Cisco Nexus 9000 Series Fabric Switches Application Centric Infrastructure Mode Default SSH Key Vulnerability
Description
A vulnerability in the SSH key management for the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user. The vulnerability is due to a default SSH key pair that is present in all devices. An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials. An exploit could allow the attacker to access the system with the privileges of the root user. This vulnerability is only exploitable over IPv6; IPv4 is not vulnerable.
Ratings
- Attacker Value: Very High
- Exploitability: Very Low
Technical Analysis
This requires IPv6 and particular settings to be enabled

## Vulnerable targets:

It’s not clear if the 9000v virtual switch is vulnerable but that is the easiest to target for now, since it does not need special hardware.

The setup is here: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/nx-osv/configuration/guide/b_Cisco_Nexus_9000v/b_Cisco_Nexus_9000v_chapter_011.html

NXOSV VM download

Downloading the ‘Vagrant’ image and running it with a basic Vagrantfile showed this output, which hung forever:

```
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Clearing any previously set forwarded ports...
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
    default: Adapter 1: nat
==> default: Forwarding ports...
    default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 127.0.0.1:2222
    default: SSH username: vagrant
    default: SSH auth method: private key
```

It seems you have to configure the virtual switch with a virtual serial port.

## VM Contents:

There are only a few EXT3 filesystems that have useful data in the VMDK image. I think the most interesting bits are going to be inside of nxos.9.2.2.bin which is perhaps decoded or interpreted by the kernel or bootloader. The boot screen in the VM looks like it uses a modified version of GRUB and the Linux kernel, though my current environment has insufficient memory to make it actually boot.

```
><fs> add-ro box-disk1.vmdk
><fs> run
><fs> list-filesystems
/dev/sda1: vfat
/dev/sda2: ext3
/dev/sda3: ext3
/dev/sda4: ext3
/dev/sda5: ext3
/dev/sda6: ext3
/dev/sda7: ext3
><fs> mount /dev/sda3 /
><fs> ls /
lost+found
><fs> mount /dev/sda1 /
><fs> ls /
EFI
><fs> mount /dev/sda2 /
><fs> ls /
lost+found
><fs> mount /dev/sda3 /
><fs> ls /
lost+found
><fs> mount /dev/sda4 /
><fs> ls /
nxos.9.2.2.bin
><fs> mount /dev/sda5 /
><fs> ls /
lost+found
><fs> mount /dev/sda6 /
><fs> ls /
ascii
bin
boot
cfglabel.sysmgr
debug
dme
licenses
linux
log
lost+found
no-erase
><fs> mount /dev/sda7 /
><fs> ls /
lost+found
```

I copied out the .bin file, which appears to be another filesystem.

```
><fs> mount /dev/sda4 /
><fs> copy-out /nxos.9.2.2.bin .
$ file nxos.9.2.2.bin
nxos.9.2.2.bin: DOS/MBR boot sector
```

```
binwalk ./nxos.9.2.2.bin
--------------------------------------------------------------------------------
0             0x0             Netboot image, mode 2
1024          0x400           Microsoft executable, portable (PE)
17844         0x45B4          gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
2010881       0x1EAF01        MySQL ISAM index file Version 7
6283776       0x5FE200        gzip compressed data, maximum compression, from Unix, last modified: 2018-11-05 06:20:17
```
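As an added example (not from the assessment above, nor Cisco's code), here is the step that naturally follows a binwalk listing like the one above: a Python carver that walks every gzip magic offset in an image and keeps only those that inflate to a complete stream with a valid CRC32/ISIZE trailer, so chance byte matches that a signature-only scan reports are dropped. The firmware blob is a constructed stand-in, not nxos.9.2.2.bin.

```python
import gzip
import zlib
from typing import List, Tuple

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate: the header bytes a signature scanner keys on


def carve_gzip_members(blob: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (offset, compressed_length, decompressed_bytes) for each offset where a
    complete gzip stream really inflates. Chance occurrences of the magic bytes, which a
    signature-only scan would still report, fail the deflate/CRC32 check and are skipped."""
    members = []
    pos = 0
    while True:
        off = blob.find(GZIP_MAGIC, pos)
        if off == -1:
            break
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects the gzip wrapper
        try:
            data = d.decompress(blob[off:])
            if d.eof:  # header, deflate body and CRC32/ISIZE trailer all validated
                used = len(blob) - off - len(d.unused_data)
                members.append((off, used, data))
                pos = off + used  # resume after the member, never inside it
                continue
        except zlib.error:
            pass  # not a real stream at this offset; keep scanning
        pos = off + 1
    return members


def build_sample_image() -> bytes:
    """Constructed stand-in for a firmware blob (not nxos.9.2.2.bin): padding, a real gzip
    member, a stray magic sequence that is not a valid stream, then a second member."""
    first = gzip.compress(b"kernel-ish payload " * 8, mtime=0)
    second = gzip.compress(b"initramfs-ish payload " * 8, mtime=0)
    stray = GZIP_MAGIC + b"\x00" * 13  # plausible header, garbage body
    return b"\x00" * 1024 + first + b"\xff" * 64 + stray + b"\x7f" * 64 + second
```

On a real image, pass the file contents to `carve_gzip_members` and write each decompressed member out for further inspection; the stray header in the sample shows why decompression, not the magic bytes alone, decides what counts as a member.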
Technical Analysis
We still haven’t seen a PoC for this, likely because these switches are expensive and the firmware is paywalled. Further, the advisory returns a 503 right now, so here’s the archive.org link: https://web.archive.org/web/20190521004255/https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-nexus9k-sshkey
It’s interesting that this needs to be exploited over IPv6. However, it’s likely that a foothold in the target network or a tunnel through a compromised machine would allow access to this switch. These switches are used as part of SDN-based datacenters, so getting a foothold on a compromised server might allow an attacker to pivot to another subnet, VLAN, or cloud.
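The description and the assessment above pin down the exploitation signature: a root login authenticated by public key, arriving over IPv6 (IPv4 is not affected). As an added example (not from the page, Cisco, or the assessment's author), this Python check runs that signature over constructed OpenSSH-style log lines; the log format, addresses and fingerprints are assumptions, and the switch's own syslog format may differ.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# OpenSSH-style "Accepted" line. This format is an assumption for the example;
# the switch's own syslog format is not given on the page and may differ.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) "
    r"port (?P<port>\d+) ssh2(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)

# Constructed sample lines (addresses and fingerprints are made up, not real device output).
SAMPLE_LOG = """\
Accepted publickey for root from 2001:db8:0:1::10 port 51334 ssh2: RSA SHA256:c0nstructedFp1
Accepted password for admin from 192.0.2.40 port 52011 ssh2
Accepted publickey for root from 192.0.2.41 port 52012 ssh2: RSA SHA256:c0nstructedFp2
Accepted publickey for admin from 2001:db8:0:1::11 port 52013 ssh2: RSA SHA256:c0nstructedFp3
Accepted publickey for root from fe80::1%eth0 port 52014 ssh2: RSA SHA256:c0nstructedFp4
Failed publickey for root from 2001:db8:0:1::12 port 52015 ssh2: RSA SHA256:c0nstructedFp5
"""

def parse_accepted(line: str) -> Optional[Dict]:
    """Parse one successful-login line; return None for anything else (failures, noise)."""
    m = ACCEPTED_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def is_ipv6(src: str) -> bool:
    """True for IPv6 sources, tolerating a link-local scope suffix such as fe80::1%eth0."""
    try:
        return ipaddress.ip_address(src.split("%", 1)[0]).version == 6
    except ValueError:
        return False

def flag_root_ipv6_key_logins(log_text: str) -> List[Dict]:
    """Return accepted logins matching the advisory's exploitation signature:
    root, authenticated by public key, arriving over IPv6 (IPv4 logins are not affected)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_accepted(line)
        if rec is None:
            continue
        if rec["user"] == "root" and rec["method"] == "publickey" and is_ipv6(rec["src"]):
            hits.append(rec)
    return hits
```

Each hit carries the key fingerprint, so once the default key's fingerprint is known to the operator the check can be tightened from "any root key login over IPv6" to an exact match.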
CVSS V3 Severity and Metrics
General Information
Vendors
- cisco
Products
- nexus 93108tc-ex firmware 14.0(3d),
- nexus 93120tx firmware 14.0(3d),
- nexus 93128tx firmware 14.0(3d),
- nexus 93180yc-ex firmware 14.0(3d),
- nexus 9332pq firmware 14.0(3d),
- nexus 9372px firmware 14.0(3d),
- nexus 9372tx firmware 14.0(3d),
- nexus 9396px firmware 14.0(3d),
- nexus 9396tx firmware 14.0(3d),
- nexus 9500 firmware 14.0(3d),
- nexus 9504 firmware 14.0(3d),
- nexus 9508 firmware 14.0(3d),
- nexus 9516 firmware 14.0(3d)