
Cisco warns of critical SSH error in Nexus 9000 fabric switches

Cisco has warned that its Nexus 9000 fabric switches contain a critical vulnerability that lets an unauthenticated remote attacker log in to a vulnerable device over Secure Shell (SSH) and then administer it with root privileges.

Cisco rates the flaw 9.8 out of 10 on the CVSS scale, ZDNet writes. The problem stems from SSH key management in the Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software: the company inadvertently shipped a default SSH key pair in the devices, and an attacker who holds the private half of that pair can use it to authenticate by opening an SSH connection to the device over IPv6. The vulnerability cannot be exploited over IPv4.
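The security-relevant point here is that a key pair baked into a software image is identical on every device that runs that image, so the cheapest fleet-wide check is to look for one public key trusted by many devices. The Python below is an added example, not code from the article or from Cisco: it fingerprints OpenSSH public-key lines the way `ssh-keygen -l` does (SHA-256 over the decoded key blob, base64 without padding) and reports every fingerprint that appears on more than one device. The device names and key bytes are constructed placeholders, not real Nexus keys; in practice the input would be the authorized-keys lines collected from each device.

```python
"""Flag SSH public keys that are trusted by more than one device in a fleet.

Added example; not code from the article or from Cisco. A key pair shipped
inside a software image shows up as the same public key on every device
running that image, which is exactly what this check looks for.
"""
import base64
import hashlib
from collections import defaultdict


def openssh_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style fingerprint of one authorized_keys line.

    A line looks like 'ssh-ed25519 <base64 blob> [comment]'. OpenSSH prints
    'SHA256:' followed by the base64 of sha256(blob) with '=' padding removed.
    (For ssh-keyscan output, drop the leading hostname field first.)
    """
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError(f"not an OpenSSH public key line: {pubkey_line!r}")
    blob = base64.b64decode(fields[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(keys_by_device: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map fingerprint -> sorted device names, keeping only fingerprints
    trusted by two or more devices. Blank lines and '#' comments are skipped."""
    seen: dict[str, set[str]] = defaultdict(set)
    for device, lines in keys_by_device.items():
        for line in lines:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            seen[openssh_fingerprint(line)].add(device)
    return {fp: sorted(devs) for fp, devs in seen.items() if len(devs) > 1}


def _ed25519_line(raw32: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public-key line from 32 bytes.

    Wire format: uint32 length + key type, uint32 length + raw key bytes.
    The bytes here are constructed placeholders, not real curve points; that
    does not matter for fingerprinting, which only hashes the blob.
    """
    key_type = b"ssh-ed25519"
    blob = (len(key_type).to_bytes(4, "big") + key_type
            + len(raw32).to_bytes(4, "big") + raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample inventory: three switches share one "baked-in" key,
# each also has its own operator key, and the jump host trusts only its own.
BAKED_IN = _ed25519_line(bytes(range(32)), "baked-in@image")  # hypothetical
SAMPLE_KEYS = {
    "leaf-101": [BAKED_IN, _ed25519_line(b"\x01" * 32, "netops@leaf-101")],
    "leaf-102": [BAKED_IN, _ed25519_line(b"\x02" * 32, "netops@leaf-102")],
    "spine-201": ["# default account", BAKED_IN],
    "oob-jump": [_ed25519_line(b"\x03" * 32, "admin@oob-jump")],
}


def audit_sample() -> dict[str, list[str]]:
    """Run the shared-key check over the constructed sample inventory."""
    return find_shared_keys(SAMPLE_KEYS)


if __name__ == "__main__":
    for fingerprint, devices in audit_sample().items():
        print(f"{fingerprint} trusted by {len(devices)} devices: {', '.join(devices)}")
```

Any fingerprint reported by this check deserves a look at where the key came from; a key that an operator never enrolled but that every switch trusts is the signature of a default credential shipped in the image.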

The flaw was found by external security researcher Oliver Matula of ERNW Enno Rey Netzwerke. It affects Nexus 9000 Series Fabric Switches in ACI mode running a Cisco NX-OS Software release prior to 14.1(1i). There is no workaround; the only remedy is the software update Cisco has released, so Cisco advises customers to upgrade.

Other vulnerabilities

Matula also reported a medium-severity vulnerability in the Nexus 9000 ACI mode software that lets a local attacker with valid credentials abuse symbolic links to overwrite potentially sensitive system files.

Cisco NX-OS Software 14.1(1i) also fixes a high-severity privilege escalation vulnerability that lets a local attacker with valid administrator credentials for a device execute arbitrary NX-OS commands as root.

Finally, 14.1(1i) fixes a flaw in which NX-OS did not properly validate the TLS client certificates exchanged between components of an ACI fabric. An attacker holding a certificate trusted by the Cisco Manufacturing certificate authority, together with its private key, could present it as a valid certificate when connecting to a device. A successful exploit could give the attacker full control over all other components in the ACI fabric.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.