cvelistv5 - cve-2021-1389

CVE-2021-1389 (GCVE-0-2021-1389)

Vulnerability from cvelistv5 – Published: 2021-02-04 16:40 – Updated: 2024-11-08 23:52

Summary

Severity ?

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CWE

CWE-284

Assigner

cisco

References

URL

Tags

https://tools.cisco.com/security/center/content/C…

vendor-advisoryx_refsource_CISCO

Impacted products

	Vendor	Product	Version
	Cisco	Cisco IOS XR Software	Affected: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T16:11:17.022Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20210203 Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-1389",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-08T20:04:30.579821Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-08T23:52:38.395Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cisco IOS XR Software",
          "vendor": "Cisco",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2021-02-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device. The vulnerability is due to improper processing of IPv6 traffic that is sent through an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 packets that traverse the affected device. A successful exploit could allow the attacker to access resources that would typically be protected by the interface ACL."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-04T16:40:16",
        "orgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
        "shortName": "cisco"
      },
      "references": [
        {
          "name": "20210203 Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j"
        }
      ],
      "source": {
        "advisory": "cisco-sa-ipv6-acl-CHgdYk8j",
        "defect": [
          [
            "CSCvm55638",
            "CSCvv45698"
          ]
        ],
        "discovery": "INTERNAL"
      },
      "title": "Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "DATE_PUBLIC": "2021-02-03T16:00:00",
          "ID": "CVE-2021-1389",
          "STATE": "PUBLIC",
          "TITLE": "Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Cisco IOS XR Software",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Cisco"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device. The vulnerability is due to improper processing of IPv6 traffic that is sent through an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 packets that traverse the affected device. A successful exploit could allow the attacker to access resources that would typically be protected by the interface ACL."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory."
          }
        ],
        "impact": {
          "cvss": {
            "baseScore": "5.8",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-284"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20210203 Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability",
              "refsource": "CISCO",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j"
            }
          ]
        },
        "source": {
          "advisory": "cisco-sa-ipv6-acl-CHgdYk8j",
          "defect": [
            [
              "CSCvm55638",
              "CSCvv45698"
            ]
          ],
          "discovery": "INTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633",
    "assignerShortName": "cisco",
    "cveId": "CVE-2021-1389",
    "datePublished": "2021-02-04T16:40:16.699245Z",
    "dateReserved": "2020-11-13T00:00:00",
    "dateUpdated": "2024-11-08T23:52:38.395Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:cisco:ios_xr:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"6.6.3\", \"matchCriteriaId\": \"3B76CC85-2825-44F1-BE8A-3F01573BC199\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:cisco:ios_xr:7.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"24DF4040-86A9-46CA-8BAB-04D6016751D5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:cisco:ios_xr:7.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"84BABFE7-1350-4FB0-B9ED-5F08E386BC40\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:cisco:ncs_540:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BC7AE6C1-B7C6-4056-9719-B5CFF71970AD\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:cisco:ncs_5501:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0A972EFE-4F7E-4BFC-8631-66A2D16B74A3\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:cisco:ncs_5501-se:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1B254955-C485-45D7-A19B-E78CE1D997AD\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:cisco:ncs_5502:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7F72AEF0-EE70-40F8-B52B-1390820B87BB\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:cisco:ncs_5502-se:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"50C7B71A-2559-4E90-BAAA-C6FAAFE35FC3\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:cisco:ncs_5508:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"43D21B01-A754-474F-8E46-14D733AB307E\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:cisco:ncs_5516:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"17D6424C-972F-459C-B8F7-04FFD9F541BC\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:cisco:ncs_560:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D4CC8256-E4F8-4DCB-B69A-40A7C5AA41E8\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:cisco:nx-os:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DA35D4AA-24B3-428E-84ED-804EF941E9A9\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:cisco:nexus_3600:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"97217080-455C-48E4-8CE1-6D5B9485864F\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:cisco:nexus_9500_r:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EE07E8D4-376D-4341-A656-F8440368A8A9\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device. The vulnerability is due to improper processing of IPv6 traffic that is sent through an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 packets that traverse the affected device. A successful exploit could allow the attacker to access resources that would typically be protected by the interface ACL.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad en el procesamiento del tr\\u00e1fico IPv6 del Software Cisco IOS XR,  y el Software Cisco NX-OS para determinados dispositivos Cisco, podr\\u00eda permitir a un atacante remoto no autenticado omitir una lista de control de acceso (ACL) IPv6 configurada para una interfaz de un dispositivo afectado.\u0026#xa0;La vulnerabilidad es debido al procesamiento inapropiado del tr\\u00e1fico IPv6 que se env\\u00eda por medio de un dispositivo afectado.\u0026#xa0;Un atacante podr\\u00eda explotar esta vulnerabilidad mediante el env\\u00edo de paquetes IPv6 dise\\u00f1ados que atraviesan el dispositivo afectado.\u0026#xa0;Una explotaci\\u00f3n con \\u00e9xito podr\\u00eda permitir al atacante acceder a recursos que normalmente estar\\u00edan protegidos por la interfaz ACL\"}]",
      "id": "CVE-2021-1389",
      "lastModified": "2024-11-21T05:44:14.533",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"ykramarz@cisco.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N\", \"baseScore\": 5.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 2.5}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:N\", \"baseScore\": 6.4, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-02-04T17:15:18.937",
      "references": "[{\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j\", \"source\": \"ykramarz@cisco.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "ykramarz@cisco.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ykramarz@cisco.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-284\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-1389\",\"sourceIdentifier\":\"psirt@cisco.com\",\"published\":\"2021-02-04T17:15:18.937\",\"lastModified\":\"2024-11-21T05:44:14.533\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device. The vulnerability is due to improper processing of IPv6 traffic that is sent through an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 packets that traverse the affected device. A successful exploit could allow the attacker to access resources that would typically be protected by the interface ACL.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad en el procesamiento del tr\u00e1fico IPv6 del Software Cisco IOS XR,  y el Software Cisco NX-OS para determinados dispositivos Cisco, podr\u00eda permitir a un atacante remoto no autenticado omitir una lista de control de acceso (ACL) IPv6 configurada para una interfaz de un dispositivo afectado.\u0026#xa0;La vulnerabilidad es debido al procesamiento inapropiado del tr\u00e1fico IPv6 que se env\u00eda por medio de un dispositivo afectado.\u0026#xa0;Un atacante podr\u00eda explotar esta vulnerabilidad mediante el env\u00edo de paquetes IPv6 dise\u00f1ados que atraviesan el dispositivo afectado.\u0026#xa0;Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante acceder a recursos que normalmente estar\u00edan protegidos por la interfaz ACL\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@cisco.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N\",\"baseScore\":5.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"psirt@cisco.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:cisco:ios_xr:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.6.3\",\"matchCriteriaId\":\"3B76CC85-2825-44F1-BE8A-3F01573BC199\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:cisco:ios_xr:7.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"24DF4040-86A9-46CA-8BAB-04D6016751D5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:cisco:ios_xr:7.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"84BABFE7-1350-4FB0-B9ED-5F08E386BC40\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_540:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BC7AE6C1-B7C6-4056-9719-B5CFF71970AD\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_5501:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0A972EFE-4F7E-4BFC-8631-66A2D16B74A3\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_5501-se:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1B254955-C485-45D7-A19B-E78CE1D997AD\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_5502:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F72AEF0-EE70-40F8-B52B-1390820B87BB\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_5502-se:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"50C7B71A-2559-4E90-BAAA-C6FAAFE35FC3\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_5508:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"43D21B01-A754-474F-8E46-14D733AB307E\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_5516:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"17D6424C-972F-459C-B8F7-04FFD9F541BC\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:ncs_560:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D4CC8256-E4F8-4DCB-B69A-40A7C5AA41E8\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:cisco:nx-os:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DA35D4AA-24B3-428E-84ED-804EF941E9A9\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:nexus_3600:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"97217080-455C-48E4-8CE1-6D5B9485864F\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:cisco:nexus_9500_r:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EE07E8D4-376D-4341-A656-F8440368A8A9\"}]}]}],\"references\":[{\"url\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j\",\"source\":\"psirt@cisco.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j\", \"name\": \"20210203 Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability\", \"tags\": [\"vendor-advisory\", \"x_refsource_CISCO\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T16:11:17.022Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-1389\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-08T20:04:30.579821Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-08T20:11:57.338Z\"}}], \"cna\": {\"title\": \"Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability\", \"source\": {\"defect\": [[\"CSCvm55638\", \"CSCvv45698\"]], \"advisory\": \"cisco-sa-ipv6-acl-CHgdYk8j\", \"discovery\": \"INTERNAL\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"Cisco\", \"product\": \"Cisco IOS XR Software\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"exploits\": [{\"lang\": \"en\", \"value\": \"The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.\"}], \"datePublic\": \"2021-02-03T00:00:00\", \"references\": [{\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j\", \"name\": \"20210203 Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability\", \"tags\": [\"vendor-advisory\", \"x_refsource_CISCO\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device. The vulnerability is due to improper processing of IPv6 traffic that is sent through an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 packets that traverse the affected device. A successful exploit could allow the attacker to access resources that would typically be protected by the interface ACL.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"CWE-284\"}]}], \"providerMetadata\": {\"orgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"shortName\": \"cisco\", \"dateUpdated\": \"2021-02-04T16:40:16\"}, \"x_legacyV4Record\": {\"impact\": {\"cvss\": {\"version\": \"3.0\", \"baseScore\": \"5.8\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N\"}}, \"source\": {\"defect\": [[\"CSCvm55638\", \"CSCvv45698\"]], \"advisory\": \"cisco-sa-ipv6-acl-CHgdYk8j\", \"discovery\": \"INTERNAL\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"n/a\"}]}, \"product_name\": \"Cisco IOS XR Software\"}]}, \"vendor_name\": \"Cisco\"}]}}, \"exploit\": [{\"lang\": \"en\", \"value\": \"The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.\"}], \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j\", \"name\": \"20210203 Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability\", \"refsource\": \"CISCO\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device. The vulnerability is due to improper processing of IPv6 traffic that is sent through an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 packets that traverse the affected device. A successful exploit could allow the attacker to access resources that would typically be protected by the interface ACL.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-284\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2021-1389\", \"STATE\": \"PUBLIC\", \"TITLE\": \"Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability\", \"ASSIGNER\": \"psirt@cisco.com\", \"DATE_PUBLIC\": \"2021-02-03T16:00:00\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2021-1389\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-08T23:52:38.395Z\", \"dateReserved\": \"2020-11-13T00:00:00\", \"assignerOrgId\": \"d1c1063e-7a18-46af-9102-31f8928bc633\", \"datePublished\": \"2021-02-04T16:40:16.699245Z\", \"assignerShortName\": \"cisco\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2021-1389

