5 - cisco-sa-20171018-aaavty

A vulnerability in the authentication, authorization, and accounting (AAA) implementation of Cisco Firepower Extensible Operating System (FXOS) and NX-OS System Software could allow an unauthenticated, remote attacker to cause an affected device to reload.

The vulnerability occurs because AAA processes prevent the NX-OS System Manager from receiving keepalive messages when an affected device receives a high rate of login attempts, such as in a brute-force login attack. System memory can run low on the FXOS devices under the same conditions, which could cause the AAA process to unexpectedly restart or cause the device to reload.

An attacker could exploit this vulnerability by performing a brute-force login attack against a device that is configured with AAA security services. A successful exploit could allow the attacker to cause the affected device to reload.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

Note: Previous versions of this advisory recommended upgrading the Cisco NX-OS Software Release and configuring the login block-for CLI command to prevent this vulnerability. Cisco has since become aware that the login block-for CLI command may not function as desired in all cases. This does not apply to Cisco FXOS. Please refer to the Details ["#details"] section for additional information.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-aaavty ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171018-aaavty"]

BEGIN PGP SIGNATURE

iQKBBAEBAgBrBQJZ84ooZBxDaXNjbyBTeXN0ZW1zIFByb2R1Y3QgU2VjdXJpdHkg SW5jaWRlbnQgUmVzcG9uc2UgVGVhbSAoQ2lzY28gUFNJUlQga2V5IDIwMTYtMjAx NykgPHBzaXJ0QGNpc2NvLmNvbT4ACgkQrz2APcQAkHmY2RAAl39Jj9exTs9uqLCQ 5COdzvR6idO4aBuIbBOIv+P7+3bulsNCmtY6pcioyDKfhXjjPx5EZ4WI0vTf6dgW 5SQcn58GRz1DSDAGbWijUHDSa+J6tfBy3wRQWXKa/n7SwY3uo0lLP7LBm19PR5Mn TMd9xgJsZ6UE4oHSNUrSwgHsUXS8GJTZYh/gTv1afWCZqnX9GdtDCQzQxCxYVRjD z2kW+RDsbdSBH5NK+txJyiKDkGiqHXXleBMYlEo4DXmCDWn7xl6RWhx4Sr2Bmpfb az24fotbC2rlwSDitNLkYBX51s0XeHuJ/bYL8ohdV45+5PMhKLQ5GOqXT8Pw2u5Z cOc5AckgZxWYqwUYFxefWozslcSAW7hBGcgJ6YO7VPVTyi0R5RaWbeDMCi1eCrZb xpAstH/MkNbq38QFuDcK7caXYFuj3sKmrYPyawWm6w/YAdHnIgnDEHwIQO6rRyGe Vj5mO50XCBe5GGkyZnueTiL2fdEo4DXVlbFFPRSvljGHsv6upyk4WLtCrgeWbaoK ZSFB6l7JlK4PeehGlUcFRaAlfhJtPty080ODOg161a9GenmugrDSm64TawQSF3Sr e8FRM4QTZC/30cv/JK3AuzvnIfiOPHEkSTl4ihLX6DDnTfPUu+lSEyTn0yhKFTDN 12Gg5HdbneWl673TDM+v6Plpaz8= =NC4o END PGP SIGNATURE

_______________________________________________ cust-security-announce mailing list cust-security-announce@cisco.com To unsubscribe, send the command "unsubscribe" in the subject of your message to cust-security-announce-leave@cisco.com