Cisco Nexus 3000 and 9000 Series Switches IS-IS Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Intermediate System-to-Intermediate System (IS-IS) feature of Cisco NX-OS Software, specifically on Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode. The vulnerability allows an unauthenticated, adjacent attacker to cause the IS-IS process to restart unexpectedly, potentially leading to a device reload. The issue arises from insufficient input validation when parsing incoming IS-IS packets; an attacker could exploit it by sending crafted IS-IS packets to an affected device. Successful exploitation can disrupt IS-IS routing, causing a denial-of-service condition. To exploit this vulnerability, an attacker must be Layer 2-adjacent to the affected device.

Impact

Exploitation of this vulnerability causes the IS-IS process to restart unexpectedly, which can lead to the affected device reloading. This disruption creates a denial-of-service condition, causing temporary loss of network connectivity and routing functionality.

Remediation

Cisco has released free software updates to address this vulnerability. Customers with service contracts should obtain these updates through their usual channels. For those without service contracts, contact the Cisco Technical Assistance Center (TAC) for assistance. To determine the best Cisco NX-OS release for a Nexus switch, consult the Cisco NX-OS Recommended Releases document for the specific switch series.

Added: Aug 27, 2025, 5:41 PM
Updated: Aug 27, 2025, 5:41 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 4.9
remediation: 0.0
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.