Skip to main content

Cisco has published advisory for three high severity and one medium severity vulnerability. Successful exploitation of the vulnerabilities could take over the vulnerable Cisco appliances. The flaws CVE-2022-20623 with a base score of 8.6 is the second most critical vulnerability after CVE-2022-20650 among the four, which allows an unauthenticated, remote attacker to cause BFD traffic to be dropped on an affected device. We recommend all the Cisco Switch owners of Nexus 9000 Series to read this post that tells how to fix CVE-2022-20623- A Denial of Service Vulnerability in Cisco Nexus 9000 Series Switches.


List Of Other Vulnerabilities Disclosed In Cisco Switches Are:

  1. CVE-2022-20650
  2. CVE-2022-20623
  3. CVE-2022-20624
  4. CVE-2022-20625

Summary Of CVE-2022-20623:

This is the second most critical vulnerability on the list. This vulnerability allows unauthenticated, remote attackers to cause BFD traffic to be dropped on an affected device. The flaw is due to a design level issue in the BFD rate limiter functionality.

Cisco says, “A successful exploit could allow the attacker to cause BFD traffic to be dropped, resulting in BFD session flaps. BFD session flaps can cause route instability and dropped traffic, resulting in a denial of service (DoS) condition” in its advisory.

The flaw can be exploited by sending a crafted stream of traffic through the device. The vendor also said that the vulnerability is prone to both IPv4 and IPv6 streams of traffic.

Cisco Switches Affected By CVE-2022-20623:

The flaw affects Cisco Nexus 9200, 9300, and 9500 Series Switch models running standalone NX-OS mode with the following conditions.

  • The device is running a vulnerable version of Cisco NX-OS Software.
  • The device has the BFD feature enabled (BFD is disabled by default).
  • The device has a Cisco Cloud Scale ASIC installed.

Cisco Nexus 9200 and 9300 Platform Switches from software release 7.0(3)I6(2) to 7.0(3)I7(3) are vulnerable to the CVE-2022-20623 vulnerability.

Cisco Nexus 9500 Series Switches from software release 7.0(3)I6(2) to 9.3(8) and from 10.1(1) to 10.2(1) are vulnerable to the CVE-2022-20623 vulnerability.

List of Cisco Cloud Scale ASIC list of PIDs:

  • N9K-C92160YC-X
  • N9K-C92300YC
  • N9K-C92304QC
  • N9K-C9232C
  • N9K-C92348GC-X
  • N9K-C9236C
  • N9K-C9272Q
  • N9K-C93108TC-EX
  • N9K-C93108TC-FX
  • N9K-C9316D-GX
  • N9K-C93180LC-EX
  • N9K-C93180YC2-FX
  • N9K-C93180YC-EX
  • N9K-C93180YC-FX
  • N9K-C93216TC-FX2
  • N9K-C93240YC-FX2
  • N9K-C9332C
  • N9K-C93360YC-FX2
  • N9K-C9336C-FX2
  • N9K-C9348GC-FXP
  • N9K-C93600CD-GX
  • N9K-C9364C
  • N9K-C9364C-GX
  • N9K-X97160YC-EX
  • N9K-X97284YC-FX
  • N9K-X9732C-EX
  • N9K-X9732C-FX
  • N9K-X9736C-EX
  • N9K-X9736C-FX
  • N9K-X9788TC-FX

You can track the Cisco Cloud Scale ASIC list of PIDs from this advisory.

Cisco Switcher Not-affected By CVE-2022-20623:

Cisco clearly says that these models are safe and not affected by the CVE-2022-20623 flaw. Owners of these models can ignore the vulnerability.

  • Firepower 1000 Series
  • Firepower 2100 Series
  • Firepower 4100 Series
  • Firepower 9300 Security Appliances
  • MDS 9000 Series Multilayer Switches
  • Nexus 1000 Virtual Edge for VMware vSphere
  • Nexus 1000V Switch for Microsoft Hyper-V
  • Nexus 1000V Switch for VMware vSphere
  • Nexus 3000 Series Switches
  • Nexus 5500 Platform Switches
  • Nexus 5600 Platform Switches
  • Nexus 6000 Series Switches
  • Nexus 7000 Series Switches
  • Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode
  • UCS 6200 Series Fabric Interconnects
  • UCS 6300 Series Fabric Interconnects
  • UCS 6400 Series Fabric Interconnects


How To Say Your Cisco Nexus Switch Vulnerable?

Checking the PID information of the device is the best possible way to check the device is vulnerable. Run the show module command as an Admin on the CLI to view the PID information.

In this example, the device is vulnerable since its PID is N9K-C93180LC-EX.

nxos# show module
Mod Ports              Module-Type                Model              Status
--- ----- ------------------------------------- --------------------- ---------
1    54  48x1/10GT + 6x40G/100G Ethernet Modul    N9K-C93180LC-EX    active *

How To Say Your Cisco Nexus Switch Is Compromised?

The best way to check your Cisco device is compromised to check the amount of dropped BFD frames in the device. Run the show hardware rate-limiter bfd command on the CLI of the device to check the dropped BFD frames. If you have any queries on this, please contact the Cisco TAC for further assistance.

nxos# show hardware rate-limiter bfd
Units for Config: kilo bits per second
Allowed, Dropped & Total: aggregated bytes since last clear counters
Module: 1
R-L Class Config Allowed Dropped Total
bfd 10000 640840 5484530000 5485170840

How To Fix CVE-2022-20623- A Denial Of Service Vulnerability In Cisco Nexus 9000 Series Switches?

The CVE-2022-20623 vulnerability is in the rate limiter for Bidirectional Forwarding Detection (BFD) traffic of Cisco NX-OS Software of the Cisco Nexus 9000 Series Switches. The attackers can only exploit the devices on which the BFD feature is enabled and at least one BFD session is active on the device. So the device is vulnerable if there is a BFD session in UP state.

Run show feature | include bfd command to check the state of the BFD feature and run show bfd session command to check the state of the BFD sessions on the devices.

nxos# show feature | include bfd
bfd 1 enabled

nxos# show bfd session
Interface          Dest Addr          Local det time(int*mult)      State
------------------ --------------- ---------------- ---------------- ----------
Te0/0/1/0      300ms(100ms*3)  6s(2s*3)        UP

The best and quick solution could be disabling the BFD traffic on the devices. However, it depends on various factors. Please make sure that disabling BFD doesn’t make any discrepancies in the network. We recommend all the users of the affected devices update the Cisco NS-OS to the latest available version as Cisco has acknowledged the vulnerability by releasing the free software updates


Leave a Reply