Cisco NX-OS IP in IP Vulnerability affects Nexus Series Switches: Critical network security risk

Penetration testing services specialists have reported a high-severity vulnerability in the Cisco NX-OS network stack that could be exploited by unauthenticated malicious hackers to bypass certain security restrictions or cause denial of service (DoS) conditions on affected devices.

The vulnerability exists because affected devices unexpectedly decapsulate and process IP in IP packets destined for a locally configured IP address. Threat actors could exploit this flaw by sending a specially crafted IP in IP packet to the vulnerable device.

Multiple Cisco products running Cisco NX-OS software support IP in IP packet encapsulation and decapsulation when a tunnel interface is manually configured on the device using ipip tunnel mode and the appropriate tunnel source and tunnel destination. The device is not expected to decapsulate and process any IP in IP traffic that is not destined for that tunnel interface.

According to the report, successful exploitation would cause the affected device to unexpectedly decapsulate the IP in IP packet and forward the inner IP packet, which could allow IP packets to bypass the inbound access control lists configured on the affected device; hackers could also bypass other security boundaries defined elsewhere in the network, as penetration testing services specialists mentioned.
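As an added illustration (not code from Cisco or from the report), the following Python sketch shows how a defender could flag the traffic described above in captured packets: IP in IP (protocol 4) addressed to one of the device's own IP addresses but not matching any configured tunnel. The function names, the address inventory and the sample packets are assumptions constructed for this example.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IPv4-in-IPv4 encapsulation

def parse_ipv4(buf):
    """Return (proto, src, dst, payload) for an IPv4 packet, or None if malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    return buf[9], ipaddress.IPv4Address(buf[12:16]), ipaddress.IPv4Address(buf[16:20]), buf[ihl:]

def classify(packet, local_ips, tunnels):
    """Flag IP in IP aimed at a local address outside any configured tunnel.

    local_ips: set of IPv4Address owned by the device (assumed inventory data).
    tunnels:   set of (peer, local) pairs for configured ipip tunnel interfaces.
    """
    outer = parse_ipv4(packet)
    if outer is None:
        return "malformed"
    proto, src, dst, payload = outer
    if proto != IPPROTO_IPIP or dst not in local_ips:
        return "ignore"
    if (src, dst) in tunnels:
        return "expected-tunnel"
    inner = parse_ipv4(payload)
    if inner is None:
        return "alert: unexpected IP-in-IP, truncated inner header"
    # The inner addresses are what an inbound ACL matching the outer header never evaluates.
    return f"alert: unexpected IP-in-IP, inner {inner[1]} -> {inner[2]}"

def sample_header(proto, src, dst, payload=b""):
    """Build a minimal IPv4 header (checksum left at 0) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

# Constructed sample data using documentation address ranges (RFC 5737).
LOCAL = {ipaddress.IPv4Address("192.0.2.1")}
TUNNELS = {(ipaddress.IPv4Address("198.51.100.7"), ipaddress.IPv4Address("192.0.2.1"))}

if __name__ == "__main__":
    inner = sample_header(6, "203.0.113.5", "192.0.2.50")
    print(classify(sample_header(4, "203.0.113.9", "192.0.2.1", inner), LOCAL, TUNNELS))
```

Because the report states that no tunnel interface needs to be configured for a device to be affected, an empty tunnel set is a valid input: every IP in IP packet addressed to a local IP is then reported.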

In some scenarios, the vulnerability might cause the network stack process to crash and restart multiple times, leading to a reload of the affected device and a DoS condition. The company has already released software updates to address this vulnerability, although there are also some workarounds to mitigate the risk of exploitation.

As for vulnerable products, this flaw is present in multiple versions of Nexus switches; the full list is available on Cisco’s official website, penetration testing services specialists noted.

The report notes that it is not necessary to have an IP tunnel interface configured on the affected devices to exploit the vulnerability. Cisco UCS Fabric Interconnects are affected only when NetFlow monitoring is enabled on the device and a flow exporter profile is configured with a source IP address set for the exporter interface.
