Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1049
Views
25
Helpful
5
Replies

Thrangrycat Attacks.

Go to solution
Abdul Farooq
Level 1
Level 1

‎05-19-2019 06:41 AM

Hi,

 

Our Environment we are using Below Switches 

 

NEXUS 93108 TC

Nexus 93108tc-ex
NEXUS-9K

I want to know Nexus 9k series switches are Vulnerable to Thrangrycat Attacks.or Not ?

if it vulnerable mean how to solve ?

Kindly advise the resolution for the same.

 

 


 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎05-19-2019 07:21 AM - edited ‎05-19-2019 07:35 AM

Hello Abdul,

read the following document by Cisco Security advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot

 

 

In the list of affected devices I see the following line that may apply to your hardware in last column the first NX OS release with the bug fixed, in the middle the bug-id

 

Nexus 9K Fixed with 48p 10G BASE-T and 6p 40G/100G QSFP28 (N9K-C93108TC-EX) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)

 

Details are the following:

 

Details

 

  • An attacker will need to fulfill all the following conditions to attempt to exploit this vulnerability:

    • Have privileged administrative access to the device.
    • Be able to access the underlying operating system running on the device; this can be achieved either by using a supported, documented mechanism or by exploiting another vulnerability that would provide an attacker with such access.
    • Develop or have access to a platform-specific exploit. An attacker attempting to exploit this vulnerability across multiple affected platforms would need to research each one of those platforms and then develop a platform-specific exploit. Although the research process could be reused across different platforms, an exploit developed for a given hardware platform is unlikely to work on a different hardware platform.

     

    • There are no workarounds that address this vulnerability.

      Cisco Guide to Harden Cisco IOS Devices provides information about how to harden the device and secure management access. Implementing the recommendations in this document would reduce the attack surface for this vulnerability.

       

       

      I would recommend for the moment to verify that you have appropriately configured Harderning on your device.

      The bulletin also warns about the risks of the upgrade procedure to fix the bug.

       

      In most cases, the fix will require an on-premise reprogramming of a low-level hardware component that is required for normal device operation. A failure during this reprogramming process may cause the device to become unusable and require a hardware replacement. Customers are advised to consult the Release Note Enclosure for the Cisco bug relevant to their platform for the following information:

      1. Causes that could lead to a failure of the reprogramming process and cause the device to become unusable
      2. A platform-specific set of steps that are required to reprogram a device
      3. The procedure required to determine whether a given device is running an affected firmware version (that therefore must be fixed) or whether the device is already running a fixed firmware version

      The product release notes that are published with each platform-specific fixed software release will include more detailed information about items 2 and 3 in the preceding list. The product release notes should be considered the most up-to-date source of information about these items.

       

      My Notes:

      The attacker needs to know an account with privilege level to be able to perform the attack and needs to know platform specific information about low level programming that is platform specific.

       

      If you have configured all the best practices for Cisco device hardening you should be able to wait for the release of the fixed release of NX-OS. However, the release notes have to be read carefully because this SW upgrade could make the device unusable (in case it would require an RMA).

       

       

      Edit:

      as mentioned by Georg this vulnerability may take advantage of another one about webUI access described here

      https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-webui

       

      The bulletin mentions only IOS XE on the affected devices, however if my understanding is correct this can be avoided if you disable http and https server on the device.

      Router# show running-config | include ip http server|secure-server

ip http server
ip http secure-server

      The presence of either command in the device's configuration indicates that the HTTP Server feature is enabled.

      So if you disable both commands in your environment and you manage your switches via SSH only, this should be the workaround even if the bulletin says that there is no workaround. This is just my personal opinion and understanding.

       

       

      Hope to help

      Giuseppe

       

View solution in original post

5 Replies 5

Go to solution
Georg Pauwen
VIP
VIP

‎05-19-2019 07:12 AM - edited ‎05-19-2019 07:21 AM

Hello,

 

check the link below for affected devices and expected patch release dates...

