Cisco Security Response

Cisco Nexus 1000V Series Switch Software Release 4.2(1)SV1(5.2) Virtual Security Gateway Bypass Issue

Document ID: 32103

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20121107-n1k

Revision 1.0

For Public Release 2012 November 7 16:00 UTC (GMT)


Contents

Response
Additional Information
Status of this Notice: Interim
Revision History
Cisco Security Procedures

Cisco Response

The Cisco Product Security Incident Response Team (PSIRT) would like to notify customers of an issue that may impact their network security posture when upgrading the Cisco Nexus 1000V Series Switches to Software Release 4.2(1)SV1(5.2) with deployments that have Cisco Virtual Security Gateway (VSG) integration. This issue will manifest itself when administrators perform an in-service software upgrade to Software Release 4.2(1)SV1(5.2) from Software Release 4.2(1)SV1(5.1a) or earlier.

After the software upgrade, a bug in Software Release 4.2(1)SV1(5.2) could cause all the virtual Ethernet ports on the Virtual Ethernet Modules (VEM) of the Cisco Nexus 1000V Series Switch to stay in No-Policy pass-through mode because a valid VSG license is not actively installed. As a result, the VEMs no longer use a configured Cisco VSG; therefore, the virtual machines (VM) are not firewalled and traffic is not inspected by the VSG.

This software bug is documented in Cisco Bug ID CSCud01427 (registered customers only) and a software bulletin for Software Release 4.2(1)SV1(5.2) is in the process of being published.

Additional Information

Problem Symptoms

The VEM is in unlicensed mode for VSG, while the Virtual Supervisor Module (VSM) of Cisco Nexus 1000V continues to show it licensed.

Conditions

This issue affects deployments that have Cisco VSG integration with Cisco Nexus 1000V Series Switches. This issue occurs after upgrading the VSM of Cisco Nexus 1000V Series Switches to Software Release 4.2(1)SV1(5.2) from Software Release 4.2(1)SV1(5.1a) or earlier.

After an upgrade, the device can enter a state whereby it has active VEM ports but a license is not installed for the VSG, even when the device is configured with permanent VSG licenses. When this occurs, all the virtual Ethernet ports on the VEM that correspond to the VMs are kept in pass-through mode, with traffic not being analyzed by the VSG and hence any policies configured on the VSG are not enforced.

This bug is independent of VSM-to-VEM communication (whether in Layer 2 or Layer 3 mode).

Identification

If the workaround as described below is followed, then this issue will not be seen, and the licenses will be correctly installed.

After the upgrade to Software Release 4.2(1)SV1(5.2) has been performed, this issue can be verified from the command-line interface (CLI) by issuing the show vsn detail command. In the following example, the VSN-STATE indicates No-License:

nexus1K# show vsn detail
#VSN VLAN: -, IP-ADDR: 192.168.0.1
MODULE VSN-MAC-ADDR FAIL-MODE VSN-STATE
3 - Close No-License
4 - Close No-License

Workaround

When upgrading a Cisco Nexus 1000V Series Switch to Software Release 4.2(1)SV1(5.2), the administrator should perform these additional steps:

  1. After the VSM upgrade is complete, but before the VEM upgrade is initiated, use the system switchover command to initiate a manual switchover. After the switchover, the CLI session will exit.
  2. Log in to the VSM and use the show redundancy status CLI command to verify that the switchover was successful.

After the VSM and VEM have been upgraded, use the show vsn detail command to validate that the licenses were properly installed. The VSN-STATE should be Up. If the VSM and VEM were upgraded successfully and the licenses were properly installed, then this issue will not be observed.
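To turn the Identification check and the post-workaround validation above into a repeatable test, here is an added Python example (not Cisco's code) that parses captured show vsn detail output in the layout quoted in this response and reports every VEM module whose VSN-STATE is not Up; it also handles several VSG header blocks in one capture, which the quoted sample does not show. The sample output strings are constructed, and the MAC address in the healthy sample is a placeholder.

```python
import re
from collections import namedtuple
from typing import Dict, List

# Constructed sample modelled on the output quoted in this response: two VEMs
# (modules 3 and 4) bound to one VSG and both stuck in No-License after upgrade.
SAMPLE_NO_LICENSE = """\
nexus1K# show vsn detail
#VSN VLAN: -, IP-ADDR: 192.168.0.1
MODULE VSN-MAC-ADDR FAIL-MODE VSN-STATE
3 - Close No-License
4 - Close No-License
"""

# Constructed healthy output after the workaround (VSN-STATE Up); the MAC
# column value is a placeholder, not a real VSG address.
SAMPLE_UP = SAMPLE_NO_LICENSE.replace("- Close No-License", "0000.0000.0001 Close Up")

# One table row: VSG identity (from the '#VSN ... IP-ADDR:' header), VEM module, FAIL-MODE, VSN-STATE.
VsnBinding = namedtuple("VsnBinding", "vsn module fail_mode state")

def parse_show_vsn_detail(output: str) -> List[VsnBinding]:
    """Parse 'show vsn detail' text laid out as quoted in the response: one
    '#VSN' header per VSG, then a column header and one row per module."""
    bindings: List[VsnBinding] = []
    current_vsn = None
    for line in output.splitlines():
        parts = line.split()
        if parts and parts[0] == "#VSN":
            m = re.search(r"IP-ADDR:\s*(\S+)", line)
            current_vsn = m.group(1) if m else line.strip()
        elif parts and parts[0].isdigit() and current_vsn is not None:
            # MODULE is the first column, VSN-STATE the last and FAIL-MODE the
            # one before it, so '-' or a real MAC in the middle both parse.
            bindings.append(VsnBinding(current_vsn, int(parts[0]), parts[-2], parts[-1]))
    return bindings

def unprotected_modules(output: str) -> Dict[str, List[int]]:
    """{vsn: [modules]} for every binding whose VSN-STATE is not Up, i.e. VEMs
    whose vEth ports sit in pass-through with no VSG policy enforced."""
    result: Dict[str, List[int]] = {}
    for b in parse_show_vsn_detail(output):
        if b.state != "Up":
            result.setdefault(b.vsn, []).append(b.module)
    return result

def vsg_enforced(output: str) -> bool:
    """True only when at least one module is bound and every binding is Up."""
    return bool(parse_show_vsn_detail(output)) and not unprotected_modules(output)
```

Feed the function the saved output of show vsn detail from each VSM after the VEM upgrade; an empty capture is treated as unprotected rather than as a pass.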

Official Fix

Cisco will release Software Release 4.2(1)SV1(5.2a) and this response will be updated when a confirmed release date is available.

Status of this Notice: Interim

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Revision History

Revision 1.0 2012-November-07 Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
