Networking-Forums.com

Professional Discussions => Vendor Advisories => Topic started by: Netwörkheäd on February 23, 2023, 12:09:56 PM

Title: Cisco Security Advisory - Cisco NX-OS Software SSH X.509v3 Certificate Authentication with Unsupported Remote Authorization Method Privilege Escalation Issues
Post by: Netwörkheäd on February 23, 2023, 12:09:56 PM
Cisco NX-OS Software SSH X.509v3 Certificate Authentication with Unsupported Remote Authorization Method Privilege Escalation Issues

For certain products that are running Cisco NX-OS Software and are configured for SSH authentication with an X.509 version 3 (X.509v3) certificate, two remote authorization methods are unsupported and could allow for privilege escalation: TACACS+ and certain configurations of Lightweight Directory Access Protocol (LDAP).



Both unsupported configurations could allow a user who is authenticating to the device to elevate their privilege level to Administrator because the DN programmed username on the X.509v3 certificate was not validated and therefore did not have to match the username being authenticated.


Cisco has released software updates that address the TACACS+ and LDAP authorization issues, along with updates to the documentation for Cisco NX-OS Software. See Details for information about configuration changes that can address these security issues.


This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-x509v3-unsupportedconfig-ScRtAbUk

Security Impact Rating: Informational
Source: Cisco NX-OS Software SSH X.509v3 Certificate Authentication with Unsupported Remote Authorization Method Privilege Escalation Issues (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-x509v3-unsupportedconfig-ScRtAbUk?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20NX-OS%20Software%20SSH%20X.509v3%20Certificate%20Authentication%20with%20Unsupported%20Remote%20Authorization%20Method%20Privilege%20Escalation%20Issues&vs_k=1)
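
The identity-binding gap the advisory describes, as an added example that is not part of the original post and is not Cisco's code: it is a generic model of a login path in which the role comes from a remote authorization lookup, shown once without and once with a check that the certificate's DN username equals the username being authenticated. The function names, role table and DN strings are constructed for illustration.

```python
import re

# Constructed sample data: the role a remote authorization server
# (TACACS+ or LDAP in the advisory) would return for each username.
REMOTE_ROLES = {"alice": "network-operator", "admin": "network-admin"}


def cert_username(subject_dn):
    """Return the single CN from an RFC 4514-style DN string, or None.

    Simplified parser: splits on unescaped commas and does not handle
    multi-valued RDNs ('+') or hex-encoded values.
    """
    names = []
    for rdn in re.split(r"(?<!\\),", subject_dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().upper() == "CN":
            names.append(re.sub(r"\\(.)", r"\1", value.strip()))
    # Zero or several CNs is ambiguous, so treat it as no identity.
    return names[0] if len(names) == 1 else None


def authorize_unbound(login_user, subject_dn):
    """Flawed pattern: the certificate is accepted, but the role is
    looked up for whatever username the session claims."""
    return REMOTE_ROLES.get(login_user)


def authorize_bound(login_user, subject_dn):
    """Hardened pattern: the role lookup happens only when the claimed
    username equals the identity carried in the certificate."""
    name = cert_username(subject_dn)
    if name is None or name != login_user:
        return None
    return REMOTE_ROLES.get(login_user)


if __name__ == "__main__":
    dn = "CN=alice,OU=NetOps,O=Example"  # constructed certificate subject
    print(authorize_unbound("admin", dn))  # role of a different user
    print(authorize_bound("admin", dn))    # rejected
    print(authorize_bound("alice", dn))    # alice's own role
```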