Symptom
The combination of the hardware platform and offered software features renders the following products affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs below: Cisco Nexus 3000 Series Switches; Cisco Nexus 9000 Series Switches - Standalone, NX-OS mode.
CVE-2018-3639 - Speculative Store Bypass (SSB), also known as Spectre Variant 4 "SpectreNG"
CVE-2017-3640 - Rogue System Register Read, also known as Spectre Variant 3a
Conditions
By default, no environment exists in which non-admin users can run third-party software to exploit these vulnerabilities.
In order to exploit these vulnerabilities, at least one of the following features or roles has to be enabled for non-admin users:
feature bash-shell
guest shell enabled
user role dev-ops
username shelltype bash
feature openflow (starting with 7.0(3)I5) or virtual-service install name in earlier releases
Workaround
If the Nexus switch owner does not need to execute additional third-party software on the switch, access to the various shell environments can be further restricted through the configuration. Note that this removes shell access for all users, including admin and dev-ops users.
>> Disable access to the host shell by configuring "no feature bash-shell"
>> Remove the guest shell by executing "guestshell destroy"
>> Change any configuration that sets a user's shell to bash back to vsh: "username shelltype vsh"
>> Remove any users with the dev-ops role
>> Disable the openflow feature
If any of the shell access listed in the 'Conditions' section is required, make sure the user does not run code or binary software from untrusted third parties.
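The following audit script is an added example, not Cisco's own tooling or part of this bug report. It scans a saved `show running-config` excerpt for the conditions listed above and pairs each hit with the corresponding workaround step. The configuration text is constructed for illustration; the regular expressions and the `virtual-service uninstall name` remediation template are assumptions about the configuration syntax rather than taken from the page. Guest shell state does not appear in the running configuration, so the "guestshell destroy" step has to be checked separately (for example with `show guestshell`) and is not covered here.

```python
"""Audit an NX-OS running-config excerpt for the shell-access conditions
named in this bug and emit the matching workaround command for each hit."""
import re
from typing import Dict, List

# Constructed `show running-config` excerpt for illustration only;
# password hashes are replaced by a placeholder.
SAMPLE_RUNNING_CONFIG = """\
version 7.0(3)I7(3)
hostname nx-lab-01
feature bash-shell
feature openflow
username admin password 5 <hash-omitted> role network-admin
username auditor password 5 <hash-omitted> role network-operator
username devuser password 5 <hash-omitted> role dev-ops
username devuser shelltype bash
username auditor shelltype vsh
"""

# (compiled pattern, condition name from the bug, remediation template).
# Templates use {0} for the first regex capture group (a user or service name).
CHECKS = [
    (re.compile(r"^feature bash-shell$"),
     "feature bash-shell", "no feature bash-shell"),
    (re.compile(r"^feature openflow$"),
     "feature openflow", "no feature openflow"),
    # Pre-7.0(3)I5 releases expose a container through virtual-service instead
    # of feature openflow; the uninstall command below is an assumed counterpart
    # of 'virtual-service install name'.
    (re.compile(r"^virtual-service (\S+)$"),
     "virtual-service (pre-7.0(3)I5)", "virtual-service uninstall name {0}"),
    # The bug's workaround says to remove dev-ops users outright; dropping only
    # the role would be the narrower alternative.
    (re.compile(r"^username (\S+) .*\brole dev-ops\b"),
     "user role dev-ops", "no username {0}"),
    (re.compile(r"^username (\S+) shelltype bash$"),
     "username shelltype bash", "username {0} shelltype vsh"),
]


def audit_config(config_text: str) -> List[Dict[str, str]]:
    """Return one finding per config line that enables a listed condition."""
    findings: List[Dict[str, str]] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        for pattern, condition, remedy in CHECKS:
            match = pattern.match(line)
            if match:
                findings.append({
                    "condition": condition,
                    "line": line,
                    "remediation": remedy.format(*match.groups()),
                })
    return findings


def exposed_conditions(config_text: str) -> List[str]:
    """Distinct conditions present, in the order first seen in the config."""
    seen: List[str] = []
    for finding in audit_config(config_text):
        if finding["condition"] not in seen:
            seen.append(finding["condition"])
    return seen


if __name__ == "__main__":
    for f in audit_config(SAMPLE_RUNNING_CONFIG):
        print(f"[{f['condition']}] {f['line']}\n    fix: {f['remediation']}")
```

Run it against a config pulled from a device to get a per-line list of which conditions are present and the command that closes each one; an empty result means none of the running-config conditions apply, but the guest shell still needs its own check.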
Further Problem Description
Please note that admin-level users always have access to run third-party code and to enable the features and roles listed above. The assumption is that admin-level roles are given only to trusted individuals within the organization.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The base CVSS score as of the time of evaluation is 4.3:
https://tools.cisco.com/security/center/cvssCalculator.x?version=3.0&vector=AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html