Cisco NX-OS Software Unauthenticated Arbitrary File Actions Vulnerability

A vulnerability in the implementation of an internal file management service for Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode that are running Cisco NX-OS Software could allow an unauthenticated, remote attacker to create, delete, or overwrite arbitrary files with root privileges on the device.  

This vulnerability exists because TCP port 9075 is incorrectly configured to listen and respond to external connection requests. An attacker could exploit this vulnerability by sending crafted TCP packets to an IP address that is configured on a local interface on TCP port 9075. A successful exploit could allow the attacker to create, delete, or overwrite arbitrary files, including sensitive files that are related to the device configuration. For example, the attacker could add a user account without the device administrator knowing.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

This advisory is available at the following link:

This advisory is part of the February 2021 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: February 2021 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.

Security Impact Rating: Critical

CVE: CVE-2021-1361


  • No Related Posts

Securing the Cisco IOS and IOS XE Software Layer 2 Traceroute Server

The Layer 2 (L2) traceroute utility identifies the L2 path that a packet takes from a source device to a destination device. Cisco IOS Software and Cisco IOS XE Software for Cisco Catalyst switches have inherited the L2 traceroute feature from Cisco CatOS Software. As such, this feature has been supported since Cisco IOS and IOS XE Software were first released. Cisco has confirmed that the L2 traceroute feature is not supported in Cisco IOS XR Software or Cisco NX-OS Software.

The L2 traceroute feature is enabled by default in Cisco IOS and IOS XE Software for Cisco Catalyst switches. Enabling the feature starts the L2 traceroute server, which is reachable through IPv4, listening on UDP port 2228. The following example shows the output of the show ip sockets command on a device that has the L2 traceroute feature enabled:

Switch#show ip sockets
Proto        Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17             0       2228   0   0   211   0 

By design, the L2 traceroute server does not require authentication, and it allows certain information about an affected device to be read, including the following:

  • Hostname
  • Hardware model
  • Configured interfaces
  • Configured IP addresses
  • VLAN database
  • MAC address table
  • Layer 2 filtering table
  • Cisco Discovery Protocol (CDP) neighbor information

Reading this information from multiple switches in the network could allow an attacker to build a complete L2 topology map of that network.

Customers are advised to secure the L2 traceroute server as described in the Recommendations section of this advisory.

This advisory is available at the following link:

Security Impact Rating: Informational


Multiple Issues in Cisco Small Business 250/350/350X/550X Series Switches Firmware and Cisco FindIT Network Probe

On June 3, 2019, SEC Consult, a consulting firm for the areas of cyber and application security, contacted the Cisco Product Security Incident Response Team (PSIRT) to report the following issues that they found in firmware images for Cisco Small Business 250 Series Switches:

  • Certificates and keys issued to Futurewei Technologies
  • Empty password hashes
  • Unneeded software packages
  • Multiple vulnerabilities in third-party software (TPS) components

Cisco PSIRT investigated each issue, and the following are the investigation results:

Certificates and Keys Issued to Futurewei Technologies

An X.509 certificate with the corresponding public/private key pair and
the corresponding root CA certificate were found in Cisco Small Business 250 Series Switches firmware. SEC Consult calls this the “House of Keys.” Both certificates are issued to
third-party entity Futurewei Technologies, a Huawei subsidiary.

The certificates and keys in question are part of the Cisco FindIT Network Probe that is bundled with Cisco Small Business 250, 350, 350X, and 550X Series Switches firmware. These files are part of the OpenDaylight open source package. Their intended use is to test the functionality of software using OpenDaylight routines. The Cisco FindIT team used those certificates and keys for their intended testing purpose during the development of the Cisco FindIT Network Probe; they were never used for live functionality in any shipping version of the product. All shipping versions of the Cisco FindIT Network Probe use dynamically created certificates instead. The inclusion of the certificates and keys from the OpenDaylight open source package in shipping software was an oversight by the Cisco FindIT development team.

Cisco has removed those certificates and associated keys from FindIT Network Probe software and Small Business 250, 350, 350X, and 550X Series Switches firmware starting with the releases listed later in this advisory.

Empty Password Hashes

The /etc/passwd file included in Cisco Small Business 250, 350, 350X, and 550X Series Switches firmware has empty password hashes for the users root and user.