Vulnerability from fkie_nvd - Published: 2021-02-04 17:15 - Updated: 2024-11-21 05:44

Severity ?

5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Summary

References

	URL	Tags
	psirt@cisco.com	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j	Vendor Advisory

Impacted products

Vendor	Product	Version
cisco	ios_xr	*
cisco	ios_xr	7.1.0
cisco	ios_xr	7.2.0
cisco	ncs_540	-
cisco	ncs_5501	-
cisco	ncs_5501-se	-
cisco	ncs_5502	-
cisco	ncs_5502-se	-
cisco	ncs_5508	-
cisco	ncs_5516	-
cisco	ncs_560	-
cisco	nx-os	-
cisco	nexus_3600	-
cisco	nexus_9500_r	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:cisco:ios_xr:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3B76CC85-2825-44F1-BE8A-3F01573BC199",
              "versionEndExcluding": "6.6.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:ios_xr:7.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "24DF4040-86A9-46CA-8BAB-04D6016751D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cisco:ios_xr:7.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "84BABFE7-1350-4FB0-B9ED-5F08E386BC40",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:cisco:ncs_540:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "BC7AE6C1-B7C6-4056-9719-B5CFF71970AD",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:ncs_5501:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "0A972EFE-4F7E-4BFC-8631-66A2D16B74A3",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:ncs_5501-se:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "1B254955-C485-45D7-A19B-E78CE1D997AD",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:ncs_5502:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "7F72AEF0-EE70-40F8-B52B-1390820B87BB",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:ncs_5502-se:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "50C7B71A-2559-4E90-BAAA-C6FAAFE35FC3",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:ncs_5508:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "43D21B01-A754-474F-8E46-14D733AB307E",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:ncs_5516:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "17D6424C-972F-459C-B8F7-04FFD9F541BC",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:ncs_560:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "D4CC8256-E4F8-4DCB-B69A-40A7C5AA41E8",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:cisco:nx-os:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "DA35D4AA-24B3-428E-84ED-804EF941E9A9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:cisco:nexus_3600:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "97217080-455C-48E4-8CE1-6D5B9485864F",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:cisco:nexus_9500_r:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE07E8D4-376D-4341-A656-F8440368A8A9",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device. The vulnerability is due to improper processing of IPv6 traffic that is sent through an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 packets that traverse the affected device. A successful exploit could allow the attacker to access resources that would typically be protected by the interface ACL."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en el procesamiento del tr\u00e1fico IPv6 del Software Cisco IOS XR,  y el Software Cisco NX-OS para determinados dispositivos Cisco, podr\u00eda permitir a un atacante remoto no autenticado omitir una lista de control de acceso (ACL) IPv6 configurada para una interfaz de un dispositivo afectado.\u0026#xa0;La vulnerabilidad es debido al procesamiento inapropiado del tr\u00e1fico IPv6 que se env\u00eda por medio de un dispositivo afectado.\u0026#xa0;Un atacante podr\u00eda explotar esta vulnerabilidad mediante el env\u00edo de paquetes IPv6 dise\u00f1ados que atraviesan el dispositivo afectado.\u0026#xa0;Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir al atacante acceder a recursos que normalmente estar\u00edan protegidos por la interfaz ACL"
    }
  ],
  "id": "CVE-2021-1389",
  "lastModified": "2024-11-21T05:44:14.533",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "psirt@cisco.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.5,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-02-04T17:15:18.937",
  "references": [
    {
      "source": "psirt@cisco.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j"
    }
  ],
  "sourceIdentifier": "psirt@cisco.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "psirt@cisco.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CISCO-SA-IPV6-ACL-CHGDYK8J

Vulnerability from csaf_cisco - Published: 2021-02-03 16:00 - Updated: 2021-02-03 16:00

Summary

Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability

Notes

Summary

A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device. The vulnerability is due to improper processing of IPv6 traffic that is sent through an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 packets that traverse the affected device. A successful exploit could allow the attacker to access resources that would typically be protected by the interface ACL. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j ["https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j"]

Vulnerable Products

At the time of publication, this vulnerability affected the following Cisco devices if they were running a vulnerable release of Cisco IOS XR Software or Cisco NX-OS Software and had IPv6 ACL configured: Network Convergence System (NCS) 540 Series Routers NCS 560 Series Routers NCS 5500 Series Nexus 3600 Platform Switches Nexus 9500 R-Series Switching Platforms For information about which Cisco software releases are vulnerable, see the Fixed Software ["#fs"] section of this advisory. Determine the Configuration for Cisco IOS XR Software Use the show running-config | include ipv6 access-list command to view the configured ACLs for IPv6. If this command produces an output, the device should be considered vulnerable. The following example shows the output on a device that has the IPv6 ACL configured: Router# show running-config | include ipv6 access-list ipv6 access-list <acl_name> This does not apply to IPv4 ACLs. Determine the Configuration for Cisco NX-OS Software Use the show ipv6 access-lists command to view the configured ACLs for IPv6. If this command produces an output, the device should be considered vulnerable. The following example shows the output on a device that has the IPv6 ACL configured: Nexus# show ipv6 access-lists IPv6 access list <acl_name> This does not apply to IPv4 ACLs.

