A vulnerability in the handling of incoming Layer 2 packets tagged with a Cisco Nexus 9000 Series Switch (N9K) reserved VLAN number could allow an unauthenticated, adjacent attacker to cause a partial denial of service (DoS) condition due to increased CPU utilization and possible control plane instability. In addition, Layer 2 packets, which should be dropped by the switch, may be incorrectly forwarded to the connected interfaces.

The vulnerability is due to lack of validation of the VLAN number in the Layer 2 packet. An attacker could exploit this vulnerability by sending a crafted Layer 2 packet tagged with an N9K reserved VLAN number. An exploit could allow the attacker to cause a partial DoS condition due to increased CPU utilization and possible control plane instability. In addition, this packet should be dropped by the N9K, but could be forwarded to the attached networks.

Cisco has confirmed the vulnerability; however, updates are not available.

To exploit the vulnerability, an unauthenticated attacker would need access to the local network. This restriction reduces the potential for exploitation.

Leave a Reply