CVE-2017-6655 in NX-OS

Summary

by MITRE

A vulnerability in the Fibre Channel over Ethernet (FCoE) protocol implementation in Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition when an FCoE-related process unexpectedly reloads. This vulnerability affects Cisco NX-OS Software on the following Cisco devices when they are configured for FCoE: Multilayer Director Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches. More Information: CSCvc91729. Known Affected Releases: 8.3(0)CV(0.833). Known Fixed Releases: 8.3(0)ISH(0.62) 8.3(0)CV(0.944) 8.1(1) 8.1(0.8)S0 7.3(2)D1(0.47).


Analysis

by VulDB Data Team • 12/26/2020

The vulnerability described in CVE-2017-6655 represents a significant denial of service weakness within Cisco NX-OS Software's Fibre Channel over Ethernet implementation. The flaw is present in network infrastructure devices that support FCoE, creating a pathway for adjacent attackers to disrupt critical storage network operations. The vulnerability stems from improper handling of FCoE-related processes that results in unexpected reloads, effectively rendering the affected switches unable to maintain their storage connectivity functions. The impact extends across multiple high-end Cisco switching platforms, including Multilayer Director Switches, Nexus 7000 Series Switches, and Nexus 7700 Series Switches, when they are configured for FCoE. This affects organizations relying on these switches for mission-critical storage area network operations, where any disruption could cascade into broader business continuity issues.

The technical root cause of this vulnerability lies in the insufficient input validation and process management within the FCoE protocol stack of Cisco NX-OS Software. When an adjacent attacker sends malformed or specially crafted FCoE frames to the affected switches, the system fails to properly handle these packets, leading to the unexpected reloading of FCoE-related processes. This behavior creates a denial of service condition where the switch becomes temporarily unavailable for FCoE traffic, effectively breaking storage connectivity for connected servers and storage arrays. The vulnerability is classified as an unauthenticated attack vector, meaning that an attacker does not require valid credentials to exploit the flaw, and only needs physical or logical network adjacency to the target device. This adjacency requirement typically means the attacker must be on the same network segment or have access to the switch's management interface through a network path that allows direct communication.

The operational impact of CVE-2017-6655 extends far beyond simple network disruption, particularly in enterprise environments where storage area networks form the backbone of data center operations. When FCoE processes reload unexpectedly, the switch loses its ability to maintain Fibre Channel connections over Ethernet, causing storage I/O operations to fail or time out. This disruption can affect database servers, virtualization platforms, and any application requiring high-performance storage connectivity. The cascading effects of such a DoS condition can lead to application outages, data corruption risks, and significant downtime for critical business systems. Organizations with redundant storage paths may experience partial outages rather than complete failures, but the overall impact on storage performance and reliability remains substantial. The vulnerability affects multiple software versions, including specific releases in the 8.3(0)CV and 8.3(0)ISH branches, indicating that the flaw persisted across several software releases and required targeted patches to resolve.

Cisco has addressed this vulnerability through multiple software releases including 8.3(0)ISH(0.62), 8.3(0)CV(0.944), 8.1(1), 8.1(0.8)S0, and 7.3(2)D1(0.47). These updates contain patches that strengthen the FCoE protocol handling and implement proper input validation to prevent the conditions that lead to process reloads. Organizations should prioritize upgrading to these fixed releases to eliminate the risk of exploitation. Network administrators should also consider implementing additional security controls such as access control lists to restrict FCoE traffic to trusted sources, though these measures only provide partial protection since the vulnerability is exploitable by adjacent attackers. The vulnerability aligns with CWE-20, which describes improper input validation, and relates to ATT&CK technique T1499.001 for network disruption attacks. Organizations should also review their network segmentation practices to minimize the potential attack surface for such adjacent attacks, particularly in environments where FCoE is implemented across multiple network domains.

Reservation

03/09/2017

Disclosure

06/13/2017

Moderation

accepted

CPE

ready

EPSS

0.00245

KEV

no

Activities

very low
