CVE-2021-1587 Overview
A vulnerability in the VXLAN Operation, Administration, and Maintenance (OAM) feature of Cisco NX-OS Software, known as NGOAM, could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to improper handling of specific packets with a Transparent Interconnection of Lots of Links (TRILL) OAM EtherType. An attacker could exploit this vulnerability by sending crafted packets, including the TRILL OAM EtherType of 0x8902, to a device that is part of a VXLAN Ethernet VPN (EVPN) fabric.
A successful exploit could allow the attacker to cause an affected device to experience high CPU usage and consume excessive system resources, which may result in overall control plane instability and cause the affected device to reload. It is important to note that the NGOAM feature is disabled by default.
Critical Impact
Unauthenticated remote attackers can cause network device reloads and control plane instability in VXLAN EVPN fabric environments, potentially disrupting critical data center network infrastructure.
Affected Products
- Cisco NX-OS Software
- Cisco Nexus 3000 Series Switches (including 3048, 31108PC-V, 31108TC-V, 31128PQ, 3132C-Z, 3132Q-V, 3132Q-X/XL, 3164Q, 3172PQ/PQ-XL, 3172TQ-XL, 3232C, 3264C-E, 3264Q, 3408-S, 34180YC, 3432D-S, 3464C, 3524-X/XL, 3548-X/XL, 36180YC-R, 3636C-R)
- Cisco Nexus 9000 Series Switches (including 9000V, 92160YC-X, 92300YC, 92304QC, 92348GC-X, 9236C, 9272Q, 93108TC-EX, 93108TC-FX, 93180YC-EX, 93180YC-FX, 9332C, 9336C-FX2, 9364C, 9372PX, 9372TX, 9396PX, 9396TX, 9508)
Discovery Timeline
- August 25, 2021 - CVE-2021-1587 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-1587
Vulnerability Analysis
This vulnerability affects Cisco Nexus switches running NX-OS software when the NGOAM feature is enabled within a VXLAN EVPN fabric configuration. The root cause lies in how the NX-OS software processes network packets containing the TRILL OAM EtherType (0x8902). When an affected device receives specially crafted packets with this EtherType, the improper handling causes excessive CPU consumption and system resource exhaustion.
The vulnerability is classified under CWE-115 (Misinterpretation of Input) and CWE-436 (Interpretation Conflict), indicating that the system misinterprets, or inconsistently processes, TRILL OAM protocol frames within the VXLAN context. This can lead to a denial of service condition in which the control plane becomes unstable, potentially causing a complete device reload.
Root Cause
The vulnerability stems from improper input validation and interpretation of packets containing the TRILL OAM EtherType (0x8902) when processed by the NGOAM feature. When the VXLAN OAM functionality encounters these malformed or unexpected packets, the parsing logic fails to properly handle them, leading to resource exhaustion. The misinterpretation of the TRILL OAM frames causes the device to enter a processing loop or allocate excessive resources attempting to handle the crafted input.
Attack Vector
An attacker can exploit this vulnerability remotely without authentication by sending crafted network packets to an affected Cisco Nexus switch that has the NGOAM feature enabled and is participating in a VXLAN EVPN fabric. The attack requires network accessibility to the target device.
The exploitation process involves:
- Identifying target Cisco Nexus switches running vulnerable NX-OS versions with NGOAM enabled
- Crafting network packets containing the TRILL OAM EtherType 0x8902
- Sending the malicious packets to the target device
- The affected device experiences high CPU usage and resource exhaustion
- Control plane instability occurs, potentially resulting in device reload
No public exploit code is available. In general terms, exploitation involves crafting Ethernet frames with the specific EtherType value and malformed OAM payloads designed to trigger the improper handling condition in the NGOAM processing logic.
Detection Methods for CVE-2021-1587
Indicators of Compromise
- Unexpected network traffic containing TRILL OAM EtherType 0x8902 targeting Nexus switches
- Cisco Nexus devices experiencing unexplained high CPU utilization spikes
- Control plane instability or unexpected device reloads in VXLAN EVPN environments
- Network monitoring systems detecting anomalous OAM-related traffic patterns
Detection Strategies
- Implement network monitoring to detect packets with EtherType 0x8902 targeting VXLAN fabric infrastructure
- Monitor Cisco Nexus device CPU utilization and set alerts for abnormal spikes exceeding baseline thresholds
- Enable logging for NGOAM-related events and review logs for unusual activity or processing errors
- Deploy intrusion detection systems with signatures for TRILL OAM protocol anomalies
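As an added illustration of the first detection strategy above (not code from Cisco or from this advisory), the following script parses raw Ethernet frames, skips 802.1Q/802.1ad VLAN tags so tagged frames are not missed, counts frames carrying EtherType 0x8902 per source MAC, and flags sources that exceed a rate threshold. The sample frames, source MACs and the threshold of 10 are constructed for the example and are not values from the advisory.

```python
import struct
from collections import Counter

TRILL_OAM_ETHERTYPE = 0x8902                    # EtherType named in CVE-2021-1587
VLAN_TAG_ETHERTYPES = {0x8100, 0x88A8, 0x9100}  # 802.1Q, 802.1ad, legacy QinQ TPIDs

def parse_ethertype(frame: bytes):
    """Return (src_mac, ethertype) of a raw Ethernet II frame, skipping any
    stack of VLAN tags; None for a truncated frame."""
    if len(frame) < 14:
        return None
    src_mac, offset = frame[6:12].hex(":"), 12
    while True:
        if len(frame) < offset + 2:
            return None
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in VLAN_TAG_ETHERTYPES:
            return src_mac, ethertype
        offset += 4                  # skip 2-byte TPID + 2-byte TCI, read next EtherType

def detect_trill_oam(frames, threshold):
    """Count 0x8902 frames per source MAC; return ({src: count} for sources at or
    above `threshold`, total 0x8902 frames). Unparseable frames are skipped."""
    per_src = Counter()
    for frame in frames:
        parsed = parse_ethertype(frame)
        if parsed is not None and parsed[1] == TRILL_OAM_ETHERTYPE:
            per_src[parsed[0]] += 1
    alerts = {src: n for src, n in per_src.items() if n >= threshold}
    return alerts, sum(per_src.values())

def build_frame(src, ethertype, vlan=None, payload=b"\x00" * 46):
    """Build a constructed test frame; the destination MAC is made up."""
    hdr = bytes.fromhex("0100c2000001") + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)  # 802.1Q tag in front of the EtherType
    return hdr + struct.pack("!H", ethertype) + payload

# Constructed sample traffic: ...aa bursts 0x8902 frames (some tagged), ...bb sends
# ordinary IPv4/ARP, ...cc sends a single 0x8902 frame, plus one runt frame.
SAMPLE_FRAMES = (
    [build_frame("02:00:00:00:00:aa", TRILL_OAM_ETHERTYPE) for _ in range(20)]
    + [build_frame("02:00:00:00:00:aa", TRILL_OAM_ETHERTYPE, vlan=100) for _ in range(5)]
    + [build_frame("02:00:00:00:00:bb", 0x0800), build_frame("02:00:00:00:00:bb", 0x0806)]
    + [build_frame("02:00:00:00:00:cc", TRILL_OAM_ETHERTYPE), b"\x00" * 10]
)

if __name__ == "__main__":
    alerts, total = detect_trill_oam(SAMPLE_FRAMES, threshold=10)
    print(f"{total} TRILL OAM frames seen; sources at/over threshold: {alerts}")
```

In production the frame list would come from a SPAN/mirror port or pcap feed and the threshold from the fabric's observed baseline, since legitimate NGOAM traffic is expected to be low-volume.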
Monitoring Recommendations
- Configure SNMP traps or syslog alerts for high CPU conditions on affected Nexus switches
- Monitor control plane health metrics and device reload events across the VXLAN fabric
- Establish baseline network traffic patterns and alert on deviations in OAM-related protocols
- Implement centralized log collection for all Nexus devices to correlate potential attack indicators
How to Mitigate CVE-2021-1587
Immediate Actions Required
- Review Cisco NX-OS version on all Nexus 3000 and 9000 series switches in your environment
- Determine if the NGOAM feature is enabled using the command show feature | include ngoam
- Prioritize patching for devices with NGOAM enabled in production VXLAN EVPN fabrics
- Consider disabling the NGOAM feature if not operationally required as an interim mitigation
Patch Information
Cisco has released software updates that address this vulnerability. Organizations should consult the Cisco Security Advisory for specific fixed software versions applicable to their hardware platforms. The advisory provides detailed guidance on determining vulnerable software versions and the corresponding fixed releases for each affected Nexus platform.
Workarounds
- Disable the NGOAM feature if it is not required for network operations using no feature ngoam
- Implement network access controls to restrict traffic reaching management interfaces of Nexus switches
- Deploy network segmentation to limit exposure of VXLAN fabric infrastructure to untrusted network segments
- Apply ingress filtering at network boundaries to drop packets with TRILL OAM EtherType from external sources
# Verify NGOAM feature status on Cisco NX-OS
show feature | include ngoam
# Disable NGOAM feature if not required (interim mitigation)
configure terminal
no feature ngoam
end
copy running-config startup-config