Earlier today, Cisco released a critical security advisory affecting its Nexus 7000 and Nexus 7700 Series Switches, CVE-2016-1453. A vulnerability in the Overlay Transport Virtualization (OTV) generic routing encapsulation (GRE) implementation of the Cisco Nexus 7000 and 7700 Series Switches could allow an attacker to cause a reload of the affected system or to remotely execute code.
The vulnerability is due to incomplete input validation of the size of OTV packet header parameters, which can result in a buffer overflow. An attacker could exploit this vulnerability by sending a crafted OTV UDP packet to the OTV interface on an affected device, which would allow them to execute arbitrary code and obtain full control of the system.
This vulnerability only applies if you’re on a vulnerable version of software and have OTV enabled.
To see if you have OTV enabled, run this command:
show running-config | include otv
If it returns a result like this, then you have OTV enabled:
otv join-interface ...
Next, check your software version with this command:
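The two checks above are easy to run by hand on one switch; across a fleet you typically audit saved command output instead. The following script is an added example, not from the Cisco advisory or from any Cisco tool: it applies the same "include otv" filter to a saved running-config, pulls the platform family and system version out of saved "show version" output, and flags Nexus 7000/7700 devices with OTV enabled for comparison against the advisory's fixed-release list (which this page does not reproduce, so no version comparison is attempted). The sample command output embedded below is constructed for the example, and the function names are the author's own.

```python
import re
from typing import Dict, List

# Constructed sample of "show running-config" from a Nexus 7000 with OTV enabled
# (not taken from the advisory). "otv join-interface" is the line the page says to look for.
SAMPLE_RUNNING_CONFIG_OTV = """\
version 6.2(8)
hostname dc1-n7k-01
feature otv
interface Overlay1
  otv join-interface Ethernet1/1
  otv control-group 239.1.1.1
  otv extend-vlan 100-110
interface Ethernet1/1
  ip address 10.0.0.1/24
"""

# Constructed sample of a running-config on a switch that does not use OTV.
SAMPLE_RUNNING_CONFIG_NO_OTV = """\
version 6.2(8)
hostname dc1-n7k-02
feature vpc
interface Ethernet1/1
  ip address 10.0.0.2/24
"""

# Constructed sample of "show version" output, trimmed to the lines this script reads.
SAMPLE_SHOW_VERSION = """\
Cisco Nexus Operating System (NX-OS) Software
Software
  system:    version 6.2(8)
Hardware
  cisco Nexus7000 C7010 (10 Slot) Chassis ("Supervisor Module-2")
"""

AFFECTED_PLATFORMS = {"Nexus7000", "Nexus7700"}


def otv_lines(running_config: str) -> List[str]:
    """Offline equivalent of 'show running-config | include otv': the matching lines, stripped."""
    return [line.strip() for line in running_config.splitlines() if "otv" in line]


def otv_enabled(running_config: str) -> bool:
    """OTV is considered enabled if any config line mentions otv (same test as the CLI filter)."""
    return bool(otv_lines(running_config))


def parse_show_version(text: str) -> Dict[str, str]:
    """Extract the platform family and the 'system: version' string from 'show version' output."""
    info = {"platform": "", "version": ""}
    platform = re.search(r"cisco\s+(Nexus7[07]00)", text)
    if platform:
        info["platform"] = platform.group(1)
    version = re.search(r"system:\s+version\s+(\S+)", text)
    if version:
        info["version"] = version.group(1)
    return info


def assess(running_config: str, show_version: str) -> Dict[str, str]:
    """Combine both checks into a triage verdict for one device.

    Returns a status of:
      NOT_AFFECTED_PLATFORM  - not a Nexus 7000/7700, out of scope for this advisory
      OTV_DISABLED           - affected platform, but OTV is not configured
      OTV_ENABLED_CHECK_VERSION - affected platform with OTV on; compare the reported
                               version against the advisory's fixed releases
    """
    info = parse_show_version(show_version)
    if info["platform"] not in AFFECTED_PLATFORMS:
        status = "NOT_AFFECTED_PLATFORM"
    elif not otv_enabled(running_config):
        status = "OTV_DISABLED"
    else:
        status = "OTV_ENABLED_CHECK_VERSION"
    return {"status": status, **info, "otv_lines": "; ".join(otv_lines(running_config))}


if __name__ == "__main__":
    for name, cfg in (("dc1-n7k-01", SAMPLE_RUNNING_CONFIG_OTV),
                      ("dc1-n7k-02", SAMPLE_RUNNING_CONFIG_NO_OTV)):
        print(name, assess(cfg, SAMPLE_SHOW_VERSION))
```

In practice you would feed this the captured output of both commands for every Nexus 7000/7700 in your inventory and work through the OTV_ENABLED_CHECK_VERSION entries against the advisory's fixed-release table; the script deliberately stops short of deciding "vulnerable" on its own because that decision depends on the version list published with the advisory.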
Cisco has released software updates that address this vulnerability. A workaround to mitigate this vulnerability is available.
For more details, visit the Cisco Security Advisory: CVE-2016-1453