...
1. The switch reports ports 80 and 443 as open despite feature nxapi being disabled:

   TDC1P1-Rack01-BMC-1# show sockets connection tcp | in '*(80)|*(443)' n 1
   [host]: tcp LISTEN 0 *(80) <<< port should be closed
   Wildcard 0 *(*)
   --
   [host]: tcp6 LISTEN 0 *(80) <<< port should be closed
   Wildcard 0 *(*)
   --
   [host]: tcp LISTEN 0 *(443) <<< port should be closed
   Wildcard 0 *(*)
   --
   [host]: tcp6 LISTEN 0 *(443) <<< port should be closed
   Wildcard 0 *(*)

2. User admin with a valid password can open a browser to the NX-API Sandbox despite the feature being disabled.

3. With feature bash enabled, the nginx process is found to have been restarted despite feature nxapi being disabled:

   TDC1P1-Rack01-BMC-1# run bash sudo pgrep -l nginx
   12616 nginx
   14059 nginx_1_fe
   14138 nginx_1_fe
feature nxapi disabled
FIPS mode enabled
configuration saved
trigger: reload

TDC1P1-Rack01-BMC-1# show feature | in nxapi
nxapi 1 disabled
TDC1P1-Rack01-BMC-1# show fips status
FIPS Status: enabled
In this scenario an ACL can be applied to the mgmt0 interface to block access to the port 80 and 443 services. Example:

   !
   ip access-list DENY-NXAPI
     10 deny tcp any any eq 443
     20 deny tcp any any eq www
     30 permit ip any any
   !
   interface mgmt0
     ip access-group DENY-NXAPI in
   !

Note: There are normally restrictions when using an ACL with NX-API when it is configured to use a VRF. See https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/101x/programmability/cisco-nexus-9000-series-nx-os-programmability-guide-release-101x/m-n9k-nx-api-cli-101x.html section "Restricting Access to NX-API" for more details. For the purposes of this defect and workaround those limitations are not applicable.
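The symptom above is a mismatch between what `show feature` claims and what `show sockets connection tcp` shows, and the workaround is an inbound ACL on mgmt0. The following added example (not part of the defect record or any Cisco tooling) checks a switch for that mismatch by parsing the three CLI outputs offline: the nxapi line from `show feature`, the LISTEN lines from `show sockets connection tcp`, and the `ip access-group ... in` line under `interface mgmt0` in the running configuration. The sample outputs are constructed to mirror the ones quoted in the symptom and workaround sections; in practice they would be collected from the device, and the `assess()` result can feed a compliance check after a reload in FIPS mode.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample outputs modelled on the defect's symptom section.
FEATURE_OUTPUT = "nxapi                  1          disabled\n"

SOCKETS_OUTPUT = """[host]: tcp    LISTEN   0    *(80)
Wildcard   0   *(*)
--
[host]: tcp6   LISTEN   0    *(80)
Wildcard   0   *(*)
--
[host]: tcp    LISTEN   0    *(443)
Wildcard   0   *(*)
--
[host]: tcp6   LISTEN   0    *(443)
Wildcard   0   *(*)
"""

# Constructed running-config fragment with the workaround applied.
RUNNING_CONFIG_WITH_ACL = """interface mgmt0
  ip access-group DENY-NXAPI in
"""

# Ports the NX-API nginx front end serves (HTTP and HTTPS).
NXAPI_PORTS: Set[int] = {80, 443}


def nxapi_enabled(show_feature: str) -> bool:
    """Return True if 'show feature' reports nxapi as enabled."""
    m = re.search(r"^\s*nxapi\s+\d+\s+(enabled|disabled)", show_feature, re.M)
    if not m:
        raise ValueError("nxapi line not found in show feature output")
    return m.group(1) == "enabled"


def listening_ports(show_sockets: str) -> Set[int]:
    """Collect TCP/TCP6 wildcard LISTEN ports from 'show sockets connection tcp'."""
    ports: Set[int] = set()
    for line in show_sockets.splitlines():
        m = re.match(r"^\[host\]:\s+tcp6?\s+LISTEN\s+\d+\s+\*\((\d+)\)", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def mgmt0_inbound_acl(running_config: str) -> Optional[str]:
    """Return the name of the inbound ACL on mgmt0, or None if none is applied."""
    in_mgmt0 = False
    for line in running_config.splitlines():
        if line.startswith("interface "):
            in_mgmt0 = line.strip() == "interface mgmt0"
            continue
        if in_mgmt0:
            m = re.match(r"^\s*ip access-group (\S+) in\s*$", line)
            if m:
                return m.group(1)
    return None


def assess(show_feature: str, show_sockets: str, running_config: str) -> Dict:
    """Flag NX-API ports still listening while the feature is disabled.

    'exposed' is True only when stale listeners exist and no inbound ACL
    protects mgmt0, i.e. the workaround from the defect has not been applied.
    """
    enabled = nxapi_enabled(show_feature)
    stale = set() if enabled else listening_ports(show_sockets) & NXAPI_PORTS
    acl = mgmt0_inbound_acl(running_config)
    return {
        "nxapi_enabled": enabled,
        "stale_listeners": sorted(stale),
        "mgmt0_acl": acl,
        "exposed": bool(stale) and acl is None,
    }


if __name__ == "__main__":
    print(assess(FEATURE_OUTPUT, SOCKETS_OUTPUT, ""))
    print(assess(FEATURE_OUTPUT, SOCKETS_OUTPUT, RUNNING_CONFIG_WITH_ACL))
```

The check deliberately treats the ACL as a mitigation rather than a fix: `stale_listeners` stays populated even when `mgmt0_acl` is set, so the report still shows that the nginx listeners survived the reload, which is the condition to track until the defect itself is resolved.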
None.
The Cisco PSIRT has evaluated this issue and it does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels. If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation. Additional information on Cisco's security vulnerability policy can be found at the following URL: https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html