The /etc/passwd file is not consulted during user authentication by Small Business 250, 350, 350X, and 550X Series Switches firmware. Instead, a dedicated alternate user database is used to authenticate users that log in to either the CLI or the web-based management interface of Small Business 250, 350, 350X, and 550X Series Switches.

A potential attacker with access to the base operating system on an affected device could exploit this issue to elevate privileges to the root user. However, Cisco is not currently aware of a way to access the base operating system on these switches.

Future firmware releases will replace the empty hashes with hashed, randomly generated passwords during initial boot.

Unneeded Software Packages

An attacker who gains access to the CLI of the base operating system may be able to misuse the gdbserver and tcpdump packages that are included in Cisco Small Business 250, 350, 350X, and 550X Series Switches firmware as part of the base operating system. Cisco is not currently aware of a way to access this part of the system on these switches.

Future firmware releases will not include the gdbserver and tcpdump packages.

Security Impact Rating: Informational


Missing wof.sys file causes Store Apps to Fail, When the Connector Cache is Enabled

Add the file C:WindowsSystem32driverswof.sys to the file, bootfile.txt.

1) Add a version to the OS layer

2) Edit the file, C:Program FilesUnideskUniservicebootfile.txt

3) At the end of the file add, exactly as written


4) Finalize the OS Layer

5) Enable the cache in the connector and test with the new OS layer version

With the file, wof.sys, in our bootfile the apps work. The Store should also work for any domain user that logs in.

A future fix, which will be in a release, will only apply to new Gold Images and the associated OS layer created from it. Thus it will not fix existing OS Layers.


Smarts NCM: Does NCM support a device hardware change?

Article Number: 503857Article Version: 3 Article Type: How To

Smarts Network Configuration Manager 9.4.2,Smarts Network Configuration Manager 9.4.1,Smarts Network Configuration Manager 9.3

Network Configuration Manager does not currently support changing device hardware from one model to another with history retention. For example, if a device is initially discovered as a Cisco IOS Switch and the hardware is updated to a Cisco IOS Router, the device must be removed from NCM. The history will be lost, and the device will need to be rediscovered.


XL710 Firmware Update Feature for NetScaler SDX Models 14xxx 40G and 25xxx 40G

The 10.5 64.x release is the first NetScaler SDX release to include the latest XL710 v5.04 firmware. Included with this firmware is a tool to automatically upgrade the XL710 firmware from its previous version of v4.53.

Thus when the customer performs an SDX Upgrade to the 10.5-64.x Platform Image, then as part of the software upgrade the XL710 firmware will be upgraded to v5.04.

Although 10.5 64.x was the first release to include this feature, it has now been included in the following releases:

  • 10.5 64.x (and later)
  • 11.1 50.x (and later)

Firmware Requirement to stay at 10.5-64.x (or later)

The new 5.04 version of the XL710 firmware enables new functionality such as the L2 Mode feature. However users should be aware that there is no downgrade back to v4.53. For SDX this means that users can not go back (through the CleanInstall mechanism) to releases previous to 10.5-64.x.

Users must wait for the next release of 10.5 or 11.x in order to Upgrade.

Factory Reset

If, after Upgrading the Platform to 10.5-64.x, the user then decides to perform a ‘Factory Reset’ operation, then the SDX system will be reset to its factory shipping version. However, a safety feature will be deployed, stopping the factory driver & firmware from a version mismatched. This feature causes the XL710 NIC drivers to be disabled, and the NICs will not be shown in the SVM Interfaces section.

This situation is as expected. The user should then update the system to one of the following platform image releases:

– 10.5-64.x or later (Use either ‘CleanInstall’ or ‘Platform Upgrade’)

– 11.1 50.x or later (Use ONLY ‘CleanInstall’)

Doing so will match the correct version of driver and firmware together.

Extra Time required for Firmware Update

The firmware update of eight XL710 NICs adds the following extra time to the SDX Upgrade process:

23 minutes for 10.5

19 minutes for 11.x

Note: The update time for either XL710 40G NICs or X710 10G NICs is approximately the same. Thus the type of XL710 NIC does not impact the firmware update time, only the total number of NICs on your machine.