CVE-2017-3804 in NX-OS
Summary
by MITRE
A vulnerability in Intermediate System-to-Intermediate System (IS-IS) protocol packet processing of Cisco Nexus 5000, 6000, and 7000 Series Switches software could allow an unauthenticated, adjacent attacker to cause a reload of the affected device. Switches in the FabricPath domain crash because of an __inst_001__isis_fabricpath hap reset when processing a crafted link-state packet. More Information: CSCvc45002. Known Affected Releases: 7.1(3)N1(2.1) 7.1(3)N1(3.12) 7.3(2)N1(0.296) 8.0(1)S2. Known Fixed Releases: 6.2(18)S11 7.0(3)I5(1.170) 7.0(3)I5(2) 7.1(4)N1(0.4) 7.1(4)N1(1b) 7.1(5)N1(0.986) 7.1(5)N1(1) 7.2(3)D1(0.8) 7.3(2)N1(0.304) 7.3(2)N1(1) 8.0(0.96)S0 8.0(1) 8.0(1)E1 8.0(1)S4 8.3(0)CV(0.788).
Analysis
by VulDB Data Team • 05/14/2026
The vulnerability described in CVE-2017-3804 represents a critical flaw in the Intermediate System-to-Intermediate System protocol implementation within Cisco Nexus series switches operating in FabricPath domains. This security weakness specifically affects network infrastructure devices that handle IS-IS routing protocols for inter-switch communication and network topology maintenance. The vulnerability stems from inadequate input validation during the processing of link-state packets, which are fundamental components of the IS-IS protocol used to disseminate network topology information throughout the switching fabric.
The technical exploitation of this vulnerability occurs when an unauthenticated attacker positioned within the same network segment crafts a malicious link-state packet designed to trigger a specific memory handling error within the switch's software implementation. The affected systems experience what is termed an "__inst_001__isis_fabricpath hap reset" condition, which represents a hardware abstraction layer reset event that fundamentally disrupts the normal operation of the switch's IS-IS protocol handler. This particular error condition manifests as a system crash and subsequent reload of the affected device, effectively causing a denial of service condition that impacts network connectivity and availability.
The operational impact of this vulnerability extends beyond simple service disruption, as it creates a significant security risk for network infrastructure. Network administrators face the potential for unauthorized parties to remotely cause outages across their switching infrastructure, particularly within FabricPath domains where multiple Nexus switches maintain interconnected routing information. The vulnerability affects multiple series of Cisco Nexus switches including 5000, 6000, and 7000 models, representing a broad attack surface that could impact enterprise and data center networks. The specific reset condition mentioned in the vulnerability description indicates that the flaw occurs at the hardware abstraction layer level, suggesting that the issue originates from how the software interacts with the underlying hardware components during IS-IS packet processing.
This vulnerability aligns with CWE-121, which describes heap-based buffer overflow conditions, and represents a classic example of improper input validation that leads to system instability. From an adversarial perspective, the vulnerability maps to ATT&CK technique T1499.002, which covers network disruption through service availability attacks. The fact that the vulnerability requires only adjacent network access makes it particularly concerning, as it can be exploited from within the local network segment without requiring complex network penetration techniques. Organizations implementing Cisco Nexus switches in their network infrastructure must consider this vulnerability as a critical threat that could be leveraged by malicious actors to create network disruptions.
Mitigation strategies for this vulnerability include applying the vendor-provided software updates and patches that address the specific IS-IS packet processing flaw. Network administrators should prioritize patching affected systems, particularly those running the known vulnerable software versions listed in the advisory. Additionally, implementing network segmentation and access controls to limit adjacent network access can provide defense-in-depth protection. Monitoring for unusual network traffic patterns or device reboots that might indicate exploitation attempts can serve as an early warning system. The vulnerability's classification as a denial of service issue means that organizations should also implement redundant network paths and failover mechanisms to maintain service availability during potential exploitation events. Regular security assessments of network infrastructure should include verification of patch compliance for this and similar vulnerabilities to maintain overall network security posture.
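The reboot monitoring described above can be automated by searching collected reset records for the signature named in the CVE description and flagging cases where several switches reset together. This is an added example, not VulDB's or Cisco's code; the record layout, hostnames, 60-second window and two-switch threshold are assumptions, and the sample data is constructed.

```python
import re
from datetime import datetime, timedelta

# Reset signature quoted in the CVE description on this page.
SIGNATURE = "__inst_001__isis_fabricpath hap reset"

# Constructed sample records in a hypothetical collector layout:
# "<ISO timestamp> <hostname> <reset reason text>". Adapt LINE_RE to your export.
SAMPLE = """\
2017-03-02T10:15:04 n7k-core-1 Reset reason: __inst_001__isis_fabricpath hap reset
2017-03-02T10:15:09 n5k-leaf-3 Reset reason: __inst_001__isis_fabricpath hap reset
2017-03-02T10:15:11 n5k-leaf-4 Reset reason: __inst_001__isis_fabricpath hap reset
2017-03-02T11:40:00 n5k-leaf-9 Reset reason: Reset Requested by CLI command reload
2017-03-05T02:00:30 n7k-core-1 Reset reason: __inst_001__isis_fabricpath hap reset
not a record
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

def parse(text):
    """Yield (timestamp, host) for each record that carries the signature."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or SIGNATURE not in m.group(3):
            continue
        try:
            yield datetime.fromisoformat(m.group(1)), m.group(2)
        except ValueError:
            continue  # malformed timestamp: skip rather than abort the scan

def clusters(events, window=timedelta(seconds=60), min_hosts=2):
    """Group resets within `window` of a cluster's first event; keep multi-switch ones."""
    out, current = [], []
    for ts, host in sorted(events):
        if current and ts - current[0][0] > window:
            out.append(current)
            current = []
        current.append((ts, host))
    if current:
        out.append(current)
    return [c for c in out if len({h for _, h in c}) >= min_hosts]

def report(text):
    """Summarise matching resets and the switches in each multi-switch cluster."""
    events = list(parse(text))
    return {"matching_resets": len(events),
            "multi_switch_clusters": [sorted({h for _, h in c}) for c in clusters(events)]}

if __name__ == "__main__":
    print(report(SAMPLE))
```

A single matching reset is still worth checking against the known affected releases listed in the summary; the cluster view only raises priority when several switches reload together.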