
Unresolved DoS Vulnerability from Cisco Switch – CVE-2017-6655

Cisco data centre switches were found to have an unresolved vulnerability. It affects
Cisco NX-OS Software on the following Cisco devices when they are configured for FCoE:

- Multilayer Director Switches
- Nexus 7000 Series Switches
- Nexus 7700 Series Switches

More Information: CSCvc91729. Known Affected Releases: 8.3(0)CV(0.833). Known Fixed
Releases: 8.3(0)ISH(0.62), 8.3(0)CV(0.944), 8.1(1), 8.1(0.8)S0, 7.3(2)D1(0.47).

Description
A vulnerability in the Fibre Channel over Ethernet (FCoE) protocol implementation in Cisco
NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service
(DoS) condition when an FCoE-related process unexpectedly reloads.
The affected devices are switches that carry Fibre Channel over Ethernet. FCoE encapsulates
Fibre Channel frames inside Ethernet frames and relies on lossless Ethernet (Data Center
Bridging) to keep Fibre Channel's delivery guarantees, so storage and data traffic can share
the same network interface cards, cables and switches, which reduces the amount of equipment
a data centre needs. The vulnerability comes from the absence of proper validation of FCoE
frame padding. An attacker could exploit it by sending a stream of crafted FCoE frames to the
targeted device; a successful exploit causes a DoS condition that disrupts FCoE traffic passing
through the device. The attacker's machine must be directly connected to an FCoE interface on
the device running Cisco NX-OS Software, so the vulnerability cannot be triggered from a remote
host across a routed network.
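
The kind of structural check the description refers to, shown as an added example that is
neither Cisco's code nor part of the original post. The page does not say which check NX-OS
lacked, so this Python validator rejects the general class of mis-sized or mis-padded frames
by validating every length against the public FC-BB-5 encapsulation layout before any byte is
read. The sample frames are constructed here (MAC addresses, FC IDs and the SOF/EOF choices
are arbitrary, and the FC CRC field is left zero and is not verified).

```python
"""Structural validation of FCoE frames (FC-BB-5 encapsulation layout).

Illustrative example: it performs the layout checks a receiver must make before
handing the inner Fibre Channel frame to the FC stack. It is not Cisco's
implementation and does not claim to be the exact check CVE-2017-6655 lacked.
"""
import struct

FCOE_ETHERTYPE = 0x8906
VLAN_ETHERTYPE = 0x8100

ETH_HDR_LEN = 14          # dst(6) + src(6) + ethertype(2)
VLAN_TAG_LEN = 4
FCOE_HDR_LEN = 14         # version(4 bits) + reserved(100 bits) + SOF(1 byte)
FCOE_TRAILER_LEN = 4      # EOF(1 byte) + reserved(3 bytes)
FC_HDR_LEN = 24
FC_CRC_LEN = 4
FC_MAX_PAYLOAD = 2112
FC_MIN_FRAME = FC_HDR_LEN + FC_CRC_LEN
FC_MAX_FRAME = FC_HDR_LEN + FC_MAX_PAYLOAD + FC_CRC_LEN

# SOF/EOF codes as encoded in the FCoE header and trailer (FC-BB-5).
VALID_SOF = {0x28: "SOFf", 0x2D: "SOFi2", 0x35: "SOFn2", 0x2E: "SOFi3", 0x36: "SOFn3"}
VALID_EOF = {0x41: "EOFn", 0x42: "EOFt", 0x49: "EOFni", 0x50: "EOFa"}


class FcoeFrameError(ValueError):
    """Raised for any frame that must be dropped rather than processed."""


def parse_fcoe_frame(frame: bytes) -> dict:
    """Validate an Ethernet frame (FCS already stripped) carrying FCoE.

    Returns a dict describing the frame; raises FcoeFrameError on any
    structural problem. Each length is checked before the matching slice is
    read, so a short or mis-sized frame never causes an out-of-bounds read.
    """
    if len(frame) < ETH_HDR_LEN:
        raise FcoeFrameError("truncated Ethernet header")
    offset = 12
    ethertype = struct.unpack_from("!H", frame, offset)[0]
    offset += 2
    vlan = None
    if ethertype == VLAN_ETHERTYPE:
        if len(frame) < offset + VLAN_TAG_LEN:
            raise FcoeFrameError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlan = tci & 0x0FFF
        offset += VLAN_TAG_LEN
    if ethertype != FCOE_ETHERTYPE:
        raise FcoeFrameError(f"not FCoE: ethertype 0x{ethertype:04x}")

    # FCoE header, a minimal FC frame and the trailer must all fit.
    min_len = offset + FCOE_HDR_LEN + FC_MIN_FRAME + FCOE_TRAILER_LEN
    if len(frame) < min_len:
        raise FcoeFrameError(f"frame too short: {len(frame)} < {min_len}")

    version = frame[offset] >> 4
    if version != 0:
        raise FcoeFrameError(f"unsupported FCoE version {version}")
    sof = frame[offset + FCOE_HDR_LEN - 1]
    if sof not in VALID_SOF:
        raise FcoeFrameError(f"invalid SOF 0x{sof:02x}")
    fc_start = offset + FCOE_HDR_LEN

    # Everything between the FCoE header and the trailer is the FC frame.
    # FC frames are word-aligned, so a length that is not a multiple of 4
    # means the frame was mis-sized or padded incorrectly: reject it rather
    # than guess where the padding ends.
    fc_end = len(frame) - FCOE_TRAILER_LEN
    fc_len = fc_end - fc_start
    if fc_len % 4 != 0:
        raise FcoeFrameError(f"FC frame length {fc_len} is not a multiple of 4")
    if fc_len > FC_MAX_FRAME:
        raise FcoeFrameError(f"FC frame length {fc_len} exceeds {FC_MAX_FRAME}")

    eof = frame[fc_end]
    if eof not in VALID_EOF:
        raise FcoeFrameError(f"invalid EOF 0x{eof:02x}")
    # Stricter than the spec requires: reserved bytes after EOF must be zero.
    if any(frame[fc_end + 1:]):
        raise FcoeFrameError("non-zero reserved bytes after EOF")

    fc_frame = frame[fc_start:fc_end]
    return {
        "vlan": vlan, "sof": VALID_SOF[sof], "eof": VALID_EOF[eof],
        "fc_len": fc_len, "payload_len": fc_len - FC_HDR_LEN - FC_CRC_LEN,
        "r_ctl": fc_frame[0], "d_id": fc_frame[1:4].hex(),
        "s_id": fc_frame[5:8].hex(), "type": fc_frame[8],
    }


def build_fcoe_frame(payload: bytes, sof: int = 0x2E, eof: int = 0x42,
                     extra: bytes = b"") -> bytes:
    """Constructed sample frame (not a capture). The CRC field is left zero;
    `extra` appends raw bytes after the trailer to simulate a mis-padded frame."""
    eth = (bytes.fromhex("0efc00000001") + bytes.fromhex("0efc00000002")
           + struct.pack("!H", FCOE_ETHERTYPE))
    fcoe_hdr = bytes(13) + bytes([sof])
    # FC header: R_CTL, D_ID, CS_CTL, S_ID, TYPE, then the remaining 15 bytes zero.
    fc_hdr = (bytes([0x06]) + bytes.fromhex("010200") + b"\x00"
              + bytes.fromhex("010300") + bytes([0x08]) + bytes(15))
    fc_frame = fc_hdr + payload + bytes(FC_CRC_LEN)
    trailer = bytes([eof]) + bytes(3)
    return eth + fcoe_hdr + fc_frame + trailer + extra
```

The design point is that the frame's total length alone determines where the FC frame ends;
a receiver that trusts the length implied by the payload, or that reads the EOF before confirming
the frame is long enough, is exactly the kind of parser a stream of crafted frames can knock over.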

Impact
The switch series exposed to this DoS condition are widely used in organisations across many
industries and countries, and the FCoE traffic passing through an affected device is storage
traffic, so a successful attack disrupts every host that depends on it.

Best Practice
Zone-based segmentation is suggested here to lessen the DoS threat arising from the lack of
proper FCoE frame padding validation.

Used together with devices such as firewalls, routers and switches, zoning not only divides the
network into smaller, controllable areas but also controls access and traffic into each zone at
the interfaces until the appropriate access right is granted. Devices are configured to control
the flow of traffic on ingress interfaces, from the source towards the responding server, so
unwanted traffic can be filtered or dropped both before and after it enters a particular zone.

Dedicated zones (L2, L3, external) help protect the network from traffic that is not allowed
in a given zone. For instance, you can allow traffic entering from an L2 interface into an L2
zone, or from an L3 interface into an L3 zone, but not from an L2 interface into an L3 zone.

One caveat follows from the advisory itself: because the attacker must be directly connected
to an FCoE interface, the controls that matter are those at the FCoE-enabled ports. Restrict
which hosts are cabled into those ports, and upgrade to one of the fixed releases listed above;
segmentation reduces who can reach a vulnerable port but does not correct the frame parsing
flaw.

Source: https://blog.nexusguard.com/unresolved-dos-vulnerability-from-cisco-switch-cve-2017-6655
