Cisco NX-OS Software 802.1X Extensible Authentication Protocol over LAN Denial of Service Vulnerability

Vulnerability

The vulnerability (CVE-2019-1594) resides in the 802.1X implementation for Cisco NX-OS Software. It is caused by incomplete input validation of Extensible Authentication Protocol over LAN (EAPOL) frames. An unauthenticated, adjacent attacker can trigger a denial of service (DoS) condition. The affected products include Cisco Nexus 1000V Switch for VMware vSphere (versions prior to 5.2(1)SV3(1.4b)), Nexus 3000 Series (prior to 7.0(3)I7(4)), Nexus 3500 Platform (prior to 7.0(3)I7(4)), Nexus 2000, 5500, 5600, and 6000 Series (prior to 7.3(5)N1(1) and 7.1(5)N1(1b)), Nexus 7000 and 7700 Series (prior to 8.2(3)), Nexus 9000 Series Fabric Switches in ACI Mode (prior to 13.2(1l)), and Nexus 9000 Series in Standalone NX-OS Mode (prior to 7.0(3)I7(4)). The vulnerability only affects devices with 802.1X functionality enabled [1].

Exploitation

An attacker must be adjacent (i.e., within the same Layer 2 broadcast domain) to the targeted device and does not require authentication. The exploit involves sending a single crafted EAPOL frame to an interface on the affected switch. The incorrect parsing of this frame causes the Layer 2 (L2) forwarding process to restart repeatedly, leading to a system-level restart [1].

Impact

Successful exploitation results in a denial of service (DoS) condition, as the device experiences repeated process restarts and may fully reboot. This causes network disruption while the switch is unavailable. The attacker does not gain any elevated privileges or access to data; the impact is purely availability [1].

Mitigation

Cisco has released fixed software versions for all affected products as listed in the advisory. Customers should upgrade to the appropriate fixed release for their platform. No workarounds are available, and the fix is included in regular software maintenance releases. The vulnerability is not known to be in the CISA KEV catalog [1].