Products Confirmed Not Vulnerable

Only products listed in the Vulnerable Products ["#vp"] section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect the following Cisco products: NCS 520 Series Routers NCS 5000 Series Switches NCS 6000 Series Routers IOS XR SW-only IOS XRv 9000 Routers ASR 9000 Series Aggregation Services Routers Carrier Routing System (CRS) Firepower 1000 Series Firepower 2100 Series Firepower 4100 Series Firepower 9300 Security Appliances MDS 9000 Series Multilayer Switches Nexus 1000 Virtual Edge for VMware vSphere Nexus 1000V Switch for Microsoft Hyper-V Nexus 1000V Switch for VMware vSphere Nexus 3000 Series Switches Nexus 5500 Platform Switches Nexus 5600 Platform Switches Nexus 6000 Series Switches Nexus 7000 Series Switches Nexus 9000 Series Switches in standalone NX-OS mode Nexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode UCS 6200 Series Fabric Interconnects UCS 6300 Series Fabric Interconnects UCS 6400 Series Fabric Interconnects

Details

Cisco IOS XR Software After being upgraded to a fixed release of Cisco IOS XR Software, the device is able to detect IPv6 packets that may be improperly processed. Once detected, the device sends these packets to the main CPU for further processing. This activity may result in reduced performance in forwarding IPv6 packets that match specific network traffic patterns. If the device is not configured to perform IPv6 packets classification, administrators can disable the CPU-based inspection for IPv6 packets. The feature can be disabled by using the CLI command hw-module profile acl ipv6 ext-header permit in global configuration mode. Customers should be aware that this action will expose the device to the vulnerability that is described in the advisory, even if the device is running a fixed Cisco IOS XR Software release. The vulnerability described in this advisory only applies to IPv6 packets that traverse an affected device. It does not apply to IPv4 traffic or to IPv6 traffic that is destined for an affected device. Cisco NX-OS Software To protect a device from this vulnerability, administrators must install a fixed release of Cisco NX-OS Software and apply the rule extension-header deny-all to any IPv6 ACL that is configured on the device. A device should be considered vulnerable until the rule extension-header deny-all has been applied to all IPv6 ACLs that are configured on the device, even if it is running a fixed Cisco NX-OS Software release. Beginning with Cisco NX-OS Release 9.3(7), Cisco Nexus 3600 Platform Switches and Cisco Nexus 9500 R-Series Switching Platforms include the rule extension-header {permit-all | deny-all} for the disposition of IPv6 packets that include extension headers. The rule is not enabled by default. With the rule extension-header deny-all configured, the device will drop any IPv6 packet with at least one extension header, regardless of any other IPv6 ACL rules that match other fields of the packet. If the rule extension-header permit-all is configured, then the device is vulnerable. For detailed information about configuring extension-header {permit-all | deny-all}, see the Cisco Nexus 3600 NX-OS Unicast Routing Configuration Guide ["https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3600/sw/93x/unicast/configuration/guide/b-cisco-nexus-3600-nx-os-unicast-routing-configuration-guide-93x/b-cisco-nexus-3600-nx-os-unicast-routing-configuration-guide-93x_chapter_010010.html"] or the Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide ["https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/unicast/configuration/guide/b-cisco-nexus-9000-series-nx-os-unicast-routing-configuration-guide-93x.html"]. For detailed information about configuring ACLs, see the Cisco Nexus 3600 NX-OS Security Configuration Guide ["https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3600/sw/93x/security/configuration/guide/b-cisco-nexus-3600-nx-os-security-configuration-guide-93x/b-cisco-nexus-3600-nx-os-security-configuration-guide-93x_chapter_01.html"] or the Cisco Nexus 9000 Series NX-OS Security Configuration Guide ["https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x.html"].

Workarounds

There are no workarounds that address this vulnerability.

Fixed Software

When considering software upgrades ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page ["https://www.cisco.com/go/psirt"], to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Fixed Releases Cisco IOS XR Software At the time of publication, Cisco IOS XR Software releases 6.6.3, 6.7.1, 7.1.1, 7.2.1, and later contained the fix for this vulnerability. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information. Cisco NX-OS Software After upgrading a device to a fixed release of Cisco NX-OS Software, customers must apply the rule extension-header deny-all to any IPv6 ACL that is configured on the device. The rule is not enabled by default. A device should be considered vulnerable until the rule extension-header deny-all has been applied to all IPv6 ACLs that are configured on the device, even if it is running a fixed Cisco NX-OS Software release. For detailed information about configuring the extension-header deny-all rule, see the Cisco Nexus 3600 NX-OS Unicast Routing Configuration Guide ["https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3600/sw/93x/unicast/configuration/guide/b-cisco-nexus-3600-nx-os-unicast-routing-configuration-guide-93x/b-cisco-nexus-3600-nx-os-unicast-routing-configuration-guide-93x_chapter_010010.html"] or the Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide ["https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/unicast/configuration/guide/b-cisco-nexus-9000-series-nx-os-unicast-routing-configuration-guide-93x.html"]. To help customers determine their exposure to vulnerabilities in Cisco NX-OS Software, Cisco provides the Cisco Software Checker ["https://sec.cloudapps.cisco.com/security/center/softwarechecker.x"] to identify any Cisco Security Advisories that impact a specific Cisco NX-OS Software release and the earliest release that fixes the vulnerabilities that are described in each advisory (“First Fixed”). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified (“Combined First Fixed”). Customers can use the Cisco Software Checker ["https://sec.cloudapps.cisco.com/security/center/softwarechecker.x"] to search advisories in the following ways: Choose the software, platform, and one or more releases Upload a .txt file that includes a list of specific releases Enter the output of the show version command After initiating a search, customers can customize the search to include all Cisco Security Advisories or one or more specific advisories. Customers can also use the following form to determine whether a release is affected by any Cisco Security Advisory by choosing the Cisco NX-OS Software and platform and then entering a release—for example, 7.0(3)I7(5) for Cisco Nexus 3000 Series Switches or 14.0(1h) for Cisco NX-OS Software in ACI mode: Cisco NX-OS Software Cisco NX-OS Software in ACI Mode MDS 9000 Series Multilayer Switches Nexus 1000V Series Switches Nexus 3000 Series Switches Nexus 5000 Series Switches Nexus 6000 Series Switches Nexus 7000 Series Switches Nexus 9000 Series Switches By default, the Cisco Software Checker ["https://sec.cloudapps.cisco.com/security/center/softwarechecker.x"] includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, customers can use the Cisco Software Checker and check the Medium check box in the drop-down list under Impact Rating when customizing a search.

Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy ["https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

This vulnerability was found during the resolution of a Cisco TAC support case.

