Nexus 9348GC-FX3PH Switch (N9K-C9348GC-FX3PH) | 1.06 | 10.4(2)
    Nexus 9348GC-FXP Switch (N9K-C9348GC-FXP) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 9358GY-FXP Switch (N9K-C9358GY-FXP) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 93600CD-GX Switch (N9K-C93600CD-GX) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 9364C Switch (N9K-C9364C) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 9364C-GX Switch (N9K-C9364C-GX) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 9364C-H1 Switch (N9K-C9364C-H1) | 1.06 | 10.4(4) SMU (Dec 2024); 10.5(2)
    Nexus 9364D-GX2A Switch (N9K-C9364D-GX2A) | 1.16 | 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024); 10.4(4) SMU (Dec 2024); 10.5(2)
    Nexus 9408 Switch (N9K-C9408) | 1.11 | 10.3(6) SMU (Dec 2024); 10.4(4) SMU (Dec 2024); 10.5(2)
    Nexus 9500 Supervisor A (N9K-SUP-A) | 8.40 | 9.3(14) SMU (Dec 2024); 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024); 10.4(4) SMU (Dec 2024); 10.5(2)
    Nexus 9500 Supervisor A+ (N9K-SUP-A+) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 9500 Supervisor B (N9K-SUP-B) | 8.40 | 9.3(14) SMU (Dec 2024); 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024); 10.4(4) SMU (Dec 2024); 10.5(2)
    Nexus 9500 Supervisor B+ (N9K-SUP-B+) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2)
    Nexus 9800 Supervisor (N9K-C9800-SUP-A) | 1.12 | 10.3(5); 10.4(3)
    Cisco UCS Fabric Interconnects | First Fixed BIOS Version | First Fixed Cisco UCS Software Release
    UCS 64108 Fabric Interconnect (UCS-FI-64108) | 5.50 | 4.1(3n) (Dec 2024); 4.2(3n) (Jan 2025); 4.3(4a)
    UCS 6454 Fabric Interconnect (UCS-FI-6454) | 5.50 | 4.1(3n) (Dec 2024); 4.2(3n) (Jan 2025); 4.3(4a)
    UCS 6536 Fabric Interconnect (UCS-FI-6536) | 1.6 | 4.3(4a)

    1. Cisco has not released and will not release software updates for Cisco Nexus 92160YC-X Switches because this product has reached the End of Vulnerability/Security Support. Customers are advised to refer to End-of-Sale and End-of-Life Announcement for the Cisco Nexus N9K-C92160YC-X.

    Note: Because this vulnerability is relevant only for Cisco MDS, Nexus, and UCS Fabric Interconnect platforms that support secure boot, legacy Cisco MDS, Nexus, and UCS Fabric Interconnect platforms that do not support secure boot are not listed in the table above.

    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
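The advisory gives two things a defender needs to act on: the `show version | include BIOS` check and the per-platform first-fixed BIOS versions, plus the warning that a device can run a fixed NX-OS release while its BIOS was never upgraded. The following is an added example (my code, not Cisco's) that turns those into a fleet compliance check: it parses captured `show version` text, compares the running BIOS numerically against a transcribed subset of the Fixed Releases table, and deliberately keys on the BIOS version rather than the NX-OS release. Assumptions: product IDs come from your inventory (for example the PID in `show inventory`); the `NXOS: version` line is assumed standard `show version` output and is used only for reporting; the `SAMPLE_FLEET` outputs are constructed, not captured from real devices; and BIOS version components are compared as integers with leading zeros ignored, so the CLI's `05.51` equals the advisory's `5.51`.

```python
"""Fleet check for CVE-2024-20397 (Cisco NX-OS image verification bypass).

Added example; not Cisco's code. It keys on the BIOS version only, because the
advisory notes that a device can run a fixed NX-OS release while its BIOS was
never upgraded (for example, when it was not upgraded with `install all`).
"""
import re

# Subset of the advisory's Fixed Releases table: product ID -> first fixed BIOS
# version(s). A tuple holds alternative BIOS lines (the MDS 9700 Supervisor-4 is
# fixed in 2.17.0 or 4.9.0, depending on which line the module runs). None means
# the advisory lists "None planned". Extend from the advisory for your own fleet.
FIRST_FIXED_BIOS = {
    "N9K-C93180YC-FX": ("5.51",),
    "N9K-C93108TC-FX3": ("1.05",),
    "N9K-C9332D-GX2B": ("1.13",),
    "N9K-C92160YC-X": None,
    "DS-X97-SF4-K9": ("2.17.0", "4.9.0"),
    "UCS-FI-6536": ("1.6",),
}

# "BIOS: version 01.11" is the line format the advisory shows. The NXOS line is
# an assumption about standard `show version` output, used only for reporting.
BIOS_RE = re.compile(r"^\s*BIOS:\s+version\s+(\S+)", re.MULTILINE)
NXOS_RE = re.compile(r"^\s*NXOS:\s+version\s+(\S+)", re.MULTILINE)


def version_key(version):
    """'01.11' -> (1, 11), '2.17.0' -> (2, 17, 0). Components compare as integers,
    so the CLI's leading zeros (05.51) match the advisory's spelling (5.51)."""
    return tuple(int(part) for part in version.split("."))


def _pad(key, width):
    """Right-pad a version tuple with zeros so (2, 17) compares equal to (2, 17, 0)."""
    return key + (0,) * (width - len(key))


def bios_is_fixed(running, fixed_versions):
    """True/False if the running BIOS is at or above the fix on its own major line;
    None if the running major matches none of the advisory's fixed lines, which
    needs a human look rather than a silent pass."""
    run = version_key(running)
    same_line = [version_key(v) for v in fixed_versions if version_key(v)[0] == run[0]]
    if not same_line:
        return None
    fix = min(same_line)
    width = max(len(run), len(fix))
    return _pad(run, width) >= _pad(fix, width)


def assess(product_id, show_version_output):
    """Classify one device from its inventory product ID and raw `show version` text."""
    bios = BIOS_RE.search(show_version_output)
    nxos = NXOS_RE.search(show_version_output)
    result = {
        "product_id": product_id,
        "bios": bios.group(1) if bios else None,
        "nxos": nxos.group(1) if nxos else None,
    }
    if product_id not in FIRST_FIXED_BIOS:
        result["status"] = "unknown_platform"   # not in our table: consult the advisory
    elif FIRST_FIXED_BIOS[product_id] is None:
        result["status"] = "no_fix_planned"     # end of vulnerability/security support
    elif bios is None:
        result["status"] = "unparsed"           # no BIOS line captured; re-collect
    else:
        verdict = bios_is_fixed(bios.group(1), FIRST_FIXED_BIOS[product_id])
        result["status"] = {True: "fixed", False: "vulnerable", None: "review"}[verdict]
    return result


# Constructed sample data (hostname -> (product ID, abridged `show version` output));
# not captured from real devices. leaf-01 is the case the advisory warns about:
# a fixed NX-OS release whose BIOS was never upgraded.
SAMPLE_FLEET = {
    "leaf-01": ("N9K-C93180YC-FX", "Software\n  BIOS: version 05.47\n  NXOS: version 10.3(5)\n"),
    "leaf-02": ("N9K-C93180YC-FX", "Software\n  BIOS: version 05.51\n  NXOS: version 10.3(5)\n"),
    "leaf-03": ("N9K-C9332D-GX2B", "Software\n  BIOS: version 01.11\n  NXOS: version 10.4(4)\n"),
    "mds-sup": ("DS-X97-SF4-K9", "Software\n  BIOS: version 04.09.00\n  NXOS: version 9.4(2)\n"),
    "old-leaf": ("N9K-C92160YC-X", "Software\n  BIOS: version 07.69\n  NXOS: version 9.3(12)\n"),
}


def fleet_report(fleet):
    """hostname -> status for every device; anything other than 'fixed' needs action."""
    return {host: assess(pid, text)["status"] for host, (pid, text) in fleet.items()}


if __name__ == "__main__":
    for host, status in fleet_report(SAMPLE_FLEET).items():
        print(f"{host:10} {status}")
```

Running it on the constructed fleet reports leaf-01 as vulnerable despite its fixed 10.3(5) release, which is exactly the state the advisory's note about `install all` describes; the `review` status exists so that a BIOS on a major line the table does not list (the two-line MDS 9700 Supervisor-4 entry) is surfaced rather than silently passed.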

Exploitation and Public Announcements

  • The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  • Cisco would like to thankreporting this vulnerability.

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Related to This Advisory


Revision History

  • Version | Description | Section | Status | Date
    1.0 | Initial public release. | | Final | 2024-DEC-04


Original Post url: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-image-sig-bypas-pQDRQvjL?vs_f=Cisco%20Security%20Advisory%26vs_cat=Security%20Intelligence%26vs_type=RSS%26vs_p=Cisco%20NX-OS%20Software%20Image%20Verification%20Bypass%20Vulnerability%26vs_k=1