 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot

 

In addition, the vulnerability works in conjunction with another one (see link below)...

 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-webui

Go to solution
marce1000
VIP
VIP

‎05-19-2019 07:14 AM

 

 - As usual your only trustworthy source or status w.r.t these problems will be CISCO or your reseller. In fact neither answer on this topic can be considered trustworthy as the source can not be verified.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎05-19-2019 07:21 AM - edited ‎05-19-2019 07:35 AM

Hello Abdul,

read the following document by Cisco Security advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot

 

 

In the list of affected devices I see the following line that may apply to your hardware in last column the first NX OS release with the bug fixed, in the middle the bug-id

 

Nexus 9K Fixed with 48p 10G BASE-T and 6p 40G/100G QSFP28 (N9K-C93108TC-EX) CSCvn77143 Cisco NX-OS Software Release 9.3(2) (Aug 2019)

 

Details are the following:

 

Details

 

  • An attacker will need to fulfill all the following conditions to attempt to exploit this vulnerability:

    • Have privileged administrative access to the device.
    • Be able to access the underlying operating system running on the device; this can be achieved either by using a supported, documented mechanism or by exploiting another vulnerability that would provide an attacker with such access.
    • Develop or have access to a platform-specific exploit. An attacker attempting to exploit this vulnerability across multiple affected platforms would need to research each one of those platforms and then develop a platform-specific exploit. Although the research process could be reused across different platforms, an exploit developed for a given hardware platform is unlikely to work on a different hardware platform.

     

    • There are no workarounds that address this vulnerability.

      Cisco Guide to Harden Cisco IOS Devices provides information about how to harden the device and secure management access. Implementing the recommendations in this document would reduce the attack surface for this vulnerability.

       

       

      I would recommend for the moment to verify that you have appropriately configured Harderning on your device.

      The bulletin also warns about the risks of the upgrade procedure to fix the bug.

       

      In most cases, the fix will require an on-premise reprogramming of a low-level hardware component that is required for normal device operation. A failure during this reprogramming process may cause the device to become unusable and require a hardware replacement. Customers are advised to consult the Release Note Enclosure for the Cisco bug relevant to their platform for the following information:

      1. Causes that could lead to a failure of the reprogramming process and cause the device to become unusable
      2. A platform-specific set of steps that are required to reprogram a device
      3. The procedure required to determine whether a given device is running an affected firmware version (that therefore must be fixed) or whether the device is already running a fixed firmware version

      The product release notes that are published with each platform-specific fixed software release will include more detailed information about items 2 and 3 in the preceding list. The product release notes should be considered the most up-to-date source of information about these items.

       

      My Notes:

      The attacker needs to know an account with privilege level to be able to perform the attack and needs to know platform specific information about low level programming that is platform specific.

       

      If you have configured all the best practices for Cisco device hardening you should be able to wait for the release of the fixed release of NX-OS. However, the release notes have to be read carefully because this SW upgrade could make the device unusable (in case it would require an RMA).

       

       

      Edit:

      as mentioned by Georg this vulnerability may take advantage of another one about webUI access described here

      https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-webui

       

      The bulletin mentions only IOS XE on the affected devices, however if my understanding is correct this can be avoided if you disable http and https server on the device.

      Router# show running-config | include ip http server|secure-server

ip http server
ip http secure-server

      The presence of either command in the device's configuration indicates that the HTTP Server feature is enabled.

      So if you disable both commands in your environment and you manage your switches via SSH only, this should be the workaround even if the bulletin says that there is no workaround. This is just my personal opinion and understanding.

       

       

      Hope to help

      Giuseppe

       

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to Giuseppe Larosa

‎05-19-2019 08:54 AM

Thanks for this detail, need to do some planning now quite a few devices on that list.
0 Helpful

Go to solution
Abdul Farooq
Level 1
Level 1
In response to Mark Malone

‎05-21-2019 02:46 AM

Thank you Team

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card