Cisco Nexus 3600
cpe:2.3:o:cisco:nexus_3600_firmware:*:*:*:*:*:*:*
A denial-of-service vulnerability has been identified in the Ethernet VPN (EVPN) Layer 2 ingress packet processing of Cisco Nexus 3600 Platform Switches and Cisco Nexus 9500-R Series Switching Platforms. This vulnerability allows an unauthenticated, adjacent attacker to create a Layer 2 traffic loop by sending a stream of crafted Ethernet frames through the targeted device. The resulting loop can oversubscribe the bandwidth on network interfaces, causing all data plane traffic to be dropped. To stop active exploitation, manual intervention is required to halt the crafted traffic and reset all involved network interfaces.
Exploitation of this vulnerability can lead to a Layer 2 Virtual eXtensible LAN (VXLAN) traffic loop, causing a denial-of-service condition by oversubscribing network interface bandwidth and dropping all data plane traffic.
Cisco has released software updates to address this vulnerability. For guidance on determining which Cisco NX-OS Software release to upgrade to, consult the 'Recommended Releases' documents available for each Cisco Nexus Switch series. Instructions for downloading the fixed software can be found on the Cisco Support and Downloads page.