CVE-2021-1588

8.6 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

📋 TL;DR

An unauthenticated, remote attacker can send crafted MPLS echo request packets to a Cisco NX-OS device that has the MPLS OAM feature enabled. The flaw is improper handling of specific MPLS echo request packets: a successful exploit crashes the MPLS OAM process, and after it crashes and restarts repeatedly the device reloads, causing a denial of service. MPLS OAM is not enabled by default, so only devices on which it has been explicitly turned on (see Affected Systems) are exposed.

💻 Affected Systems

Products:
  • Cisco Nexus 3000 Series Switches
  • Cisco Nexus 9000 Series Switches in NX-OS mode
  • Cisco Nexus 9500 R-Series Line Cards and Fabric Modules
  • Cisco MDS 9000 Series Multilayer Switches
Versions: NX-OS releases before the first fixed release of each train; this page quotes 9.3(9) and 10.2(4), but confirm the first fixed release for your platform and train in the advisory's Fixed Software section or with the Cisco Software Checker
Operating Systems: Cisco NX-OS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the MPLS OAM feature (feature mpls oam) is enabled and the device receives MPLS echo request packets on an MPLS-enabled interface; the feature is disabled by default

📦 What is this software?

Cisco NX-OS is the network operating system of the Nexus data-center switching platforms. Its MPLS OAM feature implements LSP ping and LSP traceroute (RFC 8029): a router sends MPLS echo request packets along a label-switched path (UDP port 3503, addressed to a 127/8 destination so that the receiving router must punt the packet to its control plane) and the far end answers with echo replies. The process that receives and parses those echo requests is the one this CVE crashes.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Repeated device reloads for as long as the attacker keeps sending crafted echo requests after each restart, i.e. a sustained outage of the affected switch and of every path that depends on it

🟠

Likely Case

Device reload causing temporary network outage until device restarts

🟢

If Mitigated

No impact if MPLS OAM is disabled or device is patched

🌐 Internet-Facing: MEDIUM - The packets must arrive on an MPLS-enabled interface of the target, and MPLS forwarding is almost always confined to a provider core or an internal fabric rather than exposed to the Internet
🏢 Internal Only: HIGH - Any device that can deliver labeled packets to an MPLS-enabled interface (a peer LSR, or a compromised router inside the MPLS domain) can trigger the reload

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack requires only sending crafted MPLS echo request packets to an MPLS-enabled interface of a device with MPLS OAM enabled; no credentials, session, or user interaction are needed. The advisory does not describe the malformed packet contents, and no public proof of concept is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: NX-OS 9.3(9), 10.2(4), and specific releases in other trains as quoted on this page; the first fixed release differs per platform and train, so look it up in the advisory's Fixed Software table or with the Cisco Software Checker before scheduling the upgrade

Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-mpls-oam-dos-sGO9x5GM

Restart Required: Yes

Instructions:

1. Record the running release (show version) and check whether feature mpls oam is present in the running configuration; devices without it are not affected and can be upgraded on the normal schedule.
2. Look up the first fixed release for the device's platform and release train in the advisory's Fixed Software section or the Cisco Software Checker, and download that image from Cisco.
3. Follow the NX-OS upgrade procedure for the platform (install all, or ISSU where the platform and release pair support it).
4. Reload the device (or let the upgrade do so) and confirm the new release with show version.

🔧 Temporary Workarounds

Disable MPLS OAM

Disable the MPLS OAM feature on devices that do not need LSP ping/traceroute. On NX-OS the feature is turned on with feature mpls oam, so the workaround removes it. Removing the feature also removes its configuration and stops the device answering LSP ping/traceroute from other routers, so check that no monitoring or troubleshooting runbook depends on it.

configure terminal
no feature mpls oam
end
show running-config | include mpls oam

Access Control Lists

An interface ACL can restrict who may send LSP ping probes, with two caveats. First, MPLS echo requests arrive MPLS-encapsulated; an IP ACL applied with ip access-group on the ingress interface evaluates IP packets and is generally not applied to labeled packets before the MPLS OAM code sees them. Treat the ACL as defense in depth for unlabeled IP traffic to the device, not as a substitute for disabling the feature or patching. Second, a blanket deny of UDP/3503 also breaks legitimate LSP ping and traceroute from your own routers, so permit known peers first.

configure terminal
ip access-list ACL_MPLS_OAM
  permit udp [trusted-source-prefix] any eq 3503
  deny udp any any eq 3503
  permit ip any any
interface [interface]
  ip access-group ACL_MPLS_OAM in

🧯 If You Can't Patch

  • Disable the MPLS OAM feature (no feature mpls oam) wherever LSP ping/traceroute is not actually used; it is off by default, so an enabled feature with no documented consumer is a candidate for removal
  • Restrict which devices can inject traffic into the MPLS domain: MPLS echo requests are only legitimate between LSRs and from management stations, so segment MPLS-enabled interfaces from user and server networks and keep the list of legitimate LSP ping sources small and known, so that anomalous echo requests stand out in monitoring

🔍 How to Verify

Check if Vulnerable:

A device is affected only if both conditions hold: it runs a release before the first fixed release of its train, and feature mpls oam is present in the running configuration.

Check Version:

show version | include version

On Nexus 9000/3000 the release appears on the NXOS: version line (older images print system: version). A filter on NX-OS, as in show version | include NX-OS, typically matches only the banner line and not the release.

Check MPLS OAM Status:

show running-config | include mpls
show feature | include mpls

Verify Fix Applied:

Confirm with show version that the running release is at or above the first fixed release for the platform's train. After the upgrade, check show system reset-reason and show cores for any further MPLS OAM service crashes or HA-policy resets; a patched device should process LSP ping/traceroute from its peers without crashing.
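As an added example (not from this page or from Cisco), a Python checker that applies the two tests above to saved command output: it parses the release from show version, checks the running configuration for feature mpls oam, and compares the release against a per-train table of first fixed releases. The sample outputs are constructed; the first-fixed table is a placeholder to be filled from the advisory's Fixed Software section (the 9.3 entry repeats the release quoted on this page and is not independently verified); the version-string parser assumes the 9.3(7a) and 7.0(3)I7(9) formats.

```python
import re

# Version line of "show version" on NX-OS. Nexus 9000/3000 images print
# "NXOS: version 9.3(7a)"; older images print "system: version 7.0(3)I7(9)".
_VERSION_RE = re.compile(r"^\s*(?:NXOS|system):\s+version\s+(\S+)", re.MULTILINE)
_TOKEN_RE = re.compile(r"\d+|[A-Za-z]+")

# Constructed sample output (modeled on real NX-OS output, not captured from a device).
SAMPLE_SHOW_VERSION = """\
Cisco Nexus Operating System (NX-OS) Software
Software
  BIOS: version 07.69
  NXOS: version 9.3(7a)
"""
SAMPLE_RUNNING_CONFIG = """\
feature mpls segment-routing
feature mpls oam
interface Ethernet1/1
  mpls ip forwarding
"""
# Illustrative placeholder only: fill this from the "Fixed Software" table of the
# Cisco advisory for each train you run. The 9.3 value repeats the release quoted
# on this page and has not been independently verified.
EXAMPLE_FIRST_FIXED = {"9.3": "9.3(9)"}


def version_key(version):
    """Sortable key for an NX-OS version string.

    '9.3(7a)' -> ((0,9),(0,3),(0,7),(1,'a')), so that 9.3(7) < 9.3(7a) < 9.3(8)
    and 7.0(3)I7(9) < 7.0(3)I7(10). Numbers sort before letters; a missing
    rebuild suffix compares lower than a present one because the tuple is shorter.
    """
    return tuple(
        (0, int(tok)) if tok.isdigit() else (1, tok.lower())
        for tok in _TOKEN_RE.findall(version)
    )


def train(version):
    """Release train = first two numeric components, e.g. '9.3' or '10.2'."""
    nums = [int(t) for t in _TOKEN_RE.findall(version) if t.isdigit()]
    return f"{nums[0]}.{nums[1]}"


def running_version(show_version_output):
    m = _VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("no NX-OS version line found in show version output")
    return m.group(1)


def mpls_oam_enabled(running_config_output):
    """True when 'feature mpls oam' appears in 'show running-config' output."""
    return any(line.strip() == "feature mpls oam"
               for line in running_config_output.splitlines())


def assess(show_version_output, running_config_output, first_fixed_by_train):
    """Combine both checks. 'fixed' is None when the train is not in the table,
    because comparing releases across trains (9.3 vs 10.2) is meaningless."""
    version = running_version(show_version_output)
    t = train(version)
    fixed = None
    if t in first_fixed_by_train:
        fixed = version_key(version) >= version_key(first_fixed_by_train[t])
    exposed = mpls_oam_enabled(running_config_output)
    return {
        "version": version,
        "train": t,
        "mpls_oam_enabled": exposed,
        "fixed": fixed,
        # Vulnerable only when the feature is on AND the release is known-unfixed.
        "vulnerable": exposed and fixed is False,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG, EXAMPLE_FIRST_FIXED))
```

Feed it the two command outputs collected by whatever you already use for configuration backups; a device whose train is missing from the table is reported as "fixed: None" rather than silently passed, which is the case a fleet-wide sweep most often gets wrong.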

📡 Detection & Monitoring

Log Indicators:

  • %SYSMGR-2-SERVICE_CRASHED messages for the MPLS OAM service (the service name as it appears in your logs, typically mpls_oam), especially several in a short window with a different PID each time: sysmgr restarts the service after each crash, and the reload follows repeated crashes
  • A reload whose show system reset-reason output cites the system manager's HA policy (Reset triggered due to HA policy of Reset) with the MPLS OAM service named
  • Core files listed by show cores for that service, and any unexplained restart of a device that has feature mpls oam configured

Network Indicators:

  • MPLS echo request packets (MPLS-encapsulated IPv4/UDP to destination port 3503, destination address in 127/8, Router Alert option) arriving from sources that are not known LSRs or management stations
  • Echo requests at an unusual rate, or toward a device where LSP ping is never run, and echo requests with no matching echo reply (the target crashed instead of answering)
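To make the network indicator concrete, here is an added Python example (not part of this page or of any Cisco tooling) that parses an Ethernet/MPLS/IPv4/UDP frame, walks the label stack to the bottom-of-stack bit, and classifies LSP ping echo requests and replies by UDP port 3503 as RFC 8029 defines them. The frame builder constructs a well-formed probe shape for testing the parser only; it does not reproduce the crafted packet, which the advisory does not describe. Ethernet addresses, label values and IP addresses are arbitrary.

```python
import struct

ETHERTYPE_MPLS = 0x8847   # MPLS unicast
ETHERTYPE_IPV4 = 0x0800
LSP_PING_PORT = 3503      # UDP port for MPLS echo request/reply (RFC 8029)


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def _checksum(data):
    """Standard ones'-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def build_lsp_ping_frame(labels=(16,), src_ip="10.0.0.1", dst_ip="127.0.0.1",
                         sport=50000, dport=LSP_PING_PORT):
    """Constructed sample frame: Ethernet / MPLS label stack / IPv4 / UDP.
    The IPv4 header follows the RFC 8029 conventions for an echo request:
    destination in 127/8, TTL 1 and a Router Alert option (IHL = 6). The UDP
    payload is a zero-filled placeholder, not a real echo message."""
    payload = b"\x00" * 32
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ra_option = b"\x94\x04\x00\x00"               # Router Alert, 4 bytes
    ihl = 5 + len(ra_option) // 4
    total_len = ihl * 4 + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234, 0,
                     1, 17, 0, _ip(src_ip), _ip(dst_ip)) + ra_option
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    # Label entry: label(20) | TC(3) | S(1) | TTL(8); S set on the last label.
    stack = b"".join(
        struct.pack("!I", (label << 12) | ((1 << 8) if i == len(labels) - 1 else 0) | 255)
        for i, label in enumerate(labels)
    )
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_MPLS)
    return eth + stack + ip + udp


def classify_frame(frame):
    """Return a dict describing an LSP ping packet, or None for anything else.
    The label stack is walked until the bottom-of-stack (S) bit; this is why an
    IP ACL on the ingress interface does not see these packets as 'IP to
    UDP/3503': the IP header sits behind one or more labels."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off, labels = 14, []
    if ethertype == ETHERTYPE_MPLS:
        while True:
            if off + 4 > len(frame):
                return None
            entry = struct.unpack_from("!I", frame, off)[0]
            labels.append(entry >> 12)
            off += 4
            if entry & 0x100:           # S bit: last label, IP header follows
                break
    elif ethertype != ETHERTYPE_IPV4:
        return None
    if off + 20 > len(frame) or frame[off] >> 4 != 4:
        return None
    ihl = (frame[off] & 0x0F) * 4      # options (Router Alert) make this 24
    proto = frame[off + 9]
    dst = frame[off + 16:off + 20]
    if proto != 17 or off + ihl + 8 > len(frame):
        return None
    sport, dport = struct.unpack_from("!HH", frame, off + ihl)
    if dport == LSP_PING_PORT:
        kind = "echo-request"
    elif sport == LSP_PING_PORT:
        kind = "echo-reply"
    else:
        return None
    return {
        "kind": kind,
        "labels": labels,
        "dst_ip": ".".join(str(b) for b in dst),
        "loopback_dst": dst[0] == 127,   # RFC 8029 echo requests target 127/8
        "ttl": frame[off + 8],
    }


def count_lsp_pings(frames):
    """Per-kind tally over a capture: the input to a rate or source-based alert."""
    counts = {"echo-request": 0, "echo-reply": 0}
    for f in frames:
        r = classify_frame(f)
        if r:
            counts[r["kind"]] += 1
    return counts
```

Run classify_frame over frames from a SPAN session or a pcap of an MPLS-enabled link and compare the echo-request sources and counts against the known LSP ping peers; an echo request whose labels terminate on the switch but whose source is not a peer LSR is the event worth paging on.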

SIEM Query:

source="nxos" AND "SYSMGR-2-SERVICE_CRASHED" AND ("mpls_oam" OR "MPLS OAM")

Alert on a count of three or more matches for the same host within ten minutes rather than on a single hit: a single crash of any service happens for reasons other than this CVE, while repeated crash/restart cycles of the MPLS OAM service are the pattern that precedes the reload. Pair it with a separate rule on reload events (reset-reason citing the HA policy) so that a reload caused by the crash loop is still caught if the crash messages were lost during the restart.
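The same logic as a script, added here and not taken from the page: it parses NX-OS SYSMGR crash messages from syslog and raises an alert when the MPLS OAM service crashes repeatedly on one host. The log lines are constructed, and the service name mpls_oam is an assumption to confirm against your own logs.

```python
import re
from datetime import datetime, timedelta

# NX-OS SYSMGR reports a service crash as, for example:
#   2021 Aug 25 10:15:32 nx9k-1 %SYSMGR-2-SERVICE_CRASHED: Service "mpls_oam" (PID 9876) hasn't caught signal 11 (core will be saved).
# The PID differs on every line because sysmgr restarts the service after each crash.
CRASH_RE = re.compile(
    r'^(?P<ts>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'%SYSMGR-2-SERVICE_CRASHED: Service "(?P<svc>[^"]+)" \(PID (?P<pid>\d+)\) '
    r"hasn't caught signal (?P<sig>\d+)"
)

# Assumption: the MPLS OAM service is logged as "mpls_oam"; confirm the exact
# name against `show processes` or your own logs before deploying the rule.
MPLS_OAM_SERVICE = "mpls_oam"

# Constructed sample log (not captured from a real device): three crashes of the
# MPLS OAM service within four minutes on nx9k-1, one unrelated crash on nx9k-2,
# and ordinary noise.
SAMPLE_LOG = [
    '2021 Aug 25 10:15:32 nx9k-1 %SYSMGR-2-SERVICE_CRASHED: Service "mpls_oam" (PID 9876) hasn\'t caught signal 11 (core will be saved).',
    '2021 Aug 25 10:15:40 nx9k-1 %ETHPORT-5-IF_UP: Interface Ethernet1/7 is up',
    '2021 Aug 25 10:17:05 nx9k-1 %SYSMGR-2-SERVICE_CRASHED: Service "mpls_oam" (PID 9911) hasn\'t caught signal 11 (core will be saved).',
    '2021 Aug 25 10:18:50 nx9k-2 %SYSMGR-2-SERVICE_CRASHED: Service "snmpd" (PID 4410) hasn\'t caught signal 6 (core will be saved).',
    '2021 Aug 25 10:19:21 nx9k-1 %SYSMGR-2-SERVICE_CRASHED: Service "mpls_oam" (PID 9950) hasn\'t caught signal 11 (core will be saved).',
]


def parse_crashes(lines, service=MPLS_OAM_SERVICE):
    """Return (host, timestamp, pid) for every crash of `service`."""
    events = []
    for line in lines:
        m = CRASH_RE.match(line)
        if m and m.group("svc") == service:
            ts = datetime.strptime(m.group("ts"), "%Y %b %d %H:%M:%S")
            events.append((m.group("host"), ts, int(m.group("pid"))))
    return events


def crash_storms(events, threshold=3, window=timedelta(minutes=10)):
    """Alert per host when `threshold` crashes fall inside `window`.
    One crash can be an unrelated bug; repeated crash/restart cycles are what
    precede the HA-policy reload described in the advisory."""
    by_host = {}
    for host, ts, _pid in sorted(events, key=lambda e: e[1]):
        by_host.setdefault(host, []).append(ts)
    alerts = []
    for host, times in by_host.items():
        for i in range(len(times) - threshold + 1):
            last = times[i + threshold - 1]
            if last - times[i] <= window:
                alerts.append({"host": host, "first": times[i], "last": last, "count": threshold})
                break
    return alerts


if __name__ == "__main__":
    for a in crash_storms(parse_crashes(SAMPLE_LOG)):
        print(f"{a['host']}: {a['count']} MPLS OAM crashes between {a['first']} and {a['last']}")
```

The threshold and window are the same ones suggested for the SIEM rule; tune them to how many restarts your platform's HA policy tolerates before it resets the device, which you can read off an existing show system reset-reason history if you have one.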

🔗 References

  • Cisco Security Advisory cisco-sa-nxos-mpls-oam-dos-sGO9x5GM: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-mpls-oam-dos-sGO9x5GM
  • NVD entry for CVE-2021-1588: https://nvd.nist.gov/vuln/detail/CVE-2021-1588
  • RFC 8029, Detecting Multiprotocol Label Switched (MPLS) Data-Plane Failures (LSP ping): https://www.rfc-editor.org/rfc/rfc8029
