Cisco NX-OS Software Unauthenticated Arbitrary File Actions Vulnerability [CVE-2021-1361]

CVE number = CVE-2021-1361

A vulnerability in the implementation of an internal file management service for Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode that are running Cisco NX-OS Software could allow an unauthenticated, remote attacker to create, delete, or overwrite arbitrary files with root privileges on the device.  

This vulnerability exists because TCP port 9075 is incorrectly configured to listen and respond to external connection requests. An attacker could exploit this vulnerability by sending crafted TCP packets to an IP address that is configured on a local interface on TCP port 9075. A successful exploit could allow the attacker to create, delete, or overwrite arbitrary files, including sensitive files that are related to the device configuration. For example, the attacker could add a user account without the device administrator knowing.

Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.

Vulnerable Products

This vulnerability affects the following Cisco products if they are running Cisco NX-OS Software Release 9.3(5) or Release 9.3(6):

  • Nexus 3000 Series Switches
  • Nexus 9000 Series Switches in standalone NX-OS mode

These devices are vulnerable by default.

To check a device, use the show sockets connection | include 9075 CLI command. If the command returns output, as shown in the following example, the device is vulnerable:

nexus# show sockets connection | include 9075
tcp LISTEN 0 32 * : 9075
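
When this check is run across many switches, note that | include 9075 matches any line containing that string, so the collected output still needs to be parsed for a real listener. The following is an added example, not part of the Cisco advisory or the original post. It assumes the socket line layout shown in the sample above, and the hostnames, releases and outputs in it are constructed.

```python
import re

# Releases the advisory names as affected.
AFFECTED_RELEASES = {"9.3(5)", "9.3(6)"}

def listeners_on_9075(cli_output):
    """Return the socket lines showing a TCP listener whose local port is exactly 9075."""
    hits = []
    for raw in cli_output.splitlines():
        # Collapse "* : 9075" into "*:9075" so address and port form one field.
        fields = re.sub(r"\s*:\s*", ":", raw.strip()).split()
        # Assumed layout, as in the advisory sample: proto state recv-q send-q local
        if len(fields) < 5 or not fields[0].lower().startswith("tcp"):
            continue  # skips the echoed prompt/command line and non-TCP rows
        if fields[1].upper() != "LISTEN":
            continue  # a session to a remote port 9075 is not a local listener
        if fields[4].rsplit(":", 1)[-1] == "9075":
            hits.append(raw.strip())
    return hits

def audit(inventory):
    """Map each hostname to (release_is_affected, listener_lines)."""
    return {
        host: (release in AFFECTED_RELEASES, listeners_on_9075(output))
        for host, (release, output) in inventory.items()
    }

# Constructed sample data: hostnames, releases and outputs are made up for illustration.
SAMPLE_INVENTORY = {
    "leaf-01": ("9.3(5)",
                "nexus# show sockets connection | include 9075\n"
                "tcp LISTEN 0 32 * : 9075\n"),
    "leaf-02": ("9.3(7)", ""),
    "leaf-03": ("9.3(4)",
                "tcp LISTEN 0 32 * : 19075\n"
                "tcp ESTAB 0 0 192.0.2.10:22 192.0.2.20:9075\n"),
}

if __name__ == "__main__":
    for host, (affected, lines) in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: affected_release={affected} listener_on_9075={bool(lines)}")
        for line in lines:
            print(f"    {line}")
```

The two signals are reported separately so that a listener seen on a release outside the advisory's list, or an affected release with no captured output, stands out for manual review.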


Using infrastructure access control lists (iACLs) to allow only strictly required management and control plane traffic that is destined to the affected device, as recommended in the Cisco Guide to Securing NX-OS Software Devices, would prevent remote exploitation of this vulnerability. Customers are advised to explicitly deny all TCP packets that are destined to a locally configured IP address with a destination port of 9075 as part of their iACLs. A customized control plane policing (CoPP) policy may also be used to drop all TCP port 9075 traffic that is destined to an affected device. 

Customers are advised to first evaluate the impact of configuration changes to the device and their security policy. Customers who are concerned about undesired or unexpected side effects are advised to contact their support organization before implementing configuration changes.

In addition, local exploitation of this vulnerability is possible if the NX-OS features bash or guestshell are enabled. There is no workaround or mitigation for a local attacker with valid device credentials; however, customers are advised to follow best practices for account management as outlined in the Cisco Guide to Securing NX-OS Software Devices – Use Authentication, Authorization, and Accounting.

Fixed Software

  • Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. 

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
