Cisco Fixes NGA DoS Issue

Thursday, March 9, 2017 @ 05:03 PM gHale


Cisco released updated software to mitigate a vulnerability in the Stream Control Transmission Protocol (SCTP) decoder for its NetFlow Generation Appliances (NGA).

The flaw (CVE-2017-3826) stems from incomplete validation of SCTP packets and could cause the device to hang or reload unexpectedly, creating a denial of service (DoS) condition.


The vulnerability is in the decoder that inspects SCTP traffic passing over the NGA data ports. An attacker could exploit it by sending malformed SCTP packets across any network segment the NGA data port monitors; the packets do not need to be addressed to the appliance, and SCTP packets sent to the IP address of the NGA itself will not trigger the vulnerability.

A successful exploit could cause the appliance to become unresponsive or reload, resulting in a DoS condition. Manual intervention may be needed to recover the device, using the reboot command from the CLI.
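Cisco's advisory does not say which malformation trips the NGA decoder, so the following Python is an added illustration of the general class of check a passive protocol decoder needs; it is not Cisco's code and not the actual fix. It frames an SCTP packet per RFC 4960 (12-byte common header, then a list of chunks each carrying a type, flags and length) two ways: a naive walker that trusts the chunk length field, which spins on a zero-length chunk and would over-read on an overlong one, and a hardened walker that bounds-checks every length against the bytes actually present. The sample packets are constructed inline for the example, and the naive walker is capped at a hypothetical `max_steps` so the demonstration terminates instead of hanging.

```python
import struct

# SCTP common header: source port, destination port, verification tag, checksum (RFC 4960 §3.1)
COMMON_HDR = struct.Struct("!HHII")
# SCTP chunk header: type, flags, length (RFC 4960 §3.2). The length covers the header
# and value but not the padding that aligns the next chunk to a 4-byte boundary.
CHUNK_HDR = struct.Struct("!BBH")


def pad4(n):
    """Round n up to the next multiple of 4 (chunk alignment)."""
    return (n + 3) & ~3


def walk_chunks_naive(payload, max_steps=10_000):
    """Illustrative decoder that trusts the length field. Returns the number of loop
    iterations performed. A chunk whose length is 0 never advances the offset, so the
    walk spins until max_steps; a real decoder without such a cap simply hangs."""
    off = COMMON_HDR.size
    steps = 0
    while off < len(payload) and steps < max_steps:
        _ctype, _flags, length = CHUNK_HDR.unpack_from(payload, off)
        off += pad4(length)
        steps += 1
    return steps


def walk_chunks_hardened(payload):
    """Decode the chunk list as (type, flags, value) tuples, raising ValueError on any
    inconsistency between the length fields and the bytes actually present."""
    if len(payload) < COMMON_HDR.size:
        raise ValueError("packet shorter than the 12-byte common header")
    chunks = []
    off = COMMON_HDR.size
    while off < len(payload):
        if len(payload) - off < CHUNK_HDR.size:
            raise ValueError(f"truncated chunk header at offset {off}")
        ctype, flags, length = CHUNK_HDR.unpack_from(payload, off)
        if length < CHUNK_HDR.size:
            # Lengths 0..3 are illegal; a zero length would never advance the walk.
            raise ValueError(f"chunk length {length} below minimum at offset {off}")
        if off + length > len(payload):
            raise ValueError(f"chunk length {length} at offset {off} exceeds packet")
        chunks.append((ctype, flags, payload[off + CHUNK_HDR.size:off + length]))
        off += pad4(length)
    return chunks


def validate(payload):
    """Return None if the packet decodes cleanly, otherwise the error message."""
    try:
        walk_chunks_hardened(payload)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample packets for this example (not captures from any real deployment).
# The checksum field is left zero; CRC32c verification is outside this illustration.
_HDR = COMMON_HDR.pack(5000, 5001, 0x11223344, 0)

# Well-formed: a single INIT chunk (type 1) with its 16 fixed bytes.
GOOD_INIT = _HDR + CHUNK_HDR.pack(1, 0, 20) + struct.pack("!IIHHI", 0xDEADBEEF, 65535, 10, 10, 1)

# Well-formed: a DATA chunk (type 0, B|E flags) carrying 1 byte of user data (length 17,
# padded to 20 on the wire) followed by a COOKIE ACK (type 11), which has no value.
GOOD_TWO = (_HDR
            + CHUNK_HDR.pack(0, 0x03, 17) + struct.pack("!IHHI", 1, 0, 0, 0) + b"A" + b"\x00" * 3
            + CHUNK_HDR.pack(11, 0, 4))

# Malformed: chunk length field 0, the classic way to make a length-driven loop spin.
BAD_ZERO_LENGTH = _HDR + CHUNK_HDR.pack(1, 0, 0) + b"\x00" * 16

# Malformed: chunk claims 100 bytes but only 8 follow the chunk header.
BAD_OVERLONG = _HDR + CHUNK_HDR.pack(0, 0, 100) + b"\x00" * 8


if __name__ == "__main__":
    for name, pkt in [("GOOD_INIT", GOOD_INIT), ("GOOD_TWO", GOOD_TWO),
                      ("BAD_ZERO_LENGTH", BAD_ZERO_LENGTH), ("BAD_OVERLONG", BAD_OVERLONG)]:
        print(f"{name:16} hardened: {validate(pkt) or 'ok':45} naive steps: {walk_chunks_naive(pkt)}")
```

A decoder fed from a SPAN or tap port sees whatever crosses the segment, so every length field has to be treated as attacker-controlled: check it against the remaining bytes before using it to advance or to slice, and reject lengths that cannot advance the walk. The hardened walker above does only that and ignores semantics such as chunk ordering or the CRC32c checksum, which a real decoder would also verify.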

Cisco released software updates that address this vulnerability. There are no workarounds.

Cisco issued an advisory on the issue.

The following Cisco NetFlow Generation Appliances are vulnerable:
• NGA 3140
• NGA 3240
• NGA 3340

Cisco NetFlow Generation Appliance Software can be downloaded from the Software Center on Cisco.com by navigating to Products > Cloud and Systems Management > Routing and Switching Management > NetFlow Generation 3000 Series Appliances.

There will be no fixed release for the NGA 3140 because that platform reached its end-of-software-maintenance milestone on January 11, 2014; with no workaround available, that model remains exposed.

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability.
