Attacker Value: Very High (2 users assessed)
Exploitability: Very Low (2 users assessed)
User Interaction: None
Privileges Required: None
Attack Vector: Network

Cisco Nexus 9000 Series Fabric Switches Application Centric Infrastructure Mode Default SSH Key Vulnerability

Disclosure Date: May 03, 2019

Description

A vulnerability in the SSH key management for the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user. The vulnerability is due to the presence of a default SSH key pair that is present in all devices. An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials. An exploit could allow the attacker to access the system with the privileges of the root user. This vulnerability is only exploitable over IPv6; IPv4 is not vulnerable.
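A default key pair "present in all devices" leaves a fleet-wide footprint: the same public key is authorized on every switch. The following added example (not from the advisory or this page) audits collected authorized_keys files for exactly that pattern; the device names and key blobs are constructed placeholders, and the fingerprint format is OpenSSH's SHA256 style.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(pubkey_line):
    """Return the OpenSSH-style SHA256 fingerprint of one authorized_keys line.
    Lines may carry a leading options field (e.g. 'no-pty,...'); the key type
    is the first token that starts with 'ssh-' or 'ecdsa-'."""
    tokens = pubkey_line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(("ssh-", "ecdsa-")) and i + 1 < len(tokens):
            blob = base64.b64decode(tokens[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("not an authorized_keys entry: %r" % pubkey_line)


def shared_keys(fleet, min_devices=2):
    """Map fingerprint -> sorted device names for every key authorized on at
    least `min_devices` devices. A key present on every device is the pattern
    a baked-in default key produces; per-operator keys stay device-specific."""
    seen = defaultdict(set)
    for device, authorized_keys in fleet.items():
        for line in authorized_keys.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            seen[fingerprint(line)].add(device)
    return {fp: sorted(devs) for fp, devs in seen.items() if len(devs) >= min_devices}


def fake_key(label):
    # Synthetic placeholder blob standing in for real key material; only its uniqueness matters.
    return "ssh-rsa " + base64.b64encode(b"placeholder-key-" + label).decode()


# Constructed sample: root's authorized_keys as collected from three switches (hypothetical names).
FLEET = {
    "leaf-1": fake_key(b"vendor-default") + " default\n" + fake_key(b"ops-alice") + " alice\n",
    "leaf-2": "# managed\n" + fake_key(b"vendor-default") + " default\n" + fake_key(b"ops-bob") + " bob\n",
    "spine-1": fake_key(b"vendor-default") + " default\n",
}

if __name__ == "__main__":
    for fp, devices in shared_keys(FLEET, min_devices=len(FLEET)).items():
        print("key %s is authorized on every device: %s" % (fp, ", ".join(devices)))
```

Any fingerprint reported for the whole fleet should be traced to a known owner; one that nobody provisioned is a candidate default key to remove.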

Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very Low
Technical Analysis

This requires IPv6 and particular settings to be enabled

## Vulnerable targets:

It’s not clear if the 9000v virtual switch is vulnerable but that is the easiest to target for now, since it does not need special hardware.

The setup is here: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/nx-osv/configuration/guide/b_Cisco_Nexus_9000v/b_Cisco_Nexus_9000v_chapter_011.html

NXOSV VM download

Downloading the ‘Vagrant’ image and running it with a basic Vagrantfile showed this output, which hung forever:

```
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Clearing any previously set forwarded ports...
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
    default: Adapter 1: nat
==> default: Forwarding ports...
    default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 127.0.0.1:2222
    default: SSH username: vagrant
    default: SSH auth method: private key
```

It seems you have to configure the virtual switch with a virtual serial port.

## VM Contents:

There are only a few EXT3 filesystems that have useful data in the VMDK image. I think the most interesting bits are going to be inside of nxos.9.2.2.bin which is perhaps decoded or interpreted by the kernel or bootloader. The boot screen in the VM looks like it uses a modified version of GRUB and the Linux kernel, though my current environment has insufficient memory to make it actually boot.

```
><fs> add-ro box-disk1.vmdk
><fs> run
><fs> list-filesystems
/dev/sda1: vfat
/dev/sda2: ext3
/dev/sda3: ext3
/dev/sda4: ext3
/dev/sda5: ext3
/dev/sda6: ext3
/dev/sda7: ext3
><fs> mount /dev/sda3 /
><fs> ls /
lost+found
><fs> mount /dev/sda1 /
><fs> ls /
EFI
><fs> mount /dev/sda2 /
><fs> ls /
lost+found
><fs> mount /dev/sda3 /
><fs> ls /
lost+found
><fs> mount /dev/sda4 /
><fs> ls /
nxos.9.2.2.bin
><fs> mount /dev/sda5 /
><fs> ls /
lost+found
><fs> mount /dev/sda6 /
><fs> ls /
ascii
bin
no-erase
><fs> mount /dev/sda7 /
><fs> ls /
lost+found
```

```
boot
cfglabel.sysmgr
debug
dme
licenses
linux
log
lost+found
```

I copied out the .bin file, which appears to be another filesystem.

```
><fs> mount /dev/sda4 /
><fs> copy-out /nxos.9.2.2.bin .

$ file nxos.9.2.2.bin
nxos.9.2.2.bin: DOS/MBR boot sector
$ binwalk ./nxos.9.2.2.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Netboot image, mode 2
1024          0x400           Microsoft executable, portable (PE)
17844         0x45B4          gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
2010881       0x1EAF01        MySQL ISAM index file Version 7
6283776       0x5FE200        gzip compressed data, maximum compression, from Unix, last modified: 2018-11-05 06:20:17
```
Technical Analysis

We still haven’t seen a PoC for this, likely because these switches are expensive and the firmware is paywalled. Further, the advisory returns a 503 right now, so here’s the archive.org link: https://web.archive.org/web/20190521004255/https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-nexus9k-sshkey

It’s interesting that this needs to be exploited over IPv6. However, it’s likely that a foothold in the target network or a tunnel through a compromised machine would allow access to this switch. These switches are used as part of SDN-based datacenters, so getting a foothold on a compromised server might allow an attacker to pivot to another subnet, VLAN, or cloud.

CVSS V3 Severity and Metrics

Base Score: 9.8 Critical
Impact Score: 5.9
Exploitability Score: 3.9
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • cisco

Products

  • nexus 93108tc-ex firmware 14.0(3d)
  • nexus 93120tx firmware 14.0(3d)
  • nexus 93128tx firmware 14.0(3d)
  • nexus 93180yc-ex firmware 14.0(3d)
  • nexus 9332pq firmware 14.0(3d)
  • nexus 9372px firmware 14.0(3d)
  • nexus 9372tx firmware 14.0(3d)
  • nexus 9396px firmware 14.0(3d)
  • nexus 9396tx firmware 14.0(3d)
  • nexus 9500 firmware 14.0(3d)
  • nexus 9504 firmware 14.0(3d)
  • nexus 9508 firmware 14.0(3d)
  • nexus 9516 firmware 14.0(3d)