Cisco released patches for 34 flaws in its software including fixes for five critical arbitrary code execution vulnerabilities in FXOS, NX-OS and NX-API software.
All of the critical flaws have a CVSS score of 9.8 out of 10 and four of them affect the FXOS and NX-OS Cisco Fabric Services because FXOS/NX-OS "insufficiently validates header values in Cisco Fabric Services packets," according to the security notice. The last critical flaw affects the NX-API feature of NX-OS.
The NX-API vulnerability is caused by an incorrect input validation in the authentication module of the NX-API subsystem which can be exploited if an attacker were to send a crafted HTTP or HTTPS packet to the management interface of an affected system with the NX-API feature enabled.
One of the arbitrary code execution vulnerabilities affecting FXOS and NX-OS Software was the result of the affected software insufficiently validating header values in Cisco Fabric Services packets. As a result of the bug, a threat actor could cause a buffer overflow that would allow them to execute arbitrary code or cause a DoS condition.
Nineteen of the vulnerabilities were rated as High while the rest were rated as Medium and 12 of the vulnerabilities affected both FXOS and NX-OS, while the remaining only affect NX-OS.