Cisco Bug: CSCvi11291 - Cisco Nexus 9000 Fabric Switches ACI Mode Border Leaf Endpoint Learning Vulnerability

Last Modified

Dec 08, 2019

Products (22)

  • Cisco Nexus 9000 Series Switches
  • Cisco Nexus 9516 Switch
  • Cisco Nexus 9396PX Switch
  • Cisco Nexus 9396TX Switch
  • Cisco Nexus 93108TC-FX Switch
  • Cisco Nexus 93120TX Switch
  • Cisco Nexus 9504 Switch
  • Cisco Nexus 93108TC-EX Switch
  • Cisco Nexus 9372TX-E Switch
  • Cisco Nexus 9508 Switch

Known Affected Releases

12.3(1h) 13.1(2m) 13.1(2o) 13.1(2p)

Description (partial)

Symptom:
A vulnerability within the Endpoint Learning feature of Cisco Nexus 9000 Series Switches running in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an endpoint device in certain circumstances.

The vulnerability is due to improper endpoint learning when packets are received on a specific port from outside the ACI fabric and destined to an endpoint located on a border leaf when Disable Remote Endpoint Learning has been enabled. This can result in a Remote (XR) entry being created for the impacted endpoint that will become stale if the endpoint migrates to a different port or leaf switch. This results in traffic not reaching the impacted endpoint until the Remote entry can be relearned by another mechanism.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-nexus-aci-dos

Conditions:
At the time of publication, this vulnerability affected Cisco Nexus 9000 Series Fabric Switches in ACI mode that were running Cisco NX-OS ACI Software releases earlier than 12.2(4M), 13.1(2u), or 13.2(1l).
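An added inventory check, not part of this Cisco bug record, that compares a fabric's running NX-OS ACI release strings against the first fixed releases named in the Conditions text above. It assumes the release grammar major.minor(maintenance followed by an optional letter suffix) and reads "earlier than" per train; a release whose train has no fixed release listed here is reported as undetermined rather than guessed.

```python
import re
from typing import NamedTuple

# First fixed release per train, exactly as given in the Conditions text above.
FIXED_RELEASES = {
    "12.2": "12.2(4M)",
    "13.1": "13.1(2u)",
    "13.2": "13.2(1l)",
}

# Assumed grammar: major.minor(maintenance[letter suffix]) e.g. 13.1(2u), 12.2(4M)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([A-Za-z]*)\)$")


class AciVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    patch: str  # letter suffix, lower-cased; "" when absent

    @property
    def train(self) -> str:
        return f"{self.major}.{self.minor}"


def parse_version(text: str) -> AciVersion:
    """Parse an ACI release string; raises ValueError on unexpected input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ACI release string: {text!r}")
    major, minor, maint, patch = m.groups()
    return AciVersion(int(major), int(minor), int(maint), patch.lower())


def assess(running: str) -> str:
    """Return 'affected', 'fixed' or 'unknown-train' for one running release."""
    v = parse_version(running)
    fixed = FIXED_RELEASES.get(v.train)
    if fixed is None:
        return "unknown-train"
    # Tuple ordering compares the numeric fields first, then the suffix ("" < "a" < "b" ...).
    return "affected" if v < parse_version(fixed) else "fixed"


def assess_fabric(inventory: dict) -> dict:
    """Map each leaf name in a constructed {name: release} inventory to its status."""
    return {leaf: assess(release) for leaf, release in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = {"bleaf-101": "13.1(2p)", "bleaf-102": "13.1(2u)", "bleaf-103": "12.3(1h)"}
    for leaf, status in assess_fabric(sample).items():
        print(f"{leaf}: {status}")
```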