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "summary": "This vulnerability was found during the resolution of a Cisco TAC support case."
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "notes": [
      {
        "category": "summary",
        "text": "A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device.\r\n\r\nThe vulnerability is due to improper processing of IPv6 traffic that is sent through an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 packets that traverse the affected device. A successful exploit could allow the attacker to access resources that would typically be protected by the interface ACL.\r\n\r\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\r\n\r\nThis advisory is available at the following link:\r\nhttps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j [\"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j\"]",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "At the time of publication, this vulnerability affected the following Cisco devices if they were running a vulnerable release of Cisco IOS XR Software or Cisco NX-OS Software and had IPv6 ACL configured:\r\n\r\nNetwork Convergence System (NCS) 540 Series Routers\r\nNCS 560 Series Routers\r\nNCS 5500 Series\r\nNexus 3600 Platform Switches\r\nNexus 9500 R-Series Switching Platforms\r\n\r\nFor information about which Cisco software releases are vulnerable, see the Fixed Software [\"#fs\"] section of this advisory.\r\n\r\nDetermine the Configuration for Cisco IOS XR Software\r\n\r\nUse the show running-config | include ipv6 access-list command to view the configured ACLs for IPv6. If this command produces an output, the device should be considered vulnerable. The following example shows the output on a device that has the IPv6 ACL configured:\r\n\r\n\r\nRouter# show running-config  | include ipv6 access-list\r\nipv6 access-list \u003cacl_name\u003e\r\n\r\nThis does not apply to IPv4 ACLs.\r\n\r\nDetermine the Configuration for Cisco NX-OS Software\r\n\r\nUse the show ipv6 access-lists command to view the configured ACLs for IPv6. If this command produces an output, the device should be considered vulnerable. The following example shows the output on a device that has the IPv6 ACL configured:\r\n\r\n\r\nNexus# show ipv6 access-lists\r\nIPv6 access list \u003cacl_name\u003e\r\n\r\nThis does not apply to IPv4 ACLs.",
        "title": "Vulnerable Products"
      },
      {
        "category": "general",
        "text": "Only products listed in the Vulnerable Products [\"#vp\"] section of this advisory are known to be affected by this vulnerability.\r\n\r\nCisco has confirmed that this vulnerability does not affect the following Cisco products:\r\n\r\nNCS 520 Series Routers\r\nNCS 5000 Series Switches\r\nNCS 6000 Series Routers\r\nIOS XR SW-only\r\nIOS XRv 9000 Routers\r\nASR 9000 Series Aggregation Services Routers\r\nCarrier Routing System (CRS)\r\nFirepower 1000 Series\r\nFirepower 2100 Series\r\nFirepower 4100 Series\r\nFirepower 9300 Security Appliances\r\nMDS 9000 Series Multilayer Switches\r\nNexus 1000 Virtual Edge for VMware vSphere\r\nNexus 1000V Switch for Microsoft Hyper-V\r\nNexus 1000V Switch for VMware vSphere\r\nNexus 3000 Series Switches\r\nNexus 5500 Platform Switches\r\nNexus 5600 Platform Switches\r\nNexus 6000 Series Switches\r\nNexus 7000 Series Switches\r\nNexus 9000 Series Switches in standalone NX-OS mode\r\nNexus 9000 Series Fabric Switches in Application Centric Infrastructure (ACI) mode\r\nUCS 6200 Series Fabric Interconnects\r\nUCS 6300 Series Fabric Interconnects\r\nUCS 6400 Series Fabric Interconnects",
        "title": "Products Confirmed Not Vulnerable"
      },
      {
        "category": "general",
        "text": "Cisco IOS XR Software\r\n\r\nAfter being upgraded to a fixed release of Cisco IOS XR Software, the device is able to detect IPv6 packets that may be improperly processed. Once detected, the device sends these packets to the main CPU for further processing. This activity may result in reduced performance in forwarding IPv6 packets that match specific network traffic patterns.\r\n\r\nIf the device is not configured to perform IPv6 packets classification, administrators can disable the CPU-based inspection for IPv6 packets. The feature can be disabled by using the CLI command hw-module profile acl ipv6 ext-header permit in global configuration mode. Customers should be aware that this action will expose the device to the vulnerability that is described in the advisory, even if the device is running a fixed Cisco IOS XR Software release.\r\n\r\nThe vulnerability described in this advisory only applies to IPv6 packets that traverse an affected device. It does not apply to IPv4 traffic or to IPv6 traffic that is destined for an affected device.\r\n\r\nCisco NX-OS Software\r\n\r\nTo protect a device from this vulnerability, administrators must install a fixed release of Cisco NX-OS Software and apply the rule extension-header deny-all to any IPv6 ACL that is configured on the device. A device should be considered vulnerable until the rule extension-header deny-all has been applied to all IPv6 ACLs that are configured on the device, even if it is running a fixed Cisco NX-OS Software release.\r\n\r\nBeginning with Cisco NX-OS Release 9.3(7), Cisco Nexus 3600 Platform Switches and Cisco Nexus 9500 R-Series Switching Platforms include the rule extension-header {permit-all | deny-all} for the disposition of IPv6 packets that include extension headers. The rule is not enabled by default. With the rule extension-header deny-all configured, the device will drop any IPv6 packet with at least one extension header, regardless of any other IPv6 ACL rules that match other fields of the packet.\r\n\r\nIf the rule extension-header permit-all is configured, then the device is vulnerable.\r\n\r\nFor detailed information about configuring extension-header {permit-all | deny-all}, see the Cisco Nexus 3600 NX-OS Unicast Routing Configuration Guide [\"https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3600/sw/93x/unicast/configuration/guide/b-cisco-nexus-3600-nx-os-unicast-routing-configuration-guide-93x/b-cisco-nexus-3600-nx-os-unicast-routing-configuration-guide-93x_chapter_010010.html\"] or the Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide [\"https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/unicast/configuration/guide/b-cisco-nexus-9000-series-nx-os-unicast-routing-configuration-guide-93x.html\"].\r\n\r\nFor detailed information about configuring ACLs, see the Cisco Nexus 3600 NX-OS Security Configuration Guide [\"https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3600/sw/93x/security/configuration/guide/b-cisco-nexus-3600-nx-os-security-configuration-guide-93x/b-cisco-nexus-3600-nx-os-security-configuration-guide-93x_chapter_01.html\"] or the Cisco Nexus 9000 Series NX-OS Security Configuration Guide [\"https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x.html\"].",
        "title": "Details"
      },
      {
        "category": "general",
        "text": "There are no workarounds that address this vulnerability.",
        "title": "Workarounds"
      },
      {
        "category": "general",
        "text": "When considering software upgrades [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes\"], customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page [\"https://www.cisco.com/go/psirt\"], to determine exposure and a complete upgrade solution.\r\n\r\nIn all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.\r\n      Fixed Releases\r\nCisco IOS XR Software\r\n\r\nAt the time of publication, Cisco IOS XR Software releases 6.6.3, 6.7.1, 7.1.1, 7.2.1, and later contained the fix for this vulnerability.\r\n\r\nSee the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.\r\n\r\nCisco NX-OS Software\r\n\r\nAfter upgrading a device to a fixed release of Cisco NX-OS Software, customers must apply the rule extension-header deny-all to any IPv6 ACL that is configured on the device. The rule is not enabled by default. A device should be considered vulnerable until the rule extension-header deny-all has been applied to all IPv6 ACLs that are configured on the device, even if it is running a fixed Cisco NX-OS Software release.\r\n\r\nFor detailed information about configuring the extension-header deny-all rule, see the Cisco Nexus 3600 NX-OS Unicast Routing Configuration Guide [\"https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3600/sw/93x/unicast/configuration/guide/b-cisco-nexus-3600-nx-os-unicast-routing-configuration-guide-93x/b-cisco-nexus-3600-nx-os-unicast-routing-configuration-guide-93x_chapter_010010.html\"] or the Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide [\"https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/unicast/configuration/guide/b-cisco-nexus-9000-series-nx-os-unicast-routing-configuration-guide-93x.html\"].\r\n\r\nTo help customers determine their exposure to vulnerabilities in Cisco NX-OS Software, Cisco provides the Cisco Software Checker [\"https://sec.cloudapps.cisco.com/security/center/softwarechecker.x\"] to identify any Cisco Security Advisories that impact a specific Cisco NX-OS Software release and the earliest release that fixes the vulnerabilities that are described in each advisory (\u201cFirst Fixed\u201d). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified (\u201cCombined First Fixed\u201d).\r\n\r\nCustomers can use the Cisco Software Checker [\"https://sec.cloudapps.cisco.com/security/center/softwarechecker.x\"] to search advisories in the following ways:\r\n\r\nChoose the software, platform, and one or more releases\r\nUpload a .txt file that includes a list of specific releases\r\nEnter the output of the show version command\r\n\r\nAfter initiating a search, customers can customize the search to include all Cisco Security Advisories or one or more specific advisories.\r\n\r\nCustomers can also use the following form to determine whether a release is affected by any Cisco Security Advisory by choosing the Cisco NX-OS Software and platform and then entering a release\u2014for example, 7.0(3)I7(5) for Cisco Nexus 3000 Series Switches or 14.0(1h) for Cisco NX-OS Software in ACI mode:\r\n    Cisco NX-OS Software  Cisco NX-OS Software in ACI Mode    MDS 9000 Series Multilayer Switches  Nexus 1000V Series Switches  Nexus 3000 Series Switches  Nexus 5000 Series Switches  Nexus 6000 Series Switches  Nexus 7000 Series Switches  Nexus 9000 Series Switches\r\n\r\n\r\n\r\n\r\nBy default, the Cisco Software Checker [\"https://sec.cloudapps.cisco.com/security/center/softwarechecker.x\"] includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, customers can use the Cisco Software Checker and check the Medium check box in the drop-down list under Impact Rating when customizing a search.",
