Summary
A vulnerability in the bootloader of Cisco NX-OS Software could allow an unauthenticated attacker with physical access to an affected device, or an authenticated, local attacker with administrative credentials, to bypass NX-OS image signature verification.
This vulnerability is due to insecure bootloader settings. An attacker could exploit this vulnerability by executing a series of bootloader commands. A successful exploit could allow the attacker to bypass NX-OS image signature verification and load unverified software.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Affected Products
Vulnerable Products
This vulnerability affects the following Cisco products if they are running a release of Cisco NX-OS Software that includes a vulnerable BIOS version, regardless of device configuration:
- MDS 9000 Series Multilayer Switches (CSCwh76163)
- Nexus 3000 Series Switches (CSCwm47438)
- Nexus 7000 Series Switches (CSCwh76166)
- Nexus 9000 Series Fabric Switches in ACI mode (CSCwn11901)
- Nexus 9000 Series Switches in standalone NX-OS mode (CSCwm47438)
- UCS 6400 Series Fabric Interconnects (CSCwj35846)
- UCS 6500 Series Fabric Interconnects (CSCwj35846)
Note: This vulnerability is relevant only for Cisco MDS, Nexus, and UCS Fabric Interconnect platforms that support secure boot technology.
For information about which specific Cisco MDS, Nexus, and UCS Fabric Interconnect platforms support secure boot technology and the corresponding Cisco software releases that are vulnerable, see the Fixed Software section of this advisory.
Determine the Cisco NX-OS BIOS Version
To determine which Cisco NX-OS BIOS version is running, log in to the device, use the show version CLI command, and view the BIOS output line, as shown in the following example:
switch# show version | include BIOS
BIOS: version 01.11
BIOS compile time: 06/30/2023
For information about affected and fixed BIOS versions, see the Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Workarounds
There are no workarounds that address this vulnerability.
Fixed Software
Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Releases
Resolution of this vulnerability requires a BIOS update on affected Cisco MDS, Nexus, and UCS Fabric Interconnect platforms that are running Cisco NX-OS Software.
To upgrade the BIOS on Cisco MDS and Nexus standalone platforms, upgrade Cisco NX-OS Software on the affected devices with the install all CLI command or install a specific SMU as indicated in the Fixed Release table that follows. For more information, see the Cisco Nexus 9000 Series NX-OS Software Upgrade and Downgrade Guide, Release 10.4(x).
For Cisco Nexus 9000 Series Switches in ACI mode, upgrade to a fixed software release as shown in the Fixed Release table that follows. For more information, see the Cisco APIC Installation and ACI Upgrade and Downgrade Guide.
For Cisco UCS Fabric Interconnect platforms, upgrade to a fixed software release as shown in the Fixed Release table that follows. For more information for devices managed by UCS Manager (UCSM), see the Cisco UCS Manager Firmware Management Guide, Release 4.3. For more information for devices managed by Intersight, see the Cisco Intersight Managed Mode Configuration Guide.
Cisco recommends verifying the BIOS version for each platform after the upgrade has been completed.
Note: For Cisco MDS and Nexus standalone platforms, if the device was not previously upgraded by using the install all CLI command, the BIOS might not have been upgraded. Even if customers are running a fixed Cisco NX-OS Software release, they are advised to check the BIOS version and use the install all command to complete the BIOS upgrade, if applicable.
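The check described in the Determine the Cisco NX-OS BIOS Version section, and the post-upgrade verification recommended above, both come down to reading the "BIOS: version" line from show version output and comparing it numerically against the first fixed BIOS version for the platform. The following Python is an added example for doing that against captured output, not a Cisco tool or code from this advisory. Because the Fixed Release table is not reproduced on this page, the fixed BIOS version is a parameter the operator supplies; the sample output and the "01.12" threshold in the script are constructed placeholders, not real fixed versions. The script compares versions as integer tuples rather than strings, since a lexical comparison would rank "01.11" below "1.9".

```python
"""Check captured NX-OS `show version` output against a known-fixed BIOS version.

Added example: not Cisco code. The fixed BIOS version per platform must be taken
from the advisory's Fixed Release table and passed in; nothing here hard-codes it.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample in the `show version | include BIOS` format shown in the
# advisory. The version and compile time are illustrative, not from a real device.
SAMPLE_SHOW_VERSION = """\
BIOS: version 01.11
BIOS compile time: 06/30/2023
"""

# Matches only the "BIOS: version X.Y" line, not "BIOS compile time: ..."
BIOS_RE = re.compile(r"^\s*BIOS:\s+version\s+(\d+(?:\.\d+)*)\s*$", re.MULTILINE)


def parse_bios_version(show_version_output: str) -> Optional[str]:
    """Return the BIOS version string from `show version` output, or None if absent."""
    m = BIOS_RE.search(show_version_output)
    return m.group(1) if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    """Turn '01.11' into (1, 11) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def bios_is_fixed(show_version_output: str, first_fixed_bios: str) -> bool:
    """True when the device reports a BIOS at or above `first_fixed_bios`.

    `first_fixed_bios` is the per-platform value from the advisory's table.
    Raises ValueError when no BIOS line is present, so a missing line is never
    silently treated as fixed.
    """
    running = parse_bios_version(show_version_output)
    if running is None:
        raise ValueError("no 'BIOS: version' line found in show version output")
    return version_tuple(running) >= version_tuple(first_fixed_bios)


def check_fleet(outputs: Dict[str, str], first_fixed_bios: str) -> Dict[str, Optional[bool]]:
    """Map hostname -> True (fixed) / False (vulnerable BIOS) / None (no BIOS line, inspect manually).

    This deliberately keys on the BIOS version, not the NX-OS release: per the
    advisory, a device can run a fixed NX-OS release and still carry the old BIOS
    if `install all` was never used.
    """
    results: Dict[str, Optional[bool]] = {}
    for host, text in outputs.items():
        try:
            results[host] = bios_is_fixed(text, first_fixed_bios)
        except ValueError:
            results[host] = None
    return results


if __name__ == "__main__":
    # "01.12" is a placeholder threshold, not an actual fixed version from Cisco.
    print(bios_is_fixed(SAMPLE_SHOW_VERSION, "01.12"))
```

Feed check_fleet a mapping of hostname to the full show version text collected from each device, with the platform's first fixed BIOS version from the advisory table; any host that comes back None did not print a BIOS line and should be inspected by hand rather than assumed fixed.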
In the following table, the left column lists Cisco MDS, Nexus, and UCS Fabric Interconnect platforms. The middle column indicates the first BIOS version that includes the fix for this vulnerability. The right column indicates the corresponding first Cisco NX-OS Software release or SMU or Cisco UCS Software release that incorporates the fixed BIOS version.
1. Cisco has not released and will not release software updates for Cisco Nexus 92160YC-X Switches because this product has reached the End of Vulnerability/Security Support. Customers are advised to refer to End-of-Sale and End-of-Life Announcement for the Cisco Nexus N9K-C92160YC-X.
Note: Because this vulnerability is relevant only for Cisco MDS, Nexus, and UCS Fabric Interconnect platforms that support secure boot, legacy Cisco MDS, Nexus, and UCS Fabric Interconnect platforms that do not support secure boot are not listed in the table above.
The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
Exploitation and Public Announcements
- The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Source:
Cisco NX-OS Software Image Verification Bypass Vulnerability