Vulnerabilities of Cisco Network Devices
Cisco NX-OS and FXOS: 33 New Vulnerabilities Detected in One Week
In previous weeks, a series of security bulletins were published reporting the discovery of 29 vulnerabilities affecting the Cisco NX-OS operating system and four vulnerabilities in the FXOS firmware. Although no active attacks exploiting these security flaws have been reported so far, it is crucial to know whether any of them are present in our network.
What Risks Do the Discovered Vulnerabilities in Cisco NX-OS and FXOS Operating Systems Pose?
Cisco NX-OS is the operating system of Cisco Nexus and MDS switches, which are widely used in large data centers, while FXOS is the operating system of Cisco Firepower, a firewall deployed in many corporate environments. Because these vulnerabilities affect network devices, they should be watched closely: an attacker who gains control of one of them can not only access all incoming and outgoing network traffic but also undermine the entire access-policy-based security system by making configuration changes that allow traffic “to” and “from” the attacker’s resources.
The vulnerabilities in Cisco NX-OS and FXOS are not detected by vulnerability scanners!
Since network devices operate by executing pre-written code, they will always be susceptible to security vulnerabilities, just like any other program, and vulnerabilities in network devices are certainly not rare. Just this January, vulnerabilities were discovered in the JunOS operating system of Juniper devices, and these too were not detected by vulnerability scanners.
The challenge with security flaws in network devices is that the devices are hardened against reconnaissance, as a defense against attackers trying to probe them. Unfortunately, from the device’s point of view an active vulnerability scan looks like exactly such a probe: the device treats it as a security breach, refuses to be scanned, and leaves the scanner without a response. This is the problem: if you are not notified about vulnerabilities that could cause serious damage to your environment, you cannot take any preventive action.
How can Skybox Security help?
Skybox not only manages network devices in terms of compliance with policies and internal security requirements, but it can also detect security vulnerabilities in devices such as Cisco switches and firewalls running the NX-OS or FXOS operating systems, without any active scanning.
In most environments, Skybox imports the device configuration to build a network model or to check compliance. While processing the configuration data, it also retrieves the version of the operating system the device is currently running. This information is then compared against the database of known vulnerabilities built into the solution. As a result, without any active scanning of network devices, Skybox reports existing vulnerabilities, available exploits, their exploitability, and ways of mitigating these security flaws.
Detected network-device vulnerabilities are presented alongside results from other solutions that actively scan the network, and are prioritized on several factors: a business assessment of the asset’s role and importance, exploit availability, use in current attacks, and exposure (whether the vulnerability can actually be exploited in the specific network environment, taking policies and access paths into account). Vulnerabilities for which exploits exist and which are exposed in the given network environment receive the highest priority. Skybox also provides information on how to address these flaws, whether by upgrading the software version, preventing exploitation with IPS signatures, or changing firewall configurations.
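As an added illustration of the workflow just described (this is not Skybox’s code, and no real Cisco advisory is referenced), the Python script below parses the running NX-OS release out of previously collected `show version` output, matches it against a small advisory table, and ranks the findings by exploit availability, exposure and asset importance. The advisory identifiers, version ranges, devices and scoring weights are all constructed placeholders. The two version-line formats it accepts (`NXOS: version …` and `system: version …`) are the ones NX-OS prints; FXOS reports its version differently and would need its own pattern, which is left out here.

```python
import re
from dataclasses import dataclass

# Tokeniser for NX-OS version strings such as "9.3(5)", "9.3(5a)" or
# "7.0(3)I7(4)": digit runs become ints, letter runs stay strings. Each token
# is tagged (0, int) or (1, str) so mixed tokens compare without a TypeError,
# and "9.3(5)" sorts before its rebuild "9.3(5a)" because it is a prefix of it.
_TOKEN = re.compile(r"\d+|[A-Za-z]+")
# NX-OS 9.x prints "NXOS: version 9.3(5)"; older trains print
# "system:    version 6.2(20)". Both forms are accepted.
_VERSION_LINE = re.compile(r"^\s*(?:NXOS|system):\s+version\s+(\S+)", re.M)


def parse_version(text):
    """Return a tuple that orders NX-OS versions correctly."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.upper())
                 for t in _TOKEN.findall(text))


def extract_nxos_version(show_version_output):
    """Pull the running release out of already-collected `show version` text."""
    match = _VERSION_LINE.search(show_version_output)
    if not match:
        raise ValueError("no NX-OS version line found")
    return match.group(1)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder, not a real Cisco advisory id
    first_affected: str     # inclusive lower bound of the affected range
    first_fixed: str        # exclusive upper bound (first fixed release)
    exploit_available: bool
    remediation: str


@dataclass(frozen=True)
class Device:
    name: str
    show_version: str
    criticality: int            # business assessment, 1 (lab) .. 3 (core)
    exposed_to_untrusted: bool  # management plane reachable from an untrusted zone


# Constructed placeholder advisories standing in for a vendor vulnerability DB.
ADVISORIES = [
    Advisory("EXAMPLE-NXOS-0001", "9.3(1)", "9.3(6)", True,
             "upgrade to 9.3(6) or later"),
    Advisory("EXAMPLE-NXOS-0002", "9.3(5a)", "9.3(7)", False,
             "upgrade to 9.3(7) or later"),
    Advisory("EXAMPLE-NXOS-0003", "6.2(2)", "6.2(22)", False,
             "upgrade, or deny management-plane access from untrusted zones"),
]


def is_affected(version, adv):
    v = parse_version(version)
    return parse_version(adv.first_affected) <= v < parse_version(adv.first_fixed)


def match_advisories(version, advisories=ADVISORIES):
    """Advisories whose affected range contains the running version."""
    return [a for a in advisories if is_affected(version, a)]


def priority(adv, device):
    """Score a finding: exposed and exploitable ranks highest (weights assumed)."""
    score = 1 + device.criticality
    score += 3 if adv.exploit_available else 0
    score += 3 if device.exposed_to_untrusted else 0
    return score


def assess(devices, advisories=ADVISORIES):
    """Return (priority, device, advisory_id, remediation) sorted high to low."""
    findings = []
    for dev in devices:
        version = extract_nxos_version(dev.show_version)
        for adv in match_advisories(version, advisories):
            findings.append((priority(adv, dev), dev.name, adv.advisory_id,
                             adv.remediation))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))


# Constructed `show version` fragments; only the version line matters here.
DEVICES = [
    Device("dc1-leaf01", "Software\n  BIOS: version 05.33\n"
           "  NXOS: version 9.3(5)\n", criticality=3, exposed_to_untrusted=True),
    Device("dc1-core01", "Software\n  BIOS:      version 2.12.0\n"
           "  system:    version 6.2(20)\n", criticality=3,
           exposed_to_untrusted=False),
    Device("lab-sw01", "Software\n  NXOS: version 9.3(6)\n", criticality=1,
           exposed_to_untrusted=True),
]

if __name__ == "__main__":
    for prio, name, adv_id, fix in assess(DEVICES):
        print(f"P{prio:<2} {name:<12} {adv_id}: {fix}")
```

Two details matter in practice. The version comparison has to understand the vendor’s own numbering (a rebuild such as `9.3(5a)` is newer than `9.3(5)` but older than `9.3(6)`), or the matcher will raise false positives and negatives at exactly the boundaries that decide whether a device is fixed. And the ranking puts an exposed, exploitable finding on a leaf switch above an unexposed, unexploitable one on a core switch, which is the ordering the text describes: exposure and exploit availability, not device importance alone, decide what gets patched first.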
To learn more about Skybox Security’s unique vulnerability management method, we invite you to review the manufacturer’s document available here.
Source: www.skyboxsecurity.com