        "title": "Fixed Software"
      },
      {
        "category": "general",
        "text": "To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy [\"https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html\"]. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.",
        "title": "Vulnerability Policy"
      },
      {
        "category": "general",
        "text": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.",
        "title": "Exploitation and Public Announcements"
      },
      {
        "category": "general",
        "text": "This vulnerability was found during the resolution of a Cisco TAC support case.",
        "title": "Source"
      },
      {
        "category": "legal_disclaimer",
        "text": "THIS DOCUMENT IS PROVIDED ON AN \"AS IS\" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.\r\n\r\nA standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.",
        "title": "Legal Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "Emergency Support:\r\n+1 877 228 7302 (toll-free within North America)\r\n+1 408 525 6532 (International direct-dial)\r\nNon-emergency Support:\r\nEmail: psirt@cisco.com\r\nSupport requests that are received via e-mail are typically acknowledged within 48 hours.",
      "issuing_authority": "Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.\r\nMore information can be found in Cisco Security Vulnerability Policy available at https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html",
      "name": "Cisco",
      "namespace": "https://wwww.cisco.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j"
      },
      {
        "category": "external",
        "summary": "Cisco Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      },
      {
        "category": "external",
        "summary": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j",
        "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j"
      },
      {
        "category": "external",
        "summary": "Cisco\u0026nbsp;Nexus 3600 NX-OS Unicast Routing Configuration Guide",
        "url": "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3600/sw/93x/unicast/configuration/guide/b-cisco-nexus-3600-nx-os-unicast-routing-configuration-guide-93x/b-cisco-nexus-3600-nx-os-unicast-routing-configuration-guide-93x_chapter_010010.html"
      },
      {
        "category": "external",
        "summary": "Cisco\u0026nbsp;Nexus 9000 Series NX-OS Unicast Routing Configuration Guide",
        "url": "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/unicast/configuration/guide/b-cisco-nexus-9000-series-nx-os-unicast-routing-configuration-guide-93x.html"
      },
      {
        "category": "external",
        "summary": "Cisco\u0026nbsp;Nexus 3600 NX-OS Security Configuration Guide",
        "url": "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3600/sw/93x/security/configuration/guide/b-cisco-nexus-3600-nx-os-security-configuration-guide-93x/b-cisco-nexus-3600-nx-os-security-configuration-guide-93x_chapter_01.html"
      },
      {
        "category": "external",
        "summary": "Cisco\u0026nbsp;Nexus 9000 Series NX-OS Security Configuration Guide",
        "url": "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x.html"
      },
      {
        "category": "external",
        "summary": "considering software upgrades",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html#fixes"
      },
      {
        "category": "external",
        "summary": "Cisco\u0026nbsp;Security Advisories page",
        "url": "https://www.cisco.com/go/psirt"
      },
      {
        "category": "external",
        "summary": "Cisco\u0026nbsp;Nexus 3600 NX-OS Unicast Routing Configuration Guide",
        "url": "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3600/sw/93x/unicast/configuration/guide/b-cisco-nexus-3600-nx-os-unicast-routing-configuration-guide-93x/b-cisco-nexus-3600-nx-os-unicast-routing-configuration-guide-93x_chapter_010010.html"
      },
      {
        "category": "external",
        "summary": "Cisco\u0026nbsp;Nexus 9000 Series NX-OS Unicast Routing Configuration Guide",
        "url": "https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/unicast/configuration/guide/b-cisco-nexus-9000-series-nx-os-unicast-routing-configuration-guide-93x.html"
      },
      {
        "category": "external",
        "summary": "Cisco\u0026nbsp;Software Checker",
        "url": "https://sec.cloudapps.cisco.com/security/center/softwarechecker.x"
      },
      {
        "category": "external",
        "summary": "Cisco\u0026nbsp;Software Checker",
        "url": "https://sec.cloudapps.cisco.com/security/center/softwarechecker.x"
      },
      {
        "category": "external",
        "summary": "Cisco\u0026nbsp;Software Checker",
        "url": "https://sec.cloudapps.cisco.com/security/center/softwarechecker.x"
      },
      {
        "category": "external",
        "summary": "Security Vulnerability Policy",
        "url": "https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html"
      }
    ],
    "title": "Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability",
    "tracking": {
      "current_release_date": "2021-02-03T16:00:00+00:00",
      "generator": {
        "date": "2022-10-22T03:04:46+00:00",
        "engine": {
          "name": "TVCE"
        }
      },
      "id": "cisco-sa-ipv6-acl-CHgdYk8j",
      "initial_release_date": "2021-02-03T16:00:00+00:00",
      "revision_history": [
        {
          "date": "2021-01-27T20:18:58+00:00",
          "number": "1.0.0",
          "summary": "Initial public release."
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_family",
            "name": "Cisco IOS XR Software",
            "product": {
              "name": "Cisco IOS XR Software ",
              "product_id": "CSAFPID-5834"
            }
          },
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "service_pack",
                    "name": "7.0(3)F3(1)",
                    "product": {
                      "name": "7.0(3)F3(1)",
                      "product_id": "CSAFPID-239632"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "7.0(3)F3(2)",
                    "product": {
                      "name": "7.0(3)F3(2)",
                      "product_id": "CSAFPID-239633"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "7.0(3)F3(3)",
                    "product": {
                      "name": "7.0(3)F3(3)",
                      "product_id": "CSAFPID-239634"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "7.0(3)F3(3a)",
                    "product": {
                      "name": "7.0(3)F3(3a)",
                      "product_id": "CSAFPID-239635"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "7.0(3)F3(4)",
                    "product": {
                      "name": "7.0(3)F3(4)",
                      "product_id": "CSAFPID-239636"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "7.0(3)F3(3c)",
                    "product": {
                      "name": "7.0(3)F3(3c)",
                      "product_id": "CSAFPID-248790"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "7.0(3)F3(5)",
                    "product": {
                      "name": "7.0(3)F3(5)",
                      "product_id": "CSAFPID-256529"
                    }
                  }
                ],
                "category": "product_version",
                "name": "7.0(3)F3"
              },
              {
                "branches": [
                  {
                    "category": "service_pack",
                    "name": "9.2(1)",
                    "product": {
                      "name": "9.2(1)",
                      "product_id": "CSAFPID-248793"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "9.2(2)",
                    "product": {
                      "name": "9.2(2)",
                      "product_id": "CSAFPID-265141"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "9.2(2t)",
                    "product": {
                      "name": "9.2(2t)",
                      "product_id": "CSAFPID-265142"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "9.2(3)",
                    "product": {
                      "name": "9.2(3)",
                      "product_id": "CSAFPID-265143"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "9.2(3y)",
                    "product": {
                      "name": "9.2(3y)",
                      "product_id": "CSAFPID-265144"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "9.2(4)",
                    "product": {
                      "name": "9.2(4)",
                      "product_id": "CSAFPID-267105"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "9.2(2v)",
