CVE-2023-20168
📋 TL;DR
An unauthenticated local attacker can cause Cisco NX-OS devices to crash and reload by entering a crafted string at the login prompt when TACACS+ or RADIUS remote authentication is configured with the directed request option enabled. This vulnerability affects Cisco NX-OS devices running vulnerable software versions with specific authentication configurations.
💻 Affected Systems
- Cisco NX-OS Software
📦 What is this software?
NX-OS by Cisco
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service as the device crashes and reboots, disrupting all network services until recovery.
Likely Case
Service disruption during device reboot, potentially causing network outages and operational impact.
If Mitigated
No impact if directed request option is disabled or proper access controls prevent local access to login prompts.
🎯 Exploit Status
Exploitation requires local access to the device's login prompt and the directed request option to be enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Cisco advisory for fixed releases
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-remoteauth-dos-XB6pv74m
Restart Required: Yes
Instructions:
1. Check the current NX-OS version.
2. Review the Cisco advisory for fixed releases.
3. Upgrade to the recommended fixed release.
4. Reboot the device after the upgrade.
🔧 Temporary Workarounds
Disable directed request option
Disable the directed request option for TACACS+ and RADIUS authentication
no tacacs-server directed-request
no radius-server directed-request
Restrict access to login prompts
Implement access control lists to restrict who can reach the device's remote login interfaces (NX-OS syntax; a VTY access-class only covers SSH/Telnet sessions, so the physical console prompt still needs physical access controls)
ip access-list LOGIN-RESTRICT
  10 permit ip host <trusted_ip> any
  20 deny ip any any
line vty
  access-class LOGIN-RESTRICT in
🧯 If You Can't Patch
- Disable the directed request option for TACACS+ and RADIUS authentication
- Implement strict network segmentation and access controls to prevent unauthorized access to device login prompts
🔍 How to Verify
Check if Vulnerable:
Check whether the directed request option is enabled: 'show running-config | include directed-request'. Any 'tacacs-server directed-request' or 'radius-server directed-request' line in the output means the option is on for that protocol.
Check Version:
show version | include Software
Verify Fix Applied:
Verify upgrade to fixed version: 'show version' and confirm directed request option is disabled
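An added verification helper (not from the Cisco advisory or this page) that parses saved 'show running-config' output and reports whether directed-request is enabled for a protocol that is actually used for login, then emits the matching 'no ... directed-request' commands. It assumes the NX-OS command forms shown on this page and uses a constructed sample config.

```python
import re

# Constructed sample of NX-OS 'show running-config' output (placeholder values, not a real device).
SAMPLE_CONFIG = """\
version 9.3(5)
hostname nxos-core-1
tacacs-server host 10.0.0.5 key 7 "placeholder"
tacacs-server directed-request
aaa group server tacacs+ TAC-GROUP
  server 10.0.0.5
aaa authentication login default group TAC-GROUP local
radius-server host 10.0.0.6 key 7 "placeholder"
"""

# 'tacacs-server directed-request' / 'radius-server directed-request' lines (only present when enabled).
DIRECTED_REQ = re.compile(r"^(tacacs|radius)-server directed-request\s*$", re.M)
# 'aaa group server tacacs+ NAME' / 'aaa group server radius NAME' server-group definitions.
SERVER_GROUP = re.compile(r"^aaa group server (tacacs\+|radius) (\S+)", re.M)
# Login method lists for the default (remote) and console prompts that reference server groups.
LOGIN_METHOD = re.compile(r"^aaa authentication login (?:default|console) group (.+?)\s*$", re.M)


def assess_config(config: str) -> dict:
    """Report which protocols have directed-request on and which of them handle login."""
    directed = {m.group(1) for m in DIRECTED_REQ.finditer(config)}
    # Map each server-group name to its protocol ('tacacs' or 'radius').
    groups = {name: proto.rstrip("+") for proto, name in SERVER_GROUP.findall(config)}
    login_groups = set()
    for m in LOGIN_METHOD.finditer(config):
        login_groups.update(m.group(1).split())  # e.g. 'TAC-GROUP local' -> both tokens
    login_protocols = {groups[g] for g in login_groups if g in groups}
    exposed = directed & login_protocols  # directed-request on AND used at the login prompt
    return {
        "directed_request_enabled": sorted(directed),
        "remote_login_protocols": sorted(login_protocols),
        "exposed_protocols": sorted(exposed),
        "exposed": bool(exposed),
    }


def remediation_commands(assessment: dict) -> list:
    """Workaround commands from this page for every protocol with directed-request enabled."""
    return [f"no {proto}-server directed-request" for proto in assessment["directed_request_enabled"]]


if __name__ == "__main__":
    result = assess_config(SAMPLE_CONFIG)
    print(result)
    print("\n".join(remediation_commands(result)))
```

Feed it the output of 'show running-config' captured from each device; an 'exposed' result means the workaround or the fixed release is still needed there.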
📡 Detection & Monitoring
Log Indicators:
- Unexpected device reloads
- Authentication failures with crafted input
- System crash logs
Network Indicators:
- Sudden loss of connectivity to device
- Device rebooting unexpectedly
SIEM Query:
source="nxos" AND (event_type="crash" OR event_type="reload" OR (message="Authentication failed" AND input_length>100))