CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N/E:X/RL:X/RC:X
Summary
A vulnerability in the bootloader of Cisco NX-OS Software could allow an unauthenticated attacker with physical access to an affected device, or an authenticated, local attacker with administrative credentials, to bypass NX-OS image signature verification.
This vulnerability is due to insecure bootloader settings. An attacker could exploit this vulnerability by executing a series of bootloader commands. A successful exploit could allow the attacker to bypass NX-OS image signature verification and load unverified software.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-image-sig-bypas-pQDRQvjL
Affected Products
Vulnerable Products
This vulnerability affects the following Cisco products if they are running a release of Cisco NX-OS Software that includes a vulnerable BIOS version, regardless of device configuration:
- MDS 9000 Series Multilayer Switches (CSCwh76163)
- Nexus 3000 Series Switches (CSCwm47438)
- Nexus 7000 Series Switches (CSCwh76166)
- Nexus 9000 Series Fabric Switches in ACI mode (CSCwn11901)
- Nexus 9000 Series Switches in standalone NX-OS mode (CSCwm47438)
- UCS 6400 Series Fabric Interconnects (CSCwj35846)
- UCS 6500 Series Fabric Interconnects (CSCwj35846)
Note: This vulnerability is relevant only for Cisco MDS, Nexus, and UCS Fabric Interconnect platforms that support secure boot technology.
For information about which specific Cisco MDS, Nexus, and UCS Fabric Interconnect platforms support secure boot technology and the corresponding Cisco software releases that are vulnerable, see the Fixed Software section of this advisory.
Determine the Cisco NX-OS BIOS Version
To determine which Cisco NX-OS BIOS version is running, log in to the device, use the show version CLI command, and view the BIOS output line, as shown in the following example:
switch# show version | include BIOS
BIOS: version 01.11
BIOS compile time: 06/30/2023
For information about affected and fixed BIOS versions, see the Fixed Software section of this advisory.
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.
Workarounds
There are no workarounds that address this vulnerability.
Fixed Software
Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Releases
Resolution of this vulnerability requires a BIOS update on affected Cisco MDS, Nexus, and UCS Fabric Interconnect platforms that are running Cisco NX-OS Software.
To upgrade the BIOS on Cisco MDS and Nexus Standalone platforms, upgrade Cisco NX-OS Software on the affected devices with the install all CLI command or install a specific SMU as indicated in the Fixed Release table that follows. For more information, see the Cisco Nexus 9000 Series NX-OS Software Upgrade and Downgrade Guide, Release 10.4(x).
For Cisco Nexus 9000 Series Switches in ACI mode, upgrade to a fixed software release as shown in the Fixed Release table that follows. For more information, see the Cisco APIC Installation and ACI Upgrade and Downgrade Guide.
For Cisco UCS Fabric Interconnect platforms, upgrade to a fixed software release as shown in the Fixed Release table that follows. For more information for devices managed by UCS Manager (UCSM), see the Cisco UCS Manager Firmware Management Guide, Release 4.3. For more information for devices managed by Intersight, see the Cisco Intersight Managed Mode Configuration Guide.
Cisco recommends verifying the BIOS version for each platform after the upgrade has been completed.
Note: For Cisco MDS and Nexus standalone platforms, if the device was not previously upgraded by using the install all CLI command, the BIOS might not have been upgraded. Even if customers are running a fixed Cisco NX-OS Software release, they are advised to check the BIOS version and use the install all command to complete the BIOS upgrade, if applicable.
In the following table, the left column lists Cisco MDS, Nexus, and UCS Fabric Interconnect platforms. The middle column indicates the first BIOS version that includes the fix for this vulnerability. The right column indicates the corresponding first Cisco NX-OS Software release or SMU or Cisco UCS Software release that incorporates the fixed BIOS version.
Cisco MDS 9000 Series Multilayer Switches

| Platform | First Fixed BIOS Version | First Fixed Cisco NX-OS Software Release |
|---|---|---|
| MDS 9124V 64-Gbps 24-Port Fibre Channel Switch (DS-C9124V-K9) | 1.07 | 9.4(2) |
| MDS 9132T Fibre Channel Switch (DS-C9132T-K9) | 1.46 | 9.4(2) |
| MDS 9148T Switch (DS-C9148T-K9) | 1.07 | 9.4(2) |
| MDS 9148V 64-Gbps 48-Port Fibre Channel Switch (DS-C9148V-K9) | 1.07 | 9.4(2) |
| MDS 9220i Multiservice Fabric Switch (DS-C9220I-K9) | 1.13 | 9.4(2) |
| MDS 9396T 32-Gbps 96-Port Fibre Channel Switch (DS-C9396T-K9) | 1.07 | 9.4(2) |
| MDS 9396V 64-Gbps 96-Port Fibre Channel Switch (DS-C9396V-K9) | 1.09 | 9.4(2) |
| MDS 9700 Supervisor-4 Module (DS-X97-SF4-K9) | 2.17.0 or 4.9.0 | 9.4(2) |

Cisco Nexus 3000 Series Switches

| Platform | First Fixed BIOS Version | First Fixed Cisco NX-OS Software Release |
|---|---|---|
| Nexus 31108PC-V Switch (N3K-C31108PC-V) | 4.22 | 9.3(14) SMU (Dec 2024) |
| Nexus 31108TC-V Switch (N3K-C31108TC-V) | 4.22 | 9.3(14) SMU (Dec 2024) |
| Nexus 31128PQ Switch (N3K-C31128PQ) | 7.70 | 9.3(14) SMU (Dec 2024) |
| Nexus 3132C-Z Switch (N3K-C3132C-Z) | 5.51 | 9.3(13) |
| Nexus 3232C Switch (N3K-C3232C) | 8.40 | 9.3(14) SMU (Dec 2024) |
| Nexus 3264C-E Switch (N3K-C3264C-E) | 5.51 | 9.3(13) |
| Nexus 3264Q Switch (N3K-C3264Q) | 8.40 | 9.3(14) SMU (Dec 2024) |
| Nexus 3408-S Switch (N3K-C3408-S) | 5.44 | 9.3(13) |
| Nexus 34200YC-SM Switch (N3K-C34200YC-SM) | 5.51 | 9.3(13) |
| Nexus 3432D-S Switch (N3K-C3432D-S) | 5.51 | 9.3(13) |
| Nexus 36180YC-R Switch (N3K-C36180YC-R) | 1.24 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 3636C-R Switch (N3K-C3636C-R) | 1.24 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |

Cisco Nexus 7000 Series Switches

| Platform | First Fixed BIOS Version | First Fixed Cisco NX-OS Software Release |
|---|---|---|
| Nexus 7700 Supervisor 3E (N77-SUP3E) | 1.56.0 or 3.10.0 | 8.4(10) |

Cisco Nexus 9000 Series Switches in ACI mode

| Platform | First Fixed BIOS Version | First Fixed Cisco NX-OS Software Release |
|---|---|---|
| Nexus 93108TC-EX ACI-Mode Switch (N9K-C93108TC-EX) | 7.71 | 16.0(8f); 16.1(2f) |
| Nexus 93108TC-EX-24 ACI-Mode Switch (N9K-C93108TC-EX-24) | 7.71 | 16.0(8f); 16.1(2f) |
| Nexus 93108TC-FX ACI-Mode Switch (N9K-C93108TC-FX) | 5.51 | 16.0(4c) |
| Nexus 93108TC-FX-24 ACI-Mode Switch (N9K-C93108TC-FX-24) | 5.51 | 16.0(4c) |
| Nexus 93108TC-FX3 ACI-Mode Switch (N9K-C93108TC-FX3) | 1.05 | 16.0(8f); 16.1(2f) |
| Nexus 93108TC-FX3H ACI-Mode Switch (N9K-C93108TC-FX3H) | 5.51 | 16.0(4c) |
| Nexus 93108TC-FX3P ACI-Mode Switch (N9K-C93108TC-FX3P) | 5.51 | 16.0(4c) |
| Nexus 93120TX ACI-Mode Switch (N9K-C93120TX) | 7.70 | 15.3(2e) |
| Nexus 9316D-GX ACI-Mode Switch (N9K-C9316D-GX) | 5.51 | 16.0(4c) |
| Nexus 93180LC-EX ACI-Mode Switch (N9K-C93180LC-EX) | 5.51 | 16.0(4c) |
| Nexus 93180YC-EX ACI-Mode Switch (N9K-C93180YC-EX) | 7.71 | 16.0(8f); 16.1(2f) |
| Nexus 93180YC-EX-24 ACI-Mode Switch (N9K-C93180YC-EX-24) | 7.71 | 16.0(8f); 16.1(2f) |
| Nexus 93180YC-FX ACI-Mode Switch (N9K-C93180YC-FX) | 5.51 | 16.0(4c) |
| Nexus 93180YC-FX-24 ACI-Mode Switch (N9K-C93180YC-FX-24) | 5.51 | 16.0(4c) |
| Nexus 93180YC-FX3 ACI-Mode Switch (N9K-C93180YC-FX3) | 1.09 | 16.0(4c) |
| Nexus 93180YC-FX3H ACI-Mode Switch (N9K-C93180YC-FX3H) | 1.09 | 16.0(4c) |
| Nexus 93216TC-FX2 ACI-Mode Switch (N9K-C93216TC-FX2) | 5.51 | 16.0(4c) |
| Nexus 93240YC-FX2 ACI-Mode Switch (N9K-C93240YC-FX2) | 5.51 | 16.0(4c) |
| Nexus 9332C ACI-Mode Switch (N9K-C9332C) | 5.51 | 16.0(4c) |
| Nexus 9332D-GX2B ACI-Mode Switch (N9K-C9332D-GX2B) | 1.13 | 16.0(8f); 16.1(2f) |
| Nexus 93360YC-FX2 ACI-Mode Switch (N9K-C93360YC-FX2) | 5.51 | 16.0(4c) |
| Nexus 9336C-FX2 ACI-Mode Switch (N9K-C9336C-FX2) | 5.51 | 16.0(4c) |
| Nexus 9336C-FX2-E ACI-Mode Switch (N9K-C9336C-FX2-E) | 1.07 | 16.0(4c) |
| Nexus 9348D-GX2A ACI-Mode Switch (N9K-C9348D-GX2A) | 1.09 | 16.0(8f); 16.1(2f) |
| Nexus 9348GC-FX3 ACI-Mode Switch (N9K-C9348GC-FX3) | 1.06 | 16.0(5h) |
| Nexus 9348GC-FXP ACI-Mode Switch (N9K-C9348GC-FXP) | 5.51 | 16.0(4c) |
| Nexus 9358GY-FXP ACI-Mode Switch (N9K-C9358GY-FXP) | 5.51 | 16.0(4c) |
| Nexus 93600CD-GX ACI-Mode Switch (N9K-C93600CD-GX) | 5.51 | 16.0(4c) |
| Nexus 9364C ACI-Mode Switch (N9K-C9364C) | 5.51 | 16.0(4c) |
| Nexus 9364C-GX ACI-Mode Switch (N9K-C9364C-GX) | 5.51 | 16.0(4c) |
| Nexus 9364D-GX2A ACI-Mode Switch (N9K-C9364D-GX2A) | 1.16 | 16.0(8f); 16.1(2f) |
| Nexus 9500 Supervisor A (N9K-SUP-A) ACI-Mode | 8.40 | 16.0(8f) |
| Nexus 9500 Supervisor A+ (N9K-SUP-A+) ACI-Mode | 5.51 | 16.0(4c) |
| Nexus 9500 Supervisor B (N9K-SUP-B) ACI-Mode | 8.40 | 16.0(8f) |
| Nexus 9500 Supervisor B+ (N9K-SUP-B+) ACI-Mode | 5.51 | 16.0(4c) |

Cisco Nexus 9000 Series Switches in Standalone NX-OS mode

| Platform | First Fixed BIOS Version | First Fixed Cisco NX-OS Software Release |
|---|---|---|
| Nexus 92160YC-X Switch (N9K-C92160YC-X) | None planned | None planned [1] |
| Nexus 92300YC Switch (N9K-C92300YC) | 5.51 | 9.3(13) |
| Nexus 9232C Switch (N9K-C9232C) | 7.71 | 9.3(14) SMU (Dec 2024); 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024); 10.4(4) SMU (Dec 2024); 10.5(2) |
| Nexus 92348GC-X Switch (N9K-C92348GC-X) | 5.46 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 9236C Switch (N9K-C9236C) | 7.71 | 9.3(14) SMU (Dec 2024) |
| Nexus 9272Q Switch (N9K-C9272Q) | 7.71 | 9.3(14) SMU (Dec 2024) |
| Nexus 93108TC-EX Switch (N9K-C93108TC-EX) | 7.71 | 9.3(14) SMU (Dec 2024); 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024) |
| Nexus 93108TC-EX-24 Switch (N9K-C93108TC-EX-24) | 7.71 | 9.3(14) SMU (Dec 2024); 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024) |
| Nexus 93108TC-FX Switch (N9K-C93108TC-FX) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 93108TC-FX-24 Switch (N9K-C93108TC-FX-24) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 93108TC-FX3 Switch (N9K-C93108TC-FX3) | 1.05 | 10.4(4) SMU (Dec 2024); 10.5(2) |
| Nexus 93108TC-FX3H Switch (N9K-C93108TC-FX3H) | 5.51 | 10.3(5); 10.4(2) |
| Nexus 93108TC-FX3P Switch (N9K-C93108TC-FX3P) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 93120TX Switch (N9K-C93120TX) | 7.70 | 9.3(14) SMU (Dec 2024) |
| Nexus 9316D-GX Switch (N9K-C9316D-GX) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 93180LC-EX Switch (N9K-C93180LC-EX) | 5.51 | 9.3(13) |
| Nexus 93180YC-EX Switch (N9K-C93180YC-EX) | 7.71 | 9.3(14) SMU (Dec 2024); 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024) |
| Nexus 93180YC-EX-24 Switch (N9K-C93180YC-EX-24) | 7.71 | 9.3(14) SMU (Dec 2024); 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024) |
| Nexus 93180YC-FX Switch (N9K-C93180YC-FX) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 93180YC-FX-24 Switch (N9K-C93180YC-FX-24) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 93180YC-FX3 Switch (N9K-C93180YC-FX3) | 1.09 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 93180YC-FX3H Switch (N9K-C93180YC-FX3H) | 1.09 | 10.3(5); 10.4(2) |
| Nexus 93180YC-FX3S Switch (N9K-C93180YC-FX3S) | 1.09 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 93216TC-FX2 Switch (N9K-C93216TC-FX2) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 93240YC-FX2 Switch (N9K-C93240YC-FX2) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 93240YC-FX2-Z Switch (N9K-C93240YC-FX2-Z) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 9332C Switch (N9K-C9332C) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 9332D-GX2B Switch (N9K-C9332D-GX2B) | 1.13 | 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024); 10.4(4) SMU (Dec 2024); 10.5(2) |
| Nexus 9332D-H2R Switch (N9K-C9332D-H2R) | 1.07 | 10.4(4) SMU (Dec 2024); 10.5(1) |
| Nexus 93360YC-FX2 Switch (N9K-C93360YC-FX2) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 9336C-FX2 Switch (N9K-C9336C-FX2) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 9336C-FX2-E Switch (N9K-C9336C-FX2-E) | 1.07 | 10.2(7); 10.3(5); 10.4(2) |
| Nexus 93400LD-H1 Switch (N9K-C93400LD-H1) | 2.10 | 10.4(4) SMU (Dec 2024); 10.5(2) |
| Nexus 9348D-GX2A Switch (N9K-C9348D-GX2A) | 1.09 | 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024); 10.4(4) SMU (Dec 2024); 10.5(2) |
| Nexus 9348GC-FX3 Switch (N9K-C9348GC-FX3) | 1.06 | 10.4(2) |
| Nexus 9348GC-FX3PH Switch (N9K-C9348GC-FX3PH) | 1.06 | 10.4(2) |
| Nexus 9348GC-FXP Switch (N9K-C9348GC-FXP) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 9358GY-FXP Switch (N9K-C9358GY-FXP) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 93600CD-GX Switch (N9K-C93600CD-GX) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 9364C Switch (N9K-C9364C) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 9364C-GX Switch (N9K-C9364C-GX) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 9364C-H1 Switch (N9K-C9364C-H1) | 1.03 | 10.4(3) |
| Nexus 9364D-GX2A Switch (N9K-C9364D-GX2A) | 1.16 | 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024); 10.4(4) SMU (Dec 2024); 10.5(2) |
| Nexus 9408 Switch (N9K-C9408) | 1.11 | 10.3(6) SMU (Dec 2024); 10.4(4) SMU (Dec 2024); 10.5(2) |
| Nexus 9500 Supervisor A (N9K-SUP-A) | 8.40 | 9.3(14) SMU (Dec 2024); 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024); 10.4(4) SMU (Dec 2024); 10.5(2) |
| Nexus 9500 Supervisor A+ (N9K-SUP-A+) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 9500 Supervisor B (N9K-SUP-B) | 8.40 | 9.3(14) SMU (Dec 2024); 10.2(8) SMU (Dec 2024); 10.3(6) SMU (Dec 2024); 10.4(4) SMU (Dec 2024); 10.5(2) |
| Nexus 9500 Supervisor B+ (N9K-SUP-B+) | 5.51 | 9.3(13); 10.2(7); 10.3(5); 10.4(2) |
| Nexus 9800 Supervisor (N9K-C9800-SUP-A) | 1.12 | 10.3(5); 10.4(3) |

Cisco UCS Fabric Interconnects

| Platform | First Fixed BIOS Version | First Fixed Cisco UCS Software Release |
|---|---|---|
| UCS 64108 Fabric Interconnect (UCS-FI-64108) | 5.50 | 4.1(3n); 4.2(3n) (Jan 2025); 4.3(4a) (UCSM Managed mode); 4.3(4.240066) (Intersight Managed Mode) |
| UCS 6454 Fabric Interconnect (UCS-FI-6454) | 5.50 | 4.1(3n); 4.2(3n) (Jan 2025); 4.3(4a) (UCSM Managed mode); 4.3(4.240066) (Intersight Managed Mode) |
| UCS 6536 Fabric Interconnect (UCS-FI-6536) | 1.6 | 4.3(4a) (UCSM Managed mode); 4.3(4.240066) (Intersight Managed Mode) |

[1] Cisco has not released and will not release software updates for Cisco Nexus 92160YC-X Switches because this product has reached the End of Vulnerability/Security Support. Customers are advised to refer to the End-of-Sale and End-of-Life Announcement for the Cisco Nexus N9K-C92160YC-X.

Note: Because this vulnerability is relevant only for Cisco MDS, Nexus, and UCS Fabric Interconnect platforms that support secure boot, legacy Cisco MDS, Nexus, and UCS Fabric Interconnect platforms that do not support secure boot are not listed in the table above.
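The BIOS check described in the Determine the Cisco NX-OS BIOS Version section, and the post-upgrade verification recommended under Fixed Releases, can be scripted against collected `show version | include BIOS` output. The following is an added example written for this page; it is not Cisco tooling or code from the advisory. The FIRST_FIXED_BIOS dictionary is a constructed excerpt of the Fixed Releases table keyed by product ID (PID) and should be extended from the table for the platforms you operate. Two assumptions are built in: dotted BIOS versions are compared as tuples of integers (so 01.11 equals 1.11 and 1.07 is lower than 1.11), and where a table row lists two values joined by "or", each value is treated as a separate BIOS line identified by its major number. The advisory does not state either rule.

```python
"""Check the running Cisco NX-OS BIOS version against the first-fixed BIOS
version for a platform, using the text of `show version | include BIOS`.

Added example, not Cisco tooling. FIRST_FIXED_BIOS is a constructed excerpt
of the advisory's Fixed Releases table keyed by product ID (PID); extend it
from that table for the platforms you operate. Version ordering is an
assumption: dotted versions are compared as tuples of integers, so
"01.11" == "1.11" and "1.07" < "1.11".
"""
import re
from typing import Dict, List, Optional

# Constructed excerpt of the advisory's Fixed Releases table.
# A list with several entries mirrors a row that reads "X or Y"
# (two BIOS lines); None mirrors "None planned".
FIRST_FIXED_BIOS: Dict[str, Optional[List[str]]] = {
    "DS-C9124V-K9": ["1.07"],              # MDS 9124V
    "DS-X97-SF4-K9": ["2.17.0", "4.9.0"],  # MDS 9700 Supervisor-4
    "N77-SUP3E": ["1.56.0", "3.10.0"],     # Nexus 7700 Supervisor 3E
    "N9K-C93180YC-FX": ["5.51"],           # Nexus 93180YC-FX (standalone)
    "N9K-C9364D-GX2A": ["1.16"],           # Nexus 9364D-GX2A (standalone)
    "N9K-C92160YC-X": None,                # no fix planned (end of support)
}

# Matches the "BIOS: version 01.11" line; tolerates leading whitespace
# and does not match the "BIOS compile time:" line.
_BIOS_LINE = re.compile(r"^\s*BIOS:\s+version\s+(\d+(?:\.\d+)*)\s*$", re.MULTILINE)


def parse_bios_version(show_version_text: str) -> Optional[str]:
    """Return the BIOS version from `show version` output, or None if absent."""
    match = _BIOS_LINE.search(show_version_text)
    return match.group(1) if match else None


def version_key(version: str) -> tuple:
    """Turn '01.11' into (1, 11) so versions compare component-wise."""
    return tuple(int(part) for part in version.split("."))


def bios_status(pid: str, bios_version: str) -> str:
    """Classify as 'fixed', 'vulnerable', 'no-fix' (none planned) or 'unknown'."""
    if pid not in FIRST_FIXED_BIOS:
        return "unknown"  # PID not in this excerpt: consult the advisory table
    thresholds = FIRST_FIXED_BIOS[pid]
    if thresholds is None:
        return "no-fix"
    running = version_key(bios_version)
    candidates = [version_key(t) for t in thresholds]
    if len(candidates) == 1:
        return "fixed" if running >= candidates[0] else "vulnerable"
    # Assumption for "X or Y" rows: each value is a separate BIOS line
    # identified by its major number, so compare only against the line the
    # running BIOS belongs to; a major that matches neither is reported unknown.
    same_line = [t for t in candidates if t[0] == running[0]]
    if not same_line:
        return "unknown"
    return "fixed" if running >= same_line[0] else "vulnerable"


def check_device(pid: str, show_version_text: str) -> Dict[str, Optional[str]]:
    """Parse the CLI output and report the BIOS version plus its status."""
    bios = parse_bios_version(show_version_text)
    status = "unknown" if bios is None else bios_status(pid, bios)
    return {"pid": pid, "bios": bios, "status": status}


# Constructed sample, shaped like the advisory's CLI example.
SAMPLE_OUTPUT = """switch# show version | include BIOS
  BIOS: version 01.11
  BIOS compile time: 06/30/2023
"""

if __name__ == "__main__":
    for pid in ("DS-C9124V-K9", "N9K-C93180YC-FX", "N9K-C92160YC-X"):
        print(check_device(pid, SAMPLE_OUTPUT))
```

Run it once before the upgrade to build the worklist and again afterwards, since the note above explains that a fixed NX-OS release does not by itself guarantee the BIOS was upgraded; a device that still reports "vulnerable" after the software upgrade is a candidate for a re-run of install all. Anything reported "unknown" means the PID or the BIOS line is not covered by the excerpt and must be checked against the table by hand.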
The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
Source
Cisco would like to thank Ferdinand Nölscher of Google Cloud Product Security Engineering for reporting this vulnerability.
Cisco Security Vulnerability Policy
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Revision History
| Version | Description | Section | Status | Date |
|---|---|---|---|---|
| 1.2 | Updated fix release information for multiple Nexus 9000 Series Switches in ACI mode. | Fixed Releases | Final | 2024-DEC-11 |
| 1.1 | Added a note to Vulnerable Products to clarify that affected and fixed BIOS versions are listed in Fixed Software. Updated fix release information for multiple products. | Vulnerable Products and Fixed Releases | Final | 2024-DEC-06 |
| 1.0 | Initial public release. | — | Final | 2024-DEC-04 |
Legal Disclaimer
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.