05-19-2019 06:41 AM
Hi,
In our environment we are using the switches below:
NEXUS 93108 TC
Nexus 93108tc-ex
NEXUS-9K
I want to know whether Nexus 9K series switches are vulnerable to the Thrangrycat attack or not.
If they are vulnerable, how do we solve it?
Kindly advise the resolution for the same.
05-19-2019 07:21 AM - edited 05-19-2019 07:35 AM
Hello Abdul,
Read the following Cisco Security Advisory:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot
In the list of affected devices I see the following line that may apply to your hardware; the last column gives the first NX-OS release with the bug fixed, the middle column the bug ID:
Nexus 9K Fixed with 48p 10G BASE-T and 6p 40G/100G QSFP28 (N9K-C93108TC-EX) | CSCvn77143 | Cisco NX-OS Software Release 9.3(2) (Aug 2019) |
Details are the following:
An attacker will need to fulfill all the following conditions to attempt to exploit this vulnerability:
There are no workarounds that address this vulnerability.
Cisco Guide to Harden Cisco IOS Devices provides information about how to harden the device and secure management access. Implementing the recommendations in this document would reduce the attack surface for this vulnerability.
I would recommend for the moment verifying that you have appropriately configured hardening on your device.
The bulletin also warns about the risks of the upgrade procedure to fix the bug.
In most cases, the fix will require an on-premise reprogramming of a low-level hardware component that is required for normal device operation. A failure during this reprogramming process may cause the device to become unusable and require a hardware replacement. Customers are advised to consult the Release Note Enclosure for the Cisco bug relevant to their platform for the following information:
The product release notes that are published with each platform-specific fixed software release will include more detailed information about items 2 and 3 in the preceding list. The product release notes should be considered the most up-to-date source of information about these items.
My Notes:
The attacker needs an account with sufficient privilege level to be able to perform the attack, and needs platform-specific knowledge of low-level programming.
If you have configured all the best practices for Cisco device hardening you should be able to wait for the release of the fixed release of NX-OS. However, the release notes have to be read carefully because this SW upgrade could make the device unusable (in case it would require an RMA).
Edit:
as mentioned by Georg this vulnerability may take advantage of another one about webUI access described here
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-webui
The bulletin lists only IOS XE among the affected devices; however, if my understanding is correct, this can be avoided by disabling the HTTP and HTTPS server on the device.
Router# show running-config | include ip http server|secure-server
ip http server
ip http secure-server
The presence of either command in the device's configuration indicates that the HTTP Server feature is enabled.
So if you disable both commands in your environment and manage your switches via SSH only, this should be the workaround, even if the bulletin says that there is no workaround. This is just my personal opinion and understanding.
Hope this helps
Giuseppe
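As an added example, not code from this thread or from Cisco, here is a small Python triage script that applies the two checks discussed in the answer above: it compares a device's running NX-OS release against the first fixed release in the advisory row quoted for the N9K-C93108TC-EX (CSCvn77143, 9.3(2)), and it parses an IOS XE running-config for the `ip http server` / `ip http secure-server` lines. The fixed-release table contains only that one quoted row; the model, version and running-config values used are constructed for illustration, and the treatment of a missing HTTP line as "not enabled" is an assumption to confirm against the device.

```python
"""Triage helper for the two checks discussed in the thread (added example,
not Cisco code).

1. Is the running NX-OS release older than the first fixed release in the
   advisory row quoted above (N9K-C93108TC-EX -> CSCvn77143 -> 9.3(2))?
2. Does an IOS XE running-config enable the HTTP server feature?
"""
import re
from typing import Dict, Optional, Tuple

# Only the row quoted in the thread. Other platforms must be copied from the
# Cisco advisory itself; nothing beyond that one row is asserted here.
FIXED_RELEASES: Dict[str, Tuple[str, str]] = {
    "N9K-C93108TC-EX": ("CSCvn77143", "9.3(2)"),
}

_NXOS_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)([a-z]*)\)")


def parse_nxos_version(version: str) -> Tuple[int, int, int, str]:
    """Turn '9.2(3)' into (9, 2, 3, '') and '9.3(2a)' into (9, 3, 2, 'a').

    Tuples compare element by element, so 9.2(3) < 9.3(2) < 9.3(2a), which
    matches the order in which releases and their rebuilds ship."""
    m = _NXOS_VERSION_RE.fullmatch(version.strip())
    if m is None:
        raise ValueError(f"unrecognised NX-OS version string: {version!r}")
    major, minor, maint, rebuild = m.groups()
    return int(major), int(minor), int(maint), rebuild


def needs_upgrade(model: str, running: str) -> Optional[bool]:
    """True if the model is in the table and runs something older than the
    fixed release, False if it already runs the fix, None if the model is
    not in the (single-row) table."""
    entry = FIXED_RELEASES.get(model)
    if entry is None:
        return None
    _bug_id, fixed = entry
    return parse_nxos_version(running) < parse_nxos_version(fixed)


# IOS XE renders a disabled server as 'no ip http server', and the
# 'show running-config | include ip http server|secure-server' check from
# the thread matches that line too, so the 'no ' prefix must be inspected
# rather than relying on the line merely being present.
_HTTP_LINE_RE = re.compile(r"^(no\s+)?ip http (server|secure-server)$")


def http_server_state(running_config: str) -> Dict[str, bool]:
    """Map each HTTP server command to whether the config enables it.

    Assumption: a command that does not appear at all is reported as not
    enabled; confirm platform defaults on the device itself."""
    state = {"ip http server": False, "ip http secure-server": False}
    for raw in running_config.splitlines():
        m = _HTTP_LINE_RE.match(raw.strip())
        if m:
            state[f"ip http {m.group(2)}"] = m.group(1) is None
    return state


# Constructed sample config: one server on, the other explicitly off,
# management restricted to SSH on the VTY lines.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
ip http server
no ip http secure-server
!
line vty 0 4
 transport input ssh
"""


def triage(model: str, running: str, running_config: str) -> Dict[str, object]:
    """Combine both checks into one report for a single device."""
    return {
        "model": model,
        "needs_upgrade": needs_upgrade(model, running),
        "http_server": http_server_state(running_config),
    }


if __name__ == "__main__":
    # Hypothetical inventory values, not taken from the thread.
    print(triage("N9K-C93108TC-EX", "9.2(3)", SAMPLE_CONFIG))
```

Feed `triage()` the model string from the device's inventory, the release from `show version`, and a saved running-config; a `needs_upgrade` of `None` means the model is simply not in the one-row table and must be looked up in the advisory directly.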
05-19-2019 07:12 AM - edited 05-19-2019 07:21 AM
Hello,
check the link below for affected devices and expected patch release dates...
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot
In addition, the vulnerability works in conjunction with another one (see link below)...
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-webui
05-19-2019 07:14 AM
- As usual, your only trustworthy source for status w.r.t. these problems will be Cisco or your reseller. In fact, neither answer in this topic can be considered trustworthy, as the source cannot be verified.
M.
05-21-2019 02:46 AM
Thank you Team