Cisco Nexus 9500 Series Switches Access Control List Bypass Vulnerability

A vulnerability in the EtherChannel port subscription logic of Cisco Nexus 9500 Series Switches could allow an unauthenticated, remote attacker to bypass access control list (ACL) rules that are configured on an affected device.

This vulnerability is due to oversubscription of resources that occurs when applying ACLs to port channel interfaces. An attacker could exploit this vulnerability by attempting to access network resources that are protected by the ACL. A successful exploit could allow the attacker to access network resources that would be protected by the ACL that was applied on the port channel interface.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nexus-acl-vrvQYPVe

This advisory is part of the August 2021 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: August 2021 Cisco FXOS and NX-OS Software Security Advisory Bundled Publication.

Security Impact Rating: Medium

CVE: CVE-2021-1591


SDWAN does not support "MSS Clamping" on PPPoE Internet services (before version 11.3.1), which causes some external web pages to fail to load

This happens because the SDWAN PPPoE link does not support MSS clamping before version 11.3.1.

What is MSS Clamping?

1. On a PPPoE link an additional 8 bytes (a 6-byte PPPoE header plus the 2-byte PPP protocol field) are inserted into every frame. A full-size 1500-byte IP packet therefore becomes 1508 bytes and no longer fits the 1500-byte MTU of the underlying Ethernet link, so a TCP segment carrying the usual 1460-byte payload (the MSS for a 1500-byte MTU) would have to be fragmented.

2. In most cases, however, the DF (Don't Fragment) bit is set, so the packet must not be fragmented. The PPPoE router should then send an ICMP "Fragmentation Needed" message (Type 3, Code 4) back to the originating client or server, which should retransmit the data in smaller segments (path MTU discovery).

3. That ICMP message is frequently dropped by a firewall, in which case path MTU discovery fails silently: the large segments are discarded, the sender keeps retransmitting them, and the page never finishes loading. A more robust solution is for the PPPoE router to rewrite the MSS option in the TCP SYN and SYN-ACK so that every segment fits the PPPoE link's MTU. This is called MSS clamping; for a 1500-byte underlying MTU the clamped MSS is 1452 bytes (1500 - 8 - 20 - 20).
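As an added illustration (not part of the original article and not Citrix SD-WAN code), the following Python does what a clamping PPPoE router does to a TCP SYN: it walks the TCP options, lowers an MSS that exceeds the link limit (1452 for a 1500-byte Ethernet MTU minus 8 bytes of PPPoE/PPP overhead and 20 bytes each of IPv4 and TCP header) and recomputes the TCP checksum over the pseudo-header. The SYN segment and the addresses 192.0.2.10 and 198.51.100.20 are constructed for the example.

```python
"""MSS clamping of a TCP SYN for a PPPoE link (standalone illustration)."""
import struct

PPPOE_OVERHEAD = 8          # 6-byte PPPoE header + 2-byte PPP protocol field
IPV4_HEADER = 20
TCP_HEADER = 20
TCP_SYN = 0x02
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def mss_for_link(link_mtu: int = 1500) -> int:
    """Largest MSS that fits one frame on a PPPoE link carried over link_mtu (1452 for 1500)."""
    return link_mtu - PPPOE_OVERHEAD - IPV4_HEADER - TCP_HEADER


def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bytes:
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))   # protocol 6 = TCP


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """RFC 793 checksum over pseudo-header + segment with the checksum field zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~_ones_complement_sum(_pseudo_header(src_ip, dst_ip, segment) + zeroed)) & 0xFFFF


def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, segment) + segment) == 0xFFFF


def _options(segment: bytes):
    """Yield (kind, offset, length) for each TCP option; stop at EOL or a malformed option."""
    data_offset = (segment[12] >> 4) * 4
    i = TCP_HEADER
    while i < data_offset:
        kind = segment[i]
        if kind == OPT_EOL:
            return
        if kind == OPT_NOP:
            yield kind, i, 1
            i += 1
            continue
        if i + 1 >= data_offset:
            return                                  # truncated option
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            return                                  # bogus length, do not trust the rest
        yield kind, i, length
        i += length


def read_mss(segment: bytes):
    for kind, off, length in _options(segment):
        if kind == OPT_MSS and length == 4:
            return struct.unpack_from("!H", segment, off + 2)[0]
    return None


def clamp_mss(segment: bytes, max_mss: int, src_ip: bytes, dst_ip: bytes) -> bytes:
    """Return the segment with its MSS lowered to max_mss (only SYNs carry MSS); checksum recomputed."""
    if not segment[13] & TCP_SYN:
        return segment
    current = read_mss(segment)
    if current is None or current <= max_mss:
        return segment
    out = bytearray(segment)
    for kind, off, length in _options(segment):
        if kind == OPT_MSS and length == 4:
            struct.pack_into("!H", out, off + 2, max_mss)
    struct.pack_into("!H", out, 16, tcp_checksum(src_ip, dst_ip, bytes(out)))
    return bytes(out)


# Constructed sample: SYN from 192.0.2.10:40000 to 198.51.100.20:443 advertising MSS 1460.
SRC_IP = bytes([192, 0, 2, 10])
DST_IP = bytes([198, 51, 100, 20])


def build_syn(mss: int) -> bytes:
    # options: MSS, NOP, NOP, window scale 7, then padding to a 4-byte boundary
    opts = struct.pack("!BBH", OPT_MSS, 4, mss) + b"\x01\x01" + b"\x03\x03\x07" + b"\x00" * 3
    data_offset = (TCP_HEADER + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 0x1000, 0, data_offset << 4, TCP_SYN, 65535, 0, 0)
    seg = hdr + opts
    return seg[:16] + struct.pack("!H", tcp_checksum(SRC_IP, DST_IP, seg)) + seg[18:]
```

A clamping device applies the same rewrite to the SYN-ACK in the other direction, and a SYN whose MSS is already at or below the limit is forwarded untouched.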


Cisco Nexus 9000 Series Fabric Switches ACI Mode Link Layer Discovery Protocol Port Denial of Service Vulnerability

A vulnerability in the Link Layer Discovery Protocol (LLDP) for Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode could allow an unauthenticated, adjacent attacker to disable switching on a small form-factor pluggable (SFP) interface.

This vulnerability is due to incomplete validation of the source of a received LLDP packet. An attacker could exploit this vulnerability by sending a crafted LLDP packet on an SFP interface to an affected device. A successful exploit could allow the attacker to disable switching on the SFP interface, which could disrupt network traffic.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apic-lldap-dos-WerV9CFj

Security Impact Rating: Medium

CVE: CVE-2021-1231


Error: “Gateway is not Reachable” or Connection Goes Down After the VPN Tunnel is Established

  • The Citrix Virtual Adapter is registered as an Ethernet adapter. Starting with Windows 8, the Windows Connection Manager service (WCMSVC) disconnects lower-speed connections when an Ethernet adapter is present, because Ethernet is treated as more reliable and faster than other adapter types. As a result the Wi-Fi or 3G/4G adapter is disconnected. That adapter, however, is the one actually carrying traffic to the VPN gateway, so the VPN plug-in reports "Gateway is not reachable".


ICA Connection Stuck at "Connection in Progress" on StoreFront

A network trace captured while the endpoint attempts the ICA connection shows TCP SYN retransmissions to port 2598 (session reliability / CGP) on that server: the SYNs are never answered.

The VDA has two network adapters: Legacy and Synthetic. The ICA file the endpoint receives lists the IP address of the Legacy adapter, which is not routable from the external network, so the ICA connection fails.

The ICA file should carry an address the endpoint can reach from the Internet. The Legacy adapter is only needed for the initial boot-time communication with the PVS server, which is usually on the same subnet. If the gateway on the Legacy adapter is disabled and the connection is attempted again, the ICA file should now carry the Synthetic adapter's address.

By PVS design, the PVS Legacy NIC should hold a 169.254.x.x (APIPA link-local) address once boot has completed, and PVS uses the Synthetic adapter for communication with the PVS server from then on.
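The quickest way to confirm this diagnosis is to look at the Address= entries in the ICA file the endpoint downloaded. The following Python is an added example (not Citrix code and not part of the original article): it parses an ICA file, which is INI-formatted, and flags entries whose address is link-local (the 169.254.x.x Legacy-adapter case), RFC 1918 private, or unparsable, while leaving Gateway-ticketed addresses (the `;40;STA...` form) alone. The sample ICA file is constructed for the example.

```python
"""Flag ICA files whose server address an external endpoint cannot reach."""
import configparser
import ipaddress

# Constructed sample ICA file: the Desktop entry points at the VDA's Legacy
# adapter (an APIPA link-local address), which an external endpoint cannot route to.
SAMPLE_ICA = """\
[WFClient]
Version=2

[ApplicationServers]
Desktop=

[Desktop]
Address=169.254.12.34:2598
InitialProgram=#Desktop
"""

UNREACHABLE = ("link-local", "private", "invalid")


def ica_addresses(ica_text: str) -> dict:
    """Return {section: Address value} for every ICA section that carries an Address= key."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                       # keep key names exactly as written
    cp.read_string(ica_text)
    return {s: cp[s]["Address"] for s in cp.sections() if "Address" in cp[s]}


def classify_address(value: str) -> str:
    """Classify an Address= value as gateway-ticket, link-local, private, public or invalid."""
    if value.startswith(";"):
        return "gateway-ticket"               # ';40;STA...;ticket' form used via Citrix Gateway
    host = value.rsplit(":", 1)[0] if value.count(":") == 1 else value   # strip ':port' from IPv4
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "invalid"
    if ip.is_link_local:
        return "link-local"                   # 169.254.0.0/16: the PVS Legacy NIC case
    if ip.is_private:
        return "private"
    return "public"


def unreachable_entries(ica_text: str) -> list:
    """List (section, address, classification) for entries an external endpoint cannot reach."""
    found = []
    for section, address in ica_addresses(ica_text).items():
        kind = classify_address(address)
        if kind in UNREACHABLE:
            found.append((section, address, kind))
    return found
```

Run `unreachable_entries()` over the file saved from StoreFront; a link-local hit confirms the ICA file is advertising the Legacy adapter rather than the Synthetic one.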


How to Configure NetScaler VPX VLANs on a New NetScaler SDX Instance

This article describes how to configure a new NetScaler VPX instance on a NetScaler SDX when the default VLAN (Virtual Local Area Network) on your network differs from the default VLAN (VLAN 1) on the NetScaler appliance.

Background

By default, any VPX instance created through the SDX is placed in the default VLAN 1. In certain environments the VPX instance cannot communicate with other network resources until its default VLAN is changed to match the VLAN allowed on the switch port.

For example, an SDX with interfaces 10/2 and 10/3 connected to a Cisco switch trunk port whose allowed VLANs are 3 and 5 cannot communicate after instance creation, because the trunk does not carry VLAN 1 traffic.


Citrix Hypervisor 7.1 CU2 "This host does not appear to have any network interfaces" during fresh install of XenServer 7.1

During installation of XenServer 7.1 CU2 the NIC driver is not installed / does not work.

With Citrix Hypervisor 8.1 installed on the same hardware, the driver is installed out of the box with no issues.

Error Message: "This host does not appear to have any network interfaces. If interfaces are present you may need to load a device driver on the previous screen for them to be detected."

Integrated NIC 1: QLogic 2x1GE+2x10GE QL41264HMCU CNA

NIC Slot 7: QLogic 10GE 2P QL41112HxCU-DE Adapter


PVS vDisk Inconsistency: Replication Status Shows Error "Server Not Reachable" When NIC Teaming is Configured

• Verify whether NIC teaming is configured as Active-Active. If so, reconfigure it as Active-Passive.

Steps:

Open the network team configuration and check whether the team is Active-Active.

Verify which NICs are listed under Active Adapters and confirm that no Standby Adapters are configured.

Reconfigure the team so that both active and standby adapters are configured.

Note that NIC team configuration differs between adapter manufacturers; follow the vendor's configuration guide for the appropriate steps.

Reconfiguring NIC teaming may interrupt the network connection. Schedule the change so that production is not impacted.



• Verify the MTU setting of the NIC on all PVS servers

Replication status is exchanged between PVS servers over UDP on port 6895, so a communication failure on that port also breaks the replication status display.

Mismatched NIC MTUs on the PVS servers can block this UDP traffic. For example, if one server's NIC has an MTU of 1500 (the default) and the other has an MTU of 6000, UDP datagrams larger than 1500 bytes are lost: the server with the 6000-byte MTU sends a datagram of between 1500 and 6000 bytes as a single unfragmented frame, but the peer with the 1500-byte MTU cannot accept a frame of that size and drops it.

Check the MTU value on all PVS servers with:

netsh interface ipv4 show subinterface

If the MTUs differ between PVS servers, set them to the same value (the default of 1500 is recommended):

netsh interface ipv4 set subinterface "Ethernet" mtu=1500 store=persistent

Replace Ethernet with the NIC name on your PVS server.
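To compare the MTUs across a farm without reading each console by hand, the following Python (an added example, not Citrix code and not part of the original article) parses the output of `netsh interface ipv4 show subinterface` collected from each server, reports whether the chosen adapter's MTU is consistent, generates the corrective `netsh ... set subinterface` command for the outliers, and models why the mismatch only breaks one direction of the UDP exchange. The two netsh outputs are constructed for the example; the datagram model is deliberately simplified (sender fragments to its own MTU, receiver drops any frame larger than its MTU).

```python
"""Compare NIC MTUs across PVS servers and model why a mismatch drops UDP replication traffic."""

IPV4_HEADER = 20
UDP_HEADER = 8

# Constructed sample output of `netsh interface ipv4 show subinterface` from two PVS servers.
SAMPLE_NETSH = {
    "PVS01": """\
   MTU  MediaSenseState   Bytes In  Bytes Out  Interface
------  ---------------  ---------  ---------  -------------
4294967295                1          0     134578  Loopback Pseudo-Interface 1
  1500                1   12345678    9876543  Ethernet
""",
    "PVS02": """\
   MTU  MediaSenseState   Bytes In  Bytes Out  Interface
------  ---------------  ---------  ---------  -------------
4294967295                1          0     120044  Loopback Pseudo-Interface 1
  6000                1   22334455    1122334  Ethernet
""",
}


def parse_netsh_subinterfaces(output: str) -> dict:
    """Parse `netsh interface ipv4 show subinterface` output into {interface name: MTU}."""
    mtus = {}
    for line in output.splitlines():
        parts = line.split(None, 4)       # MTU, MediaSenseState, Bytes In, Bytes Out, Interface
        if len(parts) < 5 or not parts[0].isdigit():
            continue                       # header, separator or blank line
        mtus[parts[4].strip()] = int(parts[0])
    return mtus


def collect_mtus(netsh_by_server: dict, adapter: str) -> dict:
    """Return {server: MTU of adapter}; a server where the adapter is missing maps to None."""
    return {srv: parse_netsh_subinterfaces(out).get(adapter) for srv, out in netsh_by_server.items()}


def mtus_consistent(mtu_by_server: dict) -> bool:
    values = set(mtu_by_server.values())
    return len(values) == 1 and None not in values


def udp_datagram_fits(payload_len: int, sender_mtu: int, receiver_mtu: int) -> bool:
    """Simplified model: the sender fragments an IPv4/UDP datagram to its own MTU and the
    receiver's NIC drops any frame larger than its MTU. True if every piece arrives."""
    total = IPV4_HEADER + UDP_HEADER + payload_len
    largest_piece = min(total, sender_mtu)
    return largest_piece <= receiver_mtu


def fix_commands(mtu_by_server: dict, adapter: str, target_mtu: int = 1500) -> dict:
    """The netsh command to run on each server whose MTU deviates from target_mtu."""
    return {
        srv: f'netsh interface ipv4 set subinterface "{adapter}" mtu={target_mtu} store=persistent'
        for srv, mtu in mtu_by_server.items()
        if mtu != target_mtu
    }
```

With the sample data, a 3000-byte replication status datagram from PVS02 (MTU 6000) to PVS01 (MTU 1500) is dropped, while the same datagram from PVS01 to PVS02 arrives in fragments; that asymmetry is why the status shows the peer as unreachable even though basic connectivity between the servers works.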
