CVE-2019-1804

9.8 CRITICAL

📋 TL;DR

A critical vulnerability in Cisco Nexus 9000 Series switches running in ACI Mode allows an unauthenticated remote attacker to gain root access via SSH over IPv6, because all affected devices ship with the same default SSH key pair. Any organization running vulnerable Nexus 9000 Series switches in ACI Mode is affected. Only IPv6 connections are exploitable; IPv4 is not vulnerable.

💻 Affected Systems

Products:
  • Cisco Nexus 9000 Series Switches
Versions: All versions prior to 14.0(1h)
Operating Systems: Cisco NX-OS in ACI Mode
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects switches running in Application Centric Infrastructure (ACI) Mode. IPv6 must be enabled and accessible for exploitation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the network switch with root privileges, enabling network disruption, data exfiltration, and lateral movement to other systems.

🟠

Likely Case

Unauthorized root access to the switch, allowing configuration changes, traffic interception, and persistence on the network.

🟢

If Mitigated

Limited impact if IPv6 is disabled or proper network segmentation isolates the switch from untrusted networks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the default SSH key material, which is identical across all affected devices, and an IPv6 path to the switch's SSH service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.0(1h) and later

Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-nexus9k-sshkey

Restart Required: Yes

Instructions:

1. Download the fixed software version from Cisco.
2. Upgrade the switch to version 14.0(1h) or later.
3. Reboot the switch to apply the update.

🔧 Temporary Workarounds

Disable IPv6

Prevents exploitation by disabling IPv6 connectivity to the switch, as the vulnerability is only exploitable over IPv6.

no ipv6 enable

Restrict SSH Access

Limit SSH connections to trusted IPv6 addresses using an IPv6 access control list (ACL). The list below permits SSH (TCP/22) only from the trusted host, drops SSH from everyone else, and leaves other IPv6 traffic on the interface untouched.

ipv6 access-list SSH-ACL
  10 permit tcp host <trusted_ip> any eq 22
  20 deny tcp any any eq 22
  30 permit ipv6 any any
interface <interface>
  ipv6 traffic-filter SSH-ACL in

🧯 If You Can't Patch

  • Disable IPv6 on the switch to block the attack vector.
  • Implement strict network segmentation to isolate the switch from untrusted networks.

🔍 How to Verify

Check if Vulnerable:

Run 'show version' and check whether the release is below 14.0(1h); also confirm that the switch is running in ACI Mode, since standalone NX-OS mode is not affected.

Check Version:

show version

Verify Fix Applied:

After patching, run 'show version' to confirm the version is 14.0(1h) or later. Test SSH access over IPv6 to ensure it is no longer vulnerable.
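As an added helper (not from this page or from Cisco), the check below extracts the ACI release string from 'show version' output and compares it with the fixed release 14.0(1h). The sample output lines are constructed; the exact layout of the real command output is an assumption, and only the 'major.minor(maintenanceLetter)' token matters for the comparison.

```python
import re

# Fixed release named in the advisory for CVE-2019-1804 (ACI Mode).
FIXED_VERSION = "14.0(1h)"

# ACI release strings look like "14.0(1h)": major.minor(maintenance + patch letter).
# The patch letter is optional; a missing letter sorts before "a" (assumption).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)([a-z]*)\)")

# Constructed sample of the relevant 'show version' lines (layout is an assumption).
SAMPLE_VULNERABLE = "Software\n  kickstart: version 14.0(1g)\n  system:    version 14.0(1g)\n"
SAMPLE_FIXED = "Software\n  kickstart: version 14.0(1h)\n  system:    version 14.0(1h)\n"


def parse_version(text):
    """Return a comparable tuple (major, minor, maint, patch) from the first
    release string found in `text`, or None if no release string is present."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, maint, patch = match.groups()
    # Integers first, then the patch letter, so 14.0(1g) < 14.0(1h) < 14.1(1i).
    return (int(major), int(minor), int(maint), patch)


def is_vulnerable(show_version_output, aci_mode=True):
    """True when an ACI Mode switch runs a release older than FIXED_VERSION.
    Standalone NX-OS mode is out of scope for this CVE, so aci_mode=False
    always returns False."""
    if not aci_mode:
        return False
    found = parse_version(show_version_output)
    if found is None:
        raise ValueError("no release string found in show version output")
    return found < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    for label, output in (("sample A", SAMPLE_VULNERABLE), ("sample B", SAMPLE_FIXED)):
        state = "VULNERABLE" if is_vulnerable(output) else "fixed"
        print(f"{label}: {parse_version(output)} -> {state}")
```

Feed the function the captured output of 'show version' from each ACI leaf and spine; the ACI Mode check itself still has to be confirmed separately.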

📡 Detection & Monitoring

Log Indicators:

  • Unexpected SSH login attempts from unknown or untrusted IPv6 addresses
  • SSH authentication log entries (successful or failed) for the root account

Network Indicators:

  • SSH connections over IPv6 to the switch from untrusted sources
  • Unusual network traffic patterns from the switch

SIEM Query:

source="switch_logs" AND (event="SSH login" OR event="authentication") AND (src_ip=IPv6:* AND dest_ip=switch_ip)
