Cisco published an advisory on 25 August 2021 (updated 02 September 2021) detailing a Denial of Service vulnerability in Cisco NX-OS Software on Nexus Series Switches. The vulnerability, tracked as CVE-2021-1588, is rated High with a CVSS base score of 8.6 out of 10. It lies in the MPLS Operation, Administration, and Maintenance (OAM) feature of Cisco NX-OS Software and could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on affected device models. Because an attacker can trigger the condition simply by sending crafted MPLS echo-request or echo-reply packets to a vulnerable switch, fixing CVE-2021-1588 should be treated as a priority. Let's see how to fix CVE-2021-1588, a Denial of Service Vulnerability in Cisco NX-OS Software, in this post.
Cisco NX-OS Software is the network operating system for the Cisco Nexus family of data center switches. It evolved from Cisco SAN-OS, the operating system of the MDS 9000 storage switches, and is built for high availability, modularity, scalability, and serviceability. Cisco NX-OS Software also supports other key data center technologies, such as Fibre Channel over Ethernet (FCoE), Multiprotocol Label Switching (MPLS), and virtual port channels (vPCs). Cisco NX-OS offers comprehensive features and functions designed to meet the challenges of modern data center networks.
Cisco NX-OS Software ships with features such as:
High availability: The software architecture is designed for high availability with in-service software upgrade (ISSU) and Stateful Switchover (SSO).
Modularity: The software is modular, allowing customers to enable only the features and functions they need.
Scalability: The software supports a wide range of hardware platforms, from fixed-configuration top-of-rack switches to large modular chassis-based systems.
Serviceability: The software includes comprehensive diagnostics and troubleshooting features.
This is a Denial of Service vulnerability in Cisco NX-OS Software, the network operating system for the Cisco Nexus family of data center switches. The flaw is due to improper processing of MPLS echo-request and echo-reply packets. An attacker could exploit it by sending malicious MPLS echo-request or echo-reply packets to an interface that is enabled for MPLS forwarding on the affected device.
The flaw allows an unauthenticated, remote attacker to cause the MPLS OAM process to crash and restart repeatedly, eventually resulting in a Denial of Service condition on the victim device. To exploit the flaw, the attacker needs one of two things: 1. Access to the MPLS domain of the victim device, or 2. The ability to get MPLS echo-request or echo-reply packets (UDP packets on port 3503) forwarded through the MPLS network under specific network conditions.
Associated CVE ID | CVE-2021-1588 |
Description | A Denial of Service Vulnerability in Cisco NX-OS Software |
Associated ZDI ID | – |
CVSS Score | 8.6 High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H |
Impact Score | – |
Exploitability Score | – |
Attack Vector (AV) | Network |
Attack Complexity (AC) | Low |
Privilege Required (PR) | None |
User Interaction (UI) | None |
Scope | Changed |
Confidentiality (C) | None |
Integrity (I) | None |
Availability (A) | High |
To understand the vulnerability, it helps to know what MPLS OAM is. MPLS OAM is a mechanism used to monitor and manage MPLS networks: it detects errors in the network, helps diagnose problems, and verifies the connectivity and performance of a label switched path (LSP). MPLS OAM provides two main functions, MPLS ping and MPLS traceroute. Both rely on the exchange of MPLS echo-request and echo-reply packets (UDP packets on port 3503).
“This vulnerability is due to improper input validation when an affected device processes these packet types. An attacker could exploit this vulnerability by generating malicious MPLS echo-request or echo-reply packets in a way that would allow them to reach an interface enabled for MPLS forwarding on the affected device. To achieve this, the attacker must have access to the same MPLS domain as the affected device or be able to get these types of UDP packets forwarded through the MPLS network under specific network conditions.”– CISCO
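The packet types the advisory refers to have a well-defined layout (RFC 8029, the LSP ping specification): a 32-byte fixed header followed by TLVs. The following parser and sanity checker is an added example, not code from the original post or from Cisco; it shows what a well-formed echo-request and echo-reply look like on UDP/3503, and how a receiver that validates lengths and field values refuses the kind of inconsistent input that a fuzzed echo packet carries. All sample packets are constructed inline; the port numbers, handle and prefix values are arbitrary.

```python
"""Parser and sanity checker for MPLS echo request / echo reply packets (LSP ping,
RFC 8029 section 3), the UDP/3503 traffic the advisory describes.

All packets below are constructed in this file; nothing here is captured from
a real device or taken from Cisco's advisory.
"""
import struct

MPLS_ECHO_PORT = 3503                 # UDP port for LSP ping (RFC 8029)
# version, global flags, message type, reply mode, return code, return subcode,
# sender's handle, sequence number, timestamp sent (sec, frac), timestamp received (sec, frac)
HEADER_FMT = "!HHBBBBIIIIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 32 bytes
MSG_TYPES = {1: "echo-request", 2: "echo-reply"}
REPLY_MODES = {1: "no-reply", 2: "udp", 3: "udp-router-alert", 4: "control-channel"}
TLV_NAMES = {1: "Target FEC Stack", 2: "Downstream Mapping", 3: "Pad"}
TARGET_FEC_STACK = 1


class MplsEchoError(ValueError):
    """Payload does not satisfy the RFC 8029 layout."""


def parse_mpls_echo(payload: bytes) -> dict:
    """Decode the fixed header and walk the TLVs, refusing anything inconsistent.

    Each length check is a place where a receiver that trusts the packet's own
    length fields instead of the buffer can be driven into a crash.
    """
    if len(payload) < HEADER_LEN:
        raise MplsEchoError(f"truncated header: {len(payload)} < {HEADER_LEN} bytes")
    (version, flags, msg_type, reply_mode, ret_code, ret_sub,
     handle, seq, _ts_s, _ts_f, _tr_s, _tr_f) = struct.unpack(HEADER_FMT, payload[:HEADER_LEN])
    if version != 1:
        raise MplsEchoError(f"unsupported version {version}")
    if msg_type not in MSG_TYPES:
        raise MplsEchoError(f"unknown message type {msg_type}")
    if reply_mode not in REPLY_MODES:
        raise MplsEchoError(f"unknown reply mode {reply_mode}")

    tlvs, off = [], HEADER_LEN
    while off < len(payload):
        if off + 4 > len(payload):
            raise MplsEchoError(f"TLV header truncated at offset {off}")
        t_type, t_len = struct.unpack("!HH", payload[off:off + 4])
        value = payload[off + 4:off + 4 + t_len]
        if len(value) != t_len:
            raise MplsEchoError(f"TLV type {t_type} claims {t_len} bytes, only {len(value)} present")
        tlvs.append({"type": t_type, "name": TLV_NAMES.get(t_type, "unknown"),
                     "length": t_len, "value": value})
        off += 4 + t_len + (-t_len % 4)   # TLVs are padded to a 4-byte boundary
    return {"message": MSG_TYPES[msg_type], "reply_mode": REPLY_MODES[reply_mode],
            "flags": flags, "return_code": ret_code, "return_subcode": ret_sub,
            "handle": handle, "sequence": seq, "tlvs": tlvs}


def classify(src_port: int, dst_port: int, payload: bytes) -> str:
    """Verdict for one UDP datagram, usable as the core of a detection rule or filter."""
    if MPLS_ECHO_PORT not in (src_port, dst_port):
        return "not-mpls-echo"
    try:
        pkt = parse_mpls_echo(payload)
    except MplsEchoError as exc:
        return f"malformed: {exc}"
    # Requests go to port 3503; replies come from it and go back to the requester's port.
    expected = "echo-request" if dst_port == MPLS_ECHO_PORT else "echo-reply"
    if pkt["message"] != expected:
        return f"suspicious: {pkt['message']} carried on the {expected} port"
    if expected == "echo-request" and not any(t["type"] == TARGET_FEC_STACK for t in pkt["tlvs"]):
        return "suspicious: echo-request without a Target FEC Stack TLV"
    return f"ok: {pkt['message']}"


def build_mpls_echo(msg_type: int, tlvs=(), reply_mode: int = 2, seq: int = 1) -> bytes:
    """Assemble a packet; used only to construct the samples below."""
    pkt = struct.pack(HEADER_FMT, 1, 0, msg_type, reply_mode, 0, 0, 0x1234, seq, 0, 0, 0, 0)
    for t_type, value in tlvs:
        pkt += struct.pack("!HH", t_type, len(value)) + value + b"\x00" * (-len(value) % 4)
    return pkt


# LDP IPv4 prefix sub-TLV (sub-type 1, length 5: prefix 10.0.0.1, /32, three zero bytes)
# wrapped in a Target FEC Stack TLV. Constructed sample data.
LDP_FEC_SUBTLV = struct.pack("!HH", 1, 5) + bytes([10, 0, 0, 1, 32]) + b"\x00" * 3
GOOD_REQUEST = build_mpls_echo(1, [(TARGET_FEC_STACK, LDP_FEC_SUBTLV)])
GOOD_REPLY = build_mpls_echo(2, [(TARGET_FEC_STACK, LDP_FEC_SUBTLV)])
# TLV length field (200) points far past the end of the datagram
BAD_TLV_LEN = GOOD_REQUEST[:HEADER_LEN] + struct.pack("!HH", TARGET_FEC_STACK, 200) + LDP_FEC_SUBTLV
# Version field set to 7 instead of 1
BAD_VERSION = b"\x00\x07" + GOOD_REQUEST[2:]

if __name__ == "__main__":
    for name, sport, dport, data in [("good request", 40000, MPLS_ECHO_PORT, GOOD_REQUEST),
                                     ("good reply", MPLS_ECHO_PORT, 40000, GOOD_REPLY),
                                     ("bad tlv length", 40000, MPLS_ECHO_PORT, BAD_TLV_LEN),
                                     ("bad version", 40000, MPLS_ECHO_PORT, BAD_VERSION),
                                     ("reply on request port", 40000, MPLS_ECHO_PORT, GOOD_REPLY)]:
        print(f"{name:22} -> {classify(sport, dport, data)}")
```

The useful operational observation is the last case in the list: because the advisory covers both echo-requests and echo-replies, a filter that only inspects traffic addressed to port 3503 misses crafted replies, which arrive from port 3503 to whatever source port the switch used. Any ACL or capture filter meant to confine MPLS OAM traffic to the trusted MPLS domain has to match both directions.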
The Cisco advisory says this Denial of Service vulnerability affects the following Cisco Nexus Switches if they are running a vulnerable version of Cisco NX-OS Software with the MPLS OAM feature enabled. Note: if the MPLS OAM feature is disabled, the switch is not affected.
Nexus 3000 Series Switches
Nexus 7000 Series Switches
Nexus 9000 Series Switches in standalone NX-OS mode
This vulnerability affects only devices on which the MPLS OAM feature is enabled, so the first step is to check whether MPLS OAM is enabled on your Cisco switches.
On Nexus 3000 and 9000 Series Switches, the MPLS OAM feature is disabled by default. On Nexus 7000 Series Switches, the MPLS OAM feature is also disabled by default, but it is automatically enabled if any MPLS feature is enabled on the device.
To verify the status of the MPLS OAM feature on these Cisco switches, issue these commands on the command line interface (CLI):
1. Nexus 3000 Series or 9000 Series Switches (an output line for mpls_oam with the state enabled means the feature is on):
nxos# show feature | include mpls_oam
2. Nexus 7000 Series Switches (any feature mpls line means an MPLS feature, and therefore MPLS OAM, is enabled unless it has been explicitly turned off):
nxos# show running-config | include "feature mpls"
3. Nexus 7000 Series Switches running Cisco NX-OS Software Release 8.3(2) (a no mpls oam line in the full running configuration means MPLS OAM has been explicitly disabled):
nxos# show running-config all | include "no mpls oam"
4. Nexus 7000 Series Switches running Cisco NX-OS Software Release 8.4(1) or later:
nxos# ping mpls
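When there are more than a handful of switches, the outputs of the checks above are usually collected centrally and triaged in bulk. The script below is an added example (not from the original post or from Cisco) that interprets the output of the commands listed above and turns it, together with the SMU table from the advisory, into a per-device action. The sample command outputs are constructed to match the column layout of show feature and the configuration lines named in the checks; they were not captured from a real device. The ping mpls check for Release 8.4(1) and later is not modelled because its output is not shown on this page.

```python
"""Triage Nexus switches for CVE-2021-1588 from collected CLI output.

Sample outputs are constructed for this example and the matching is deliberately
loose (feature name and state on the same line) because column spacing varies
between NX-OS releases. Platform tags n3k/n9k/n7k are this script's own labels.
"""

# Cisco bug ID CSCvx66765 SMUs listed in the advisory (Nexus 3000/9000 only)
SMUS = {
    "7.0(3)I7(9)": "nxos.CSCvx66765-n9k_ALL-1.0.0-7.0.3.I7.9.lib32_n9000.rpm",
    "9.3(7a)": "nxos.CSCvx66765-n9k_ALL-1.0.0-9.3.7a.lib32_n9000.rpm",
}
# Global-configuration command that removes the exploit vector, per platform
DISABLE_CMD = {"n3k": "no feature mpls oam", "n9k": "no feature mpls oam", "n7k": "no mpls oam"}


def n3k_n9k_oam_enabled(show_feature_output: str) -> bool:
    """Interpret 'show feature | include mpls_oam' (columns: name, instance, state)."""
    for line in show_feature_output.splitlines():
        fields = line.split()
        if fields and fields[0] == "mpls_oam" and fields[-1].lower() == "enabled":
            return True
    return False


def n7k_oam_enabled(feature_mpls_output: str, no_mpls_oam_output: str) -> bool:
    """Nexus 7000: MPLS OAM follows the MPLS feature state unless 'no mpls oam' is set.

    feature_mpls_output  : 'show running-config | include "feature mpls"'
    no_mpls_oam_output   : 'show running-config all | include "no mpls oam"' (Release 8.3(2))
    """
    mpls_enabled = any(l.strip().startswith("feature mpls") for l in feature_mpls_output.splitlines())
    explicitly_disabled = any(l.strip() == "no mpls oam" for l in no_mpls_oam_output.splitlines())
    return mpls_enabled and not explicitly_disabled


def triage(platform: str, release: str, oam_enabled: bool) -> dict:
    """Combine the feature state with the SMU table into a per-device action."""
    if not oam_enabled:
        return {"exposed": False, "action": "none now: MPLS OAM disabled; still schedule the upgrade"}
    smu = SMUS.get(release)
    disable = DISABLE_CMD[platform]
    if smu and platform in ("n3k", "n9k"):
        action = f"install SMU {smu}; until then apply '{disable}' if MPLS OAM is not required"
    else:
        action = (f"no SMU listed for {release}: upgrade to a fixed release; "
                  f"meanwhile apply '{disable}' if MPLS OAM is not required")
    return {"exposed": True, "action": action}


# Constructed sample outputs (not captured from real devices)
N9K_SHOW_FEATURE_ON = "mpls_oam               1          enabled\n"
N9K_SHOW_FEATURE_OFF = "mpls_oam               1          disabled\n"
N7K_FEATURE_MPLS = "feature mpls ldp\nfeature mpls l3vpn\n"
N7K_NO_OAM = "no mpls oam\n"

if __name__ == "__main__":
    inventory = [
        ("leaf-01", "n9k", "9.3(7a)", n3k_n9k_oam_enabled(N9K_SHOW_FEATURE_ON)),
        ("leaf-02", "n9k", "9.3(7a)", n3k_n9k_oam_enabled(N9K_SHOW_FEATURE_OFF)),
        ("core-01", "n7k", "8.3(2)", n7k_oam_enabled(N7K_FEATURE_MPLS, "")),
        ("core-02", "n7k", "8.3(2)", n7k_oam_enabled(N7K_FEATURE_MPLS, N7K_NO_OAM)),
    ]
    for host, platform, release, enabled in inventory:
        result = triage(platform, release, enabled)
        print(f"{host:8} exposed={result['exposed']!s:5} {result['action']}")
```

Note that the Nexus 7000 logic needs both outputs: the feature mpls line alone says MPLS is in use, and only the absence of no mpls oam from show running-config all (which includes default settings) confirms that OAM is actually active.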
Cisco also provides the Cisco Software Checker service to search for Cisco Security Advisories that apply to specific Cisco IOS, IOS XE, NX-OS, and NX-OS in ACI Mode software releases. We recommend using this tool to make sure no advisory affecting your releases is overlooked.
For example, to check the advisories for a Cisco Nexus 3000 Series Switch running NX-OS 7.0, select the Cisco operating system (NX-OS), the platform, and the NX-OS release versions from the drop-down lists and click Continue. Select the Advisory Impact Rating and click Continue again. You will see a list of Security Advisories That Affect This Release.
Cisco Software Checker Utility
Since the vulnerability lies in the MPLS OAM feature of vulnerable versions of Cisco NX-OS, attackers can exploit the flaw only if the MPLS OAM feature is enabled. The feature is disabled by default on the Nexus 3000 and 9000 Series Switches. It is disabled by default on Nexus 7000 Series Switches too, but there it is automatically enabled as soon as any MPLS feature is enabled on the device.
We suggest validating that the MPLS OAM feature is disabled on all affected devices. If it is found enabled and is not required, disable it until the device can be upgraded: disabling the MPLS OAM feature removes the exploit vector. Note that this is a workaround, not a fix; the vulnerable code is still present until the software is patched.
“Administrators can disable the MPLS OAM feature by using the Cisco NX-OS CLI global configuration mode command no feature mpls oam on Nexus 3000 Series Switches and Nexus 9000 Series Switches, or by using no mpls oam on Cisco Nexus 7000 Series Switches.”– CISCO
Cisco has addressed the CVE-2021-1588 vulnerability by releasing the following SMUs (Software Maintenance Upgrades), package files containing patches for vulnerabilities. Customers are asked to download the SMUs from the Cisco Software Center. Visit the Cisco Nexus 3000 Series Switches or Cisco Nexus 9000 Series Switches documentation to learn how to download and install these SMUs.
Cisco NX-OS Software Release | Platform | SMU Name |
---|---|---|
7.0(3)I7(9) | Nexus 3000 and 9000 Series Switches | nxos.CSCvx66765-n9k_ALL-1.0.0-7.0.3.I7.9.lib32_n9000.rpm |
9.3(7a) | Nexus 3000 and 9000 Series Switches | nxos.CSCvx66765-n9k_ALL-1.0.0-9.3.7a.lib32_n9000.rpm |
Cisco confirms that the following products are not affected by the CVE-2021-1588 flaw, so no action is required on them:
Firepower 1000 Series
Firepower 2100 Series
Firepower 4100 Series
Firepower 9300 Security Appliances
MDS 9000 Series Multilayer Switches
Nexus 1000 Virtual Edge for VMware vSphere
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
UCS 6200 Series Fabric Interconnects
UCS 6300 Series Fabric Interconnects
UCS 6400 Series Fabric Interconnects
We hope this post helps you understand how to fix CVE-2021-1588, a Denial of Service Vulnerability in Cisco NX-OS Software.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, penetration testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications, including CCNA, CCNA Security, RHCE, CEH, and AWS Security.