Owning the data centre – Cisco NX-OS VDC takeover vulnerability

10 min readFeb 9, 2018

During testing of the Cisco Nexus 7000 series switch I identified a high impact (CVSS8.8) vulnerability within the OS which also formed the basis of my talk at Bsides Manchester.

Note that the views are my own and don’t represent my employer.


I identified a vulnerability in the Cisco NX-OS data centre switch range that as executed is a CVSS 8.8 against the Cisco NX-OS data centre switches.

I have worked with Cisco between Feb and Oct 2017 to get the vulnerabilities resolved and followed a coordinated disclosure approach. However Cisco have decided that the vulnerabilities identified are not as severe, a point on which we disagree. This post outlines the details of the exploit now that is had a published fix and how the chained set of vulnerabilities identified has an impact.

The nature of the vulnerabilities discovered in February 2017 were so fundamental to the way the software operates that the fix required a major code re-write. It took the vendor 222 days from the vulnerability being reported to it being fixed and updated, with software being published on the version 8 code branch. A recommended mitigation was shared:

Administrators should ensure that all methods that could potentially allow access to the underlying CLI such as the Python scripting parser are restricted to trusted users only.

Bursting the VDC bubbles in the Cisco NX-OS

Timeline of disclosure

20 Feb 17 — Reported to Cisco PSIRT and provided a video demonstrating the vulnerability. I was initially told that the vulnerability that I had disclosed was already known and therefore a duplicate. Upon challenging the response and describing that it was possible to take over other VDC functionality it was then passed on for further investigation.

28 Feb 17 — CISCO PSIRT acknowledged the the vulnerability as demonstrated scores 8.8 against CVSS v3

Hi Greg,




Security addict, 17+ years in industry making systems more secure and finding those that aren’t