
Cisco Nexus Fabric Manager

Product
Developers: Cisco Systems
Date of the premiere of the system: 2016
Technology: Data Centers - Data Center Technology


The Cisco Nexus Fabric Manager system was introduced in March 2016 alongside a number of other Cisco technology innovations for data centers. Cisco Nexus Fabric Manager, through a web-based GUI, automates management of the full lifecycle of the network infrastructure, automatically preserves the working network configuration and, in the event of a failure, rolls back to that working configuration. The system builds a network infrastructure based on VXLAN technology and gives operators the ability to manage it, dynamically configuring switches to carry traffic along optimal routes. The tool also lets owners of a VXLAN-based network infrastructure quickly configure the corporate network and update all of its switches by installing a new software version with minimal manual action.

History

2024: Error found in Cisco product allows hackers to execute commands with administrator privileges

In early October, FSTEC issued a warning about critical error BDU:2024-07739[1], which allows a remote attacker to execute arbitrary code by sending specially crafted commands. The vulnerable product is the Nexus Dashboard Fabric Controller (Cisco NDFC), whose web interface did not neutralize special elements used in OS commands. This applies to all NDFC versions up to 11.5 (no fixes are expected for them) and to versions 12.0 to 12.2.2, in which the error is fixed. Cisco has not detected exploitation of this vulnerability, although its severity is rated 9.9 out of 10 on the CVSS scale.

It should be noted that the error was discovered by Cisco's own testing service, specifically by employee Nat Dunlap, who drew up the advisory. The error stems from insufficient filtering of IOS command-line special characters (IOS being the OS of Cisco devices) when REST API requests are processed. As a result, an attacker with minimal privileges is able to remotely inject IOS commands through the web interface and execute them on devices managed by Cisco NDFC.

"Any vulnerability poses a danger to Russian companies," Alexey Ryabinin, a leading specialist in the technical protection of confidential information at Cloud Networks, told TAdviser readers. "Let me remind you that this allows you to remotely read arbitrary files on the server, overwrite sensitive information, and destroy a certain container that will restart itself, causing a minor DoS. Since Cisco's products were previously very popular, and when implementing projects in the period up to 2022 this company's solutions were 'import-substituted' last, and after 2022, I believe, they still have not had time to migrate away from them, Russian companies need to pay attention to the fact that they may now have a gaping hole for attackers."

BDU:2024-07739 vulnerability could cause denial of service (DoS)

Indeed, Cisco products are still in use at Russian enterprises, only lightly shielded by domestic firewalls. Abandoning the American vendor's products has not been easy.

"Sales of Cisco equipment and licenses in Russia have not stopped," Konstantin Gorbunov, an expert on network threats and a web developer at the Security Code company, noted in a conversation with TAdviser. "Customers have retained the opportunity to purchase this vendor's products thanks to parallel import, which has gained popularity in recent years: sales go not directly to the client but first to a third party, a company that is not subject to sanctions and other restrictions. Therefore, a number of organizations outside the most regulated industries still use Cisco products, albeit at their own risk."

However, according to the expert, the popularity of Cisco products in Russia is declining. Back in 2022, the company blocked some devices and cloud services for customers from Russia, and in 2023 it decided to liquidate its Russian legal entity, destroying equipment stocks worth 1.86 billion rubles in the process. Moreover, the discovery of such errors and the inability to fix them properly, since the company has refused to support Russian customers, should push users to abandon vulnerable products. Cisco itself wrote that there is no way to protect against the error other than installing the corresponding update.

However, FSTEC's own experts recommend that, if the update cannot be installed, the following measures be taken:

  • Use a web application firewall to block attempts to exploit the vulnerability.
  • Create and enforce a whitelist of IP addresses from which users may access the platform, filtering all other connections.
  • Disable or completely delete unused user accounts.
  • Use virtual private networks (VPN) to organize remote access to the platform.

"To protect corporate devices from attacks through the REST API, you can use different approaches and combinations of them," Alexander Chicailo, a leading specialist in the application protection expertise group at Positive Technologies, told TAdviser readers. "First of all, you must define a valid perimeter for the use of the devices. If they are used only within the company, it is unacceptable to expose them to the Internet, at least directly. At a minimum, you need to filter access by known IP addresses or networks. It is also worth using corporate VPNs. These measures alone will already significantly reduce the potential risk."

In addition, when it comes to protecting a REST API, Alexander Chicailo distinguished two cases: in-house application development or, as with Cisco, the use of a third-party product. In the first case, secure development tools and practices (AppSec) must be built into the product creation cycle. The API should not be exposed to the security risks described in the OWASP Top 10 and the OWASP API Security Top 10, and this check must take place during testing. Apparently Cisco has such a check, since the error was after all revealed by an internal tester. It is also necessary to encrypt communications to prevent interception of sensitive information by an intermediary, and to update devices promptly to reduce the risk of compromise. In the second case, when the device must be reachable from outside and you cannot influence the development process, WAF-class protections should be used.

It should be noted that tools for securing API traffic now exist. They take over the processing of external requests to the API, check them for correctness and can, among other things, filter even command characters. It is possible that such a tool could be configured to filter injection of IOS operating system commands, which would solve the problem. However, such a solution may be less effective than replacing vulnerable, legacy Cisco devices.
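The flaw described above (IOS command-line special characters passing unfiltered from REST API parameters into OS commands) and the countermeasures mentioned on this page (an IP whitelist for platform access, API protection tools that validate requests and filter command characters) can be illustrated with a small request-screening routine placed in front of a management API. The following is an added example written for this article; it is not Cisco NDFC code, FSTEC tooling or any named product. The management networks, parameter names, allowed patterns and sample requests are all constructed assumptions.

```python
"""Request screening in front of a network-management REST API.

Added example (not Cisco or FSTEC code). Two independent checks are applied,
matching the two mitigations discussed on the page:
  1. the client's source address must belong to a management allowlist;
  2. every parameter must match a strict allow-list pattern and must not
     contain characters that separate, chain or redirect commands.
All networks, parameter names and sample requests below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Characters that delimit or redirect commands on IOS and Unix-style shells.
# Rejecting them is the "filter command characters" behaviour of API firewalls.
COMMAND_METACHARS = set(";|&`$<>\n\r")

# Strict allow-list patterns per API parameter (constructed for this example).
PARAM_PATTERNS = {
    "interface": re.compile(r"^(Ethernet|Loopback|Vlan|port-channel)\d+(/\d+){0,2}$"),
    "hostname": re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,62}$"),
    # VLAN IDs 1..4094
    "vlan_id": re.compile(r"^(?:[1-9]\d{0,2}|[1-3]\d{3}|40(?:[0-8]\d|9[0-4]))$"),
}

# Management networks allowed to reach the platform (constructed addresses).
MANAGEMENT_ALLOWLIST = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.0.2.10/32"),
]


@dataclass
class Verdict:
    allowed: bool
    reason: str


def source_allowed(client_ip, allowlist=MANAGEMENT_ALLOWLIST):
    """Return True if the client address falls inside any allowlisted network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in allowlist)


def validate_param(name, value):
    """Reject unknown parameters, command metacharacters, and off-pattern values."""
    pattern = PARAM_PATTERNS.get(name)
    if pattern is None:
        return Verdict(False, f"unknown parameter {name!r}")
    bad = sorted(COMMAND_METACHARS & set(value))
    if bad:
        # Denylist check first so the log line names the offending characters.
        return Verdict(False, f"{name}: command metacharacters {bad}")
    if not pattern.fullmatch(value):
        # fullmatch (not match/search) so trailing garbage cannot slip past '$'.
        return Verdict(False, f"{name}: does not match allowed pattern")
    return Verdict(True, "ok")


def screen_request(client_ip, params):
    """Apply the source check, then validate every parameter; first failure wins."""
    if not source_allowed(client_ip):
        return Verdict(False, f"source {client_ip} not in management allowlist")
    for name, value in params.items():
        verdict = validate_param(name, value)
        if not verdict.allowed:
            return verdict
    return Verdict(True, "ok")


# Constructed sample requests: (client address, parameters).
SAMPLE_REQUESTS = [
    ("10.20.0.5", {"interface": "Ethernet1/1"}),                  # legitimate
    ("10.20.0.5", {"interface": "Ethernet1/1 | show clock"}),     # pipe character
    ("198.51.100.7", {"interface": "Ethernet1/1"}),               # outside allowlist
    ("192.0.2.10", {"hostname": "leaf-01.dc1"}),                  # legitimate
    ("192.0.2.10", {"vlan_id": "4095"}),                          # out of range
    ("192.0.2.10", {"interface": "Ethernet1/1\nshow version"}),   # embedded newline
]


def screen_all(requests=SAMPLE_REQUESTS):
    """Screen each sample request and return the list of allow/deny decisions."""
    return [screen_request(ip, params).allowed for ip, params in requests]


if __name__ == "__main__":
    for (ip, params), decision in zip(SAMPLE_REQUESTS, screen_all()):
        print(f"{ip:>14} {params} -> {screen_request(ip, params).reason}")
```

The allow-list patterns alone would already reject the two injection-style samples; the separate metacharacter check is kept so that a denied request is logged with the exact characters that triggered it, which is what an operator tuning a WAF or API gateway needs. Such filtering sits in front of the product and does not change the vulnerable code, so, as the text notes, it is a stopgap rather than a substitute for the vendor's update.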