                    "product": {
                      "name": "9.2(2v)",
                      "product_id": "CSAFPID-268971"
                    }
                  }
                ],
                "category": "product_version",
                "name": "9.2"
              },
              {
                "branches": [
                  {
                    "category": "service_pack",
                    "name": "9.3(1)",
                    "product": {
                      "name": "9.3(1)",
                      "product_id": "CSAFPID-265568"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "9.3(2)",
                    "product": {
                      "name": "9.3(2)",
                      "product_id": "CSAFPID-271405"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "9.3(3)",
                    "product": {
                      "name": "9.3(3)",
                      "product_id": "CSAFPID-274557"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "9.3(1z)",
                    "product": {
                      "name": "9.3(1z)",
                      "product_id": "CSAFPID-276381"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "9.3(4)",
                    "product": {
                      "name": "9.3(4)",
                      "product_id": "CSAFPID-277347"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "9.3(5)",
                    "product": {
                      "name": "9.3(5)",
                      "product_id": "CSAFPID-278882"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "9.3(5w)",
                    "product": {
                      "name": "9.3(5w)",
                      "product_id": "CSAFPID-280940"
                    }
                  }
                ],
                "category": "product_version",
                "name": "9.3"
              },
              {
                "branches": [
                  {
                    "category": "service_pack",
                    "name": "10.2(3v)",
                    "product": {
                      "name": "10.2(3v)",
                      "product_id": "CSAFPID-300117"
                    }
                  }
                ],
                "category": "product_version",
                "name": "10.2"
              },
              {
                "branches": [
                  {
                    "category": "service_pack",
                    "name": "10.3(99w)",
                    "product": {
                      "name": "10.3(99w)",
                      "product_id": "CSAFPID-299969"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "10.3(3w)",
                    "product": {
                      "name": "10.3(3w)",
                      "product_id": "CSAFPID-300516"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "10.3(99x)",
                    "product": {
                      "name": "10.3(99x)",
                      "product_id": "CSAFPID-300517"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "10.3(3o)",
                    "product": {
                      "name": "10.3(3o)",
                      "product_id": "CSAFPID-300741"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "10.3(3p)",
                    "product": {
                      "name": "10.3(3p)",
                      "product_id": "CSAFPID-300942"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "10.3(3q)",
                    "product": {
                      "name": "10.3(3q)",
                      "product_id": "CSAFPID-301106"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "10.3(3x)",
                    "product": {
                      "name": "10.3(3x)",
                      "product_id": "CSAFPID-301289"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "10.3(4g)",
                    "product": {
                      "name": "10.3(4g)",
                      "product_id": "CSAFPID-301720"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "10.3(3r)",
                    "product": {
                      "name": "10.3(3r)",
                      "product_id": "CSAFPID-302643"
                    }
                  },
                  {
                    "category": "service_pack",
                    "name": "10.3(4h)",
                    "product": {
                      "name": "10.3(4h)",
                      "product_id": "CSAFPID-302884"
                    }
                  }
                ],
                "category": "product_version",
                "name": "10.3"
              }
            ],
            "category": "product_family",
            "name": "Cisco NX-OS Software"
          },
          {
            "category": "product_name",
            "name": "Cisco Nexus 3000 Series Switches",
            "product": {
              "name": "Cisco Nexus 3000 Series Switches",
              "product_id": "CSAFPID-265091"
            }
          },
          {
            "category": "product_name",
            "name": "Cisco Nexus 9000 Series Switches",
            "product": {
              "name": "Cisco Nexus 9000 Series Switches",
              "product_id": "CSAFPID-265096"
            }
          }
        ],
        "category": "vendor",
        "name": "Cisco"
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 7.0(3)F3(1) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-239632:265091"
        },
        "product_reference": "CSAFPID-239632",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 7.0(3)F3(1) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-239632:265096"
        },
        "product_reference": "CSAFPID-239632",
        "relates_to_product_reference": "CSAFPID-265096"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 7.0(3)F3(2) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-239633:265091"
        },
        "product_reference": "CSAFPID-239633",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 7.0(3)F3(3) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-239634:265091"
        },
        "product_reference": "CSAFPID-239634",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 7.0(3)F3(3) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-239634:265096"
        },
        "product_reference": "CSAFPID-239634",
        "relates_to_product_reference": "CSAFPID-265096"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 7.0(3)F3(3a) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-239635:265091"
        },
        "product_reference": "CSAFPID-239635",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 7.0(3)F3(3a) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-239635:265096"
        },
        "product_reference": "CSAFPID-239635",
        "relates_to_product_reference": "CSAFPID-265096"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 7.0(3)F3(4) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-239636:265091"
        },
        "product_reference": "CSAFPID-239636",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 7.0(3)F3(4) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-239636:265096"
        },
        "product_reference": "CSAFPID-239636",
        "relates_to_product_reference": "CSAFPID-265096"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 7.0(3)F3(3c) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-248790:265091"
        },
        "product_reference": "CSAFPID-248790",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 7.0(3)F3(3c) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-248790:265096"
        },
        "product_reference": "CSAFPID-248790",
        "relates_to_product_reference": "CSAFPID-265096"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 7.0(3)F3(5) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-256529:265091"
        },
        "product_reference": "CSAFPID-256529",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 7.0(3)F3(5) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-256529:265096"
        },
        "product_reference": "CSAFPID-256529",
        "relates_to_product_reference": "CSAFPID-265096"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.2(1) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-248793:265091"
        },
        "product_reference": "CSAFPID-248793",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.2(1) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-248793:265096"
        },
        "product_reference": "CSAFPID-248793",
        "relates_to_product_reference": "CSAFPID-265096"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.2(2) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-265141:265091"
        },
        "product_reference": "CSAFPID-265141",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.2(2) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-265141:265096"
        },
        "product_reference": "CSAFPID-265141",
        "relates_to_product_reference": "CSAFPID-265096"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.2(2t) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-265142:265091"
        },
        "product_reference": "CSAFPID-265142",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.2(3) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-265143:265091"
        },
        "product_reference": "CSAFPID-265143",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.2(3) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-265143:265096"
        },
        "product_reference": "CSAFPID-265143",
        "relates_to_product_reference": "CSAFPID-265096"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.2(3y) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-265144:265091"
        },
        "product_reference": "CSAFPID-265144",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.2(3y) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-265144:265096"
