Cisco Nexus 9000
cpe:2.3:h:cisco:nexus_9000:*:*:*:*:*:*:*
A denial-of-service vulnerability has been identified in the SNMP subsystem of Cisco Nexus 9000 Series Fabric Switches operating in ACI mode. The vulnerability stems from improper processing of SNMP requests and allows an authenticated, remote attacker to cause a DoS condition on the affected device. Exploitation involves continuously sending SNMP queries to a specific MIB, which can lead to a kernel panic, causing the device to reload and disrupt service. The vulnerability affects SNMP versions 1, 2c, and 3. Exploitation through SNMPv1 or SNMPv2c requires a valid read-only SNMP community string, while SNMPv3 exploitation requires valid SNMP user credentials.
Exploitation of this vulnerability causes SNMPd processes to consume excessive memory, leading to an out-of-memory condition that triggers a kernel panic and a device reload, creating a denial-of-service situation.
Customers are advised to update AAA providers configured with IPv4 DNS names to an IPv4 address configuration. For those using IPv6, no workaround is available. Cisco has released software updates to address this vulnerability. To determine the best release for Cisco Nexus 9000 Series Switches, consult the Recommended Releases document available on the Cisco website.