        },
        "product_reference": "CSAFPID-265144",
        "relates_to_product_reference": "CSAFPID-265096"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.2(4) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-267105:265091"
        },
        "product_reference": "CSAFPID-267105",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.2(4) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-267105:265096"
        },
        "product_reference": "CSAFPID-267105",
        "relates_to_product_reference": "CSAFPID-265096"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.2(2v) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-268971:265091"
        },
        "product_reference": "CSAFPID-268971",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.3(1) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-265568:265091"
        },
        "product_reference": "CSAFPID-265568",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.3(1) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-265568:265096"
        },
        "product_reference": "CSAFPID-265568",
        "relates_to_product_reference": "CSAFPID-265096"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.3(2) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-271405:265091"
        },
        "product_reference": "CSAFPID-271405",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.3(2) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-271405:265096"
        },
        "product_reference": "CSAFPID-271405",
        "relates_to_product_reference": "CSAFPID-265096"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.3(3) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-274557:265091"
        },
        "product_reference": "CSAFPID-274557",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.3(3) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-274557:265096"
        },
        "product_reference": "CSAFPID-274557",
        "relates_to_product_reference": "CSAFPID-265096"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.3(1z) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-276381:265096"
        },
        "product_reference": "CSAFPID-276381",
        "relates_to_product_reference": "CSAFPID-265096"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.3(4) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-277347:265091"
        },
        "product_reference": "CSAFPID-277347",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.3(4) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-277347:265096"
        },
        "product_reference": "CSAFPID-277347",
        "relates_to_product_reference": "CSAFPID-265096"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.3(5) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-278882:265091"
        },
        "product_reference": "CSAFPID-278882",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.3(5) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-278882:265096"
        },
        "product_reference": "CSAFPID-278882",
        "relates_to_product_reference": "CSAFPID-265096"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.3(5w) when installed on Cisco Nexus 3000 Series Switches",
          "product_id": "CSAFPID-280940:265091"
        },
        "product_reference": "CSAFPID-280940",
        "relates_to_product_reference": "CSAFPID-265091"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Cisco NX-OS Software 9.3(5w) when installed on Cisco Nexus 9000 Series Switches",
          "product_id": "CSAFPID-280940:265096"
        },
        "product_reference": "CSAFPID-280940",
        "relates_to_product_reference": "CSAFPID-265096"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-1389",
      "ids": [
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCvm55638"
        },
        {
          "system_name": "Cisco Bug ID",
          "text": "CSCvv45698"
        }
      ],
      "notes": [
        {
          "category": "other",
          "text": "Complete.",
          "title": "Affected Product Comprehensiveness"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-5834",
          "CSAFPID-239632:265091",
          "CSAFPID-239632:265096",
          "CSAFPID-239633:265091",
          "CSAFPID-239634:265091",
          "CSAFPID-239634:265096",
          "CSAFPID-239635:265091",
          "CSAFPID-239635:265096",
          "CSAFPID-239636:265091",
          "CSAFPID-239636:265096",
          "CSAFPID-248790:265091",
          "CSAFPID-248790:265096",
          "CSAFPID-248793:265091",
          "CSAFPID-248793:265096",
          "CSAFPID-256529:265091",
          "CSAFPID-256529:265096",
          "CSAFPID-265141:265091",
          "CSAFPID-265141:265096",
          "CSAFPID-265142:265091",
          "CSAFPID-265143:265091",
          "CSAFPID-265143:265096",
          "CSAFPID-265144:265091",
          "CSAFPID-265144:265096",
          "CSAFPID-265568:265091",
          "CSAFPID-265568:265096",
          "CSAFPID-267105:265091",
          "CSAFPID-267105:265096",
          "CSAFPID-268971:265091",
          "CSAFPID-271405:265091",
          "CSAFPID-271405:265096",
          "CSAFPID-274557:265091",
          "CSAFPID-274557:265096",
          "CSAFPID-276381:265096",
          "CSAFPID-277347:265091",
          "CSAFPID-277347:265096",
          "CSAFPID-278882:265091",
          "CSAFPID-278882:265096",
          "CSAFPID-280940:265091",
          "CSAFPID-280940:265096",
          "CSAFPID-299969",
          "CSAFPID-300117",
          "CSAFPID-300516",
          "CSAFPID-300517",
          "CSAFPID-300741",
          "CSAFPID-300942",
          "CSAFPID-301106",
          "CSAFPID-301289",
          "CSAFPID-301720",
          "CSAFPID-302643",
          "CSAFPID-302884"
        ]
      },
      "release_date": "2021-02-03T16:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Cisco has released software updates that address this vulnerability.",
          "product_ids": [
            "CSAFPID-239632:265091",
            "CSAFPID-239632:265096",
            "CSAFPID-239633:265091",
            "CSAFPID-239634:265091",
            "CSAFPID-239634:265096",
            "CSAFPID-239635:265091",
            "CSAFPID-239635:265096",
            "CSAFPID-239636:265091",
            "CSAFPID-239636:265096",
            "CSAFPID-248790:265091",
            "CSAFPID-248790:265096",
            "CSAFPID-248793:265091",
            "CSAFPID-248793:265096",
            "CSAFPID-256529:265091",
            "CSAFPID-256529:265096",
            "CSAFPID-265141:265091",
            "CSAFPID-265141:265096",
            "CSAFPID-265142:265091",
            "CSAFPID-265143:265091",
            "CSAFPID-265143:265096",
            "CSAFPID-265144:265091",
            "CSAFPID-265144:265096",
            "CSAFPID-265568:265091",
            "CSAFPID-265568:265096",
            "CSAFPID-267105:265091",
            "CSAFPID-267105:265096",
            "CSAFPID-268971:265091",
            "CSAFPID-271405:265091",
            "CSAFPID-271405:265096",
            "CSAFPID-274557:265091",
            "CSAFPID-274557:265096",
            "CSAFPID-276381:265096",
            "CSAFPID-277347:265091",
            "CSAFPID-277347:265096",
            "CSAFPID-278882:265091",
            "CSAFPID-278882:265096",
            "CSAFPID-280940:265091",
            "CSAFPID-280940:265096",
            "CSAFPID-299969",
            "CSAFPID-300117",
            "CSAFPID-300516",
            "CSAFPID-300517",
            "CSAFPID-300741",
            "CSAFPID-300942",
            "CSAFPID-301106",
            "CSAFPID-301289",
            "CSAFPID-301720",
            "CSAFPID-302643",
            "CSAFPID-302884",
            "CSAFPID-5834"
          ],
          "url": "https://software.cisco.com"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-5834",
            "CSAFPID-239632:265091",
            "CSAFPID-239632:265096",
            "CSAFPID-239633:265091",
            "CSAFPID-239634:265091",
            "CSAFPID-239634:265096",
            "CSAFPID-239635:265091",
            "CSAFPID-239635:265096",
            "CSAFPID-239636:265091",
            "CSAFPID-239636:265096",
            "CSAFPID-248790:265091",
            "CSAFPID-248790:265096",
            "CSAFPID-248793:265091",
            "CSAFPID-248793:265096",
            "CSAFPID-256529:265091",
            "CSAFPID-256529:265096",
            "CSAFPID-265141:265091",
            "CSAFPID-265141:265096",
            "CSAFPID-265142:265091",
            "CSAFPID-265143:265091",
            "CSAFPID-265143:265096",
            "CSAFPID-265144:265091",
            "CSAFPID-265144:265096",
            "CSAFPID-265568:265091",
            "CSAFPID-265568:265096",
            "CSAFPID-267105:265091",
            "CSAFPID-267105:265096",
            "CSAFPID-268971:265091",
            "CSAFPID-271405:265091",
            "CSAFPID-271405:265096",
            "CSAFPID-274557:265091",
            "CSAFPID-274557:265096",
            "CSAFPID-276381:265096",
            "CSAFPID-277347:265091",
            "CSAFPID-277347:265096",
            "CSAFPID-278882:265091",
            "CSAFPID-278882:265096",
            "CSAFPID-280940:265091",
            "CSAFPID-280940:265096",
            "CSAFPID-299969",
            "CSAFPID-300117",
            "CSAFPID-300516",
            "CSAFPID-300517",
            "CSAFPID-300741",
            "CSAFPID-300942",
            "CSAFPID-301106",
            "CSAFPID-301289",
            "CSAFPID-301720",
            "CSAFPID-302643",
            "CSAFPID-302884"
          ]
        }
      ],
      "title": "Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability"
    }
  ]
}

GHSA-R95G-CCC3-R2M4

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-09-21 00:00

Details

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-1389"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-04T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device. The vulnerability is due to improper processing of IPv6 traffic that is sent through an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 packets that traverse the affected device. A successful exploit could allow the attacker to access resources that would typically be protected by the interface ACL.",
  "id": "GHSA-r95g-ccc3-r2m4",
  "modified": "2022-09-21T00:00:42Z",
  "published": "2022-05-24T17:41:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1389"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2021-1389

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-1389

Aliases

CVE-2021-1389

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-1389",
    "description": "A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device. The vulnerability is due to improper processing of IPv6 traffic that is sent through an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 packets that traverse the affected device. A successful exploit could allow the attacker to access resources that would typically be protected by the interface ACL.",
    "id": "GSD-2021-1389"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-1389"
      ],
      "details": "A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device. The vulnerability is due to improper processing of IPv6 traffic that is sent through an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 packets that traverse the affected device. A successful exploit could allow the attacker to access resources that would typically be protected by the interface ACL.",
      "id": "GSD-2021-1389",
      "modified": "2023-12-13T01:23:22.140993Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "psirt@cisco.com",
        "DATE_PUBLIC": "2021-02-03T16:00:00",
        "ID": "CVE-2021-1389",
        "STATE": "PUBLIC",
        "TITLE": "Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Cisco IOS XR Software ",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Cisco"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device. The vulnerability is due to improper processing of IPv6 traffic that is sent through an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 packets that traverse the affected device. A successful exploit could allow the attacker to access resources that would typically be protected by the interface ACL."
          }
        ]
      },
      "exploit": [
        {
          "lang": "eng",
          "value": "The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. "
        }
      ],
      "impact": {
        "cvss": {
          "baseScore": "5.8",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N ",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-284"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "20210203 Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability",
            "refsource": "CISCO",
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j"
          }
        ]
      },
      "source": {
        "advisory": "cisco-sa-ipv6-acl-CHgdYk8j",
        "defect": [
          [
            "CSCvm55638",
            "CSCvv45698"
          ]
        ],
        "discovery": "INTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:cisco:ios_xr:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "6.6.3",
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:cisco:ios_xr:7.2.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:cisco:ios_xr:7.1.0:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:ncs_540:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  },
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:ncs_560:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  },
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:ncs_5501:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  },
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:ncs_5501-se:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  },
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:ncs_5502:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  },
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:ncs_5502-se:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  },
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:ncs_5508:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  },
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:ncs_5516:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          },
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:cisco:nx-os:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:nexus_9500_r:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  },
                  {
                    "cpe23Uri": "cpe:2.3:h:cisco:nexus_3600:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@cisco.com",
          "ID": "CVE-2021-1389"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A vulnerability in the IPv6 traffic processing of Cisco IOS XR Software and Cisco NX-OS Software for certain Cisco devices could allow an unauthenticated, remote attacker to bypass an IPv6 access control list (ACL) that is configured for an interface of an affected device. The vulnerability is due to improper processing of IPv6 traffic that is sent through an affected device. An attacker could exploit this vulnerability by sending crafted IPv6 packets that traverse the affected device. A successful exploit could allow the attacker to access resources that would typically be protected by the interface ACL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-Other"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20210203 Cisco IOS XR and Cisco NX-OS Software IPv6 Access Control List Bypass Vulnerability",
              "refsource": "CISCO",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.5
        }
      },
      "lastModifiedDate": "2022-09-20T17:03Z",
      "publishedDate": "2021-02-04T17:15Z"
    }
  }
}

CNVD-2021-102369

Vulnerability from cnvd - Published: 2021-12-27

Title

Cisco IOS XR and Cisco NX-OS Software访问控制错误漏洞

Description

Cisco NX-OS Software和Cisco IOS XR都是美国思科（Cisco）公司的产品。Cisco NX-OS Software是一套交换机使用的数据中心级操作系统软件。Cisco IOS XR是一套为其网络设备开发的操作系统。 Cisco IOS XR and Cisco NX-OS Software存在访问控制错误漏洞，攻击者可利用该漏洞访问通常受接口ACL保护的资源。

Severity

中

Patch Name

Cisco IOS XR and Cisco NX-OS Software访问控制错误漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-1389

Impacted products

Name
['Cisco IOS XR', 'Cisco NX-OS Software']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-1389",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-1389"
    }
  },
  "description": "Cisco NX-OS Software\u548cCisco IOS XR\u90fd\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Cisco NX-OS Software\u662f\u4e00\u5957\u4ea4\u6362\u673a\u4f7f\u7528\u7684\u6570\u636e\u4e2d\u5fc3\u7ea7\u64cd\u4f5c\u7cfb\u7edf\u8f6f\u4ef6\u3002Cisco IOS XR\u662f\u4e00\u5957\u4e3a\u5176\u7f51\u7edc\u8bbe\u5907\u5f00\u53d1\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\n\nCisco IOS XR and Cisco NX-OS Software\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u901a\u5e38\u53d7\u63a5\u53e3ACL\u4fdd\u62a4\u7684\u8d44\u6e90\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipv6-acl-CHgdYk8j",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-102369",
  "openTime": "2021-12-27",
  "patchDescription": "Cisco NX-OS Software\u548cCisco IOS XR\u90fd\u662f\u7f8e\u56fd\u601d\u79d1\uff08Cisco\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002Cisco NX-OS Software\u662f\u4e00\u5957\u4ea4\u6362\u673a\u4f7f\u7528\u7684\u6570\u636e\u4e2d\u5fc3\u7ea7\u64cd\u4f5c\u7cfb\u7edf\u8f6f\u4ef6\u3002Cisco IOS XR\u662f\u4e00\u5957\u4e3a\u5176\u7f51\u7edc\u8bbe\u5907\u5f00\u53d1\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\r\n\r\nCisco IOS XR and Cisco NX-OS Software\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8bbf\u95ee\u901a\u5e38\u53d7\u63a5\u53e3ACL\u4fdd\u62a4\u7684\u8d44\u6e90\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cisco IOS XR and Cisco NX-OS Software\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Cisco IOS XR",
      "Cisco NX-OS Software"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-1389",
  "serverity": "\u4e2d",
  "submitTime": "2021-02-04",
  "title": "Cisco IOS XR and Cisco NX-OS Software\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-1389 (GCVE-0-2021-1389)

FKIE_CVE-2021-1389

CISCO-SA-IPV6-ACL-CHGDYK8J

GHSA-R95G-CCC3-R2M4

GSD-2021-1389

CNVD-2021-102369

Tags

Sightings

Nomenclature