Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

         Action Recommended to Secure the Cisco Nexus PowerOn Auto
                           Provisioning Feature
                               7 March 2019


        AusCERT Security Bulletin Summary

Product:           Cisco Nexus
                   Cisco MDS
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Action Recommended to Secure the Cisco Nexus PowerOn Auto Provisioning Feature

Priority:        Informational

Advisory ID:     cisco-sa-20190306-info-poap

First Published: 2019 March 6 16:00 GMT

Version 1.0:     Final

Workarounds:     No workarounds available


  o Cisco Nexus devices support an automatic provisioning or zero-touch
    deployment feature called PowerOn Auto Provisioning (POAP). This feature
    assists in automating the initial deployment and configuration of Nexus
    switches. POAP is enabled by default and activates on devices that have no
    startup configuration or when Perpetual POAP has been configured using the
    boot poap enable command.

    As with other automatic provisioning technologies, such as Cisco Zero-Touch
    Provisioning or Cisco Smart Install, some basic assumptions are made about
    the initial deployment environment. First, that administrators know that
    the feature exists and is enabled by default. Second, that the Layer 2 (L2)
    network on which a device initially connects is secure.

    By design, the POAP feature leverages several unauthenticated protocols to
    obtain the initial configuration file for a device. When a device with POAP
    boots and subsequently fails to locate a startup configuration, such as on
    the first startup after unboxing or after a restoration of factory
    defaults, the device enters POAP mode. The device will attempt to locate a
    DHCP server through a connected management interface ^ 1 . Then the switch
    will listen for a DHCP response that includes at a minimum the following:
       An IP address
       A default gateway
       Option 66 (TFTP server name) or Option 150 (TFTP server address)
       Option 67 (boot file name)

    If the Nexus device receives multiple DHCP responses that meet these
    requirements, the first DHCP response received will be accepted, and POAP
    will move to the next stage of the device configuration. If no DHCP
    responses that meet these requirements are received prior to the timeout
    period, the device will exit POAP mode.

    If a DHCP response is accepted, the Nexus device will attempt to connect to
    the provided TFTP server to retrieve the Python or Tool Command Language
    (Tcl) POAP configuration script specified within the boot file option. The
    switch will then execute the script to retrieve the specified software and
    device configuration. The Nexus device software and configuration may be
    retrieved using Secure Copy Protocol (SCP), FTP, or SFTP. The downloaded
    Nexus software will be assigned as the active image, with the configuration
    file scheduled to be applied when the device restarts.

    Several steps in the POAP configuration process rely on a secure network
    segment to obtain critical startup information. While the POAP feature
    disables itself after a configuration is applied to a device ^ 2 , it is
    critical that customers properly secure the networks in which POAP may be
    utilized. Some customers may want to disable the POAP feature and use other
    methods to configure a Nexus device out of the box. To this end, Cisco has
    added multiple new commands to disable POAP that will persist across a
    reset to factory defaults and the removal of a configuration. For
    guidelines on securing a POAP environment, as well as information about
    disabling the feature, see the Details and Recommendations sections.

    This advisory is available at the following link:

    ^ 1 On some Nexus chassis-based devices, the DHCP solicitation may also be
    sent using all front-panel Ethernet interfaces of the installed router

    ^ 2 The POAP feature will not be disabled if Perpetual POAP has been
    configured using the boot poap enable command and will run on each reload
    of the device.

Affected Products

  o Vulnerable Products

    The following Cisco NX-OS platforms support the POAP feature:

       MDS 9000 Series Multilayer Switches
       Nexus 2000 Series Fabric Extenders
       Nexus 3000 Series Switches
       Nexus 3500 Platform Switches
       Nexus 3600 Platform Switches
       Nexus 5500 Platform Switches
       Nexus 5600 Platform Switches
       Nexus 6000 Series Switches
       Nexus 7000 Series Switches
       Nexus 7700 Series Switches
       Nexus 9000 Series Switches in standalone NX-OS mode
       Nexus 9500 R-Series Line Cards and Fabric Modules

    Products Confirmed Not Vulnerable

    The following Cisco NX-OS platforms do not support the POAP feature:

       Nexus 1000V Switch for Microsoft Hyper-V
       Nexus 1000V Switch for VMware vSphere
       Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
        (ACI) mode


  o Why NX-OS Devices Running POAP Should Be Secured

    POAP accepts a configuration script from the first DHCP server to respond,
    and there is no mechanism to establish trust with the DHCP server. An
    attacker who is able to send a DHCP response could provide a malicious
    configuration to a device, which could allow the attacker to run commands
    at the administrator privilege level.

    The initial POAP implementation did not include an option to disable the
    feature, even for customers who did not require POAP. Also, when the CLI
    command write erase was issued to reset a unit to factory defaults, a
    customer might not have realized that POAP would run again.

    POAP is enabled when there is no configuration on the system, and it runs
    as a part of bootup. However, customers can bypass POAP enablement during
    initial setup. Cisco recommends that customers who do not want to use the
    POAP feature disable POAP permanently on an NX-OS device.

    Disabling the POAP Feature Permanently

    The following CLI command options have been added to further secure and
    provide the current status of the POAP feature:

        switch# system no poap

        switch# show system poap
        System-wide POAP is disabled  using exec command 'system no poap'
        POAP will be bypassed on write-erase reload.

    To disable POAP permanently, even when there is no configuration on the
    system, customers can use the CLI command system no poap . This command
    ensures that POAP is not started during the next boot, even if there is no
    configuration. The commands system [no] poap and show system poap were
    first added in the following NX-OS Software releases:

    Cisco NX-OS Software Platform           First Release with New POAP
    MDS 9000 Series Multilayer Switches     6.2(27) ^1
    Nexus 2000 Series Switches
    Nexus 5500 Platform Switches            7.3(5)N1(1)
    Nexus 5600 Platform Switches
    Nexus 6000 Series Switches
    Nexus 3000 Series Switches              9.2(2), 7.0(3)I7(6)
    Nexus 3500 Platform Switches            9.2(2), 7.0(3)I7(6), 7.0(3)I4(9),
    Nexus 3600 Platform Switches
    Nexus 9500 R-Series Line Cards and      9.2(2), 7.0(3)F3(5)
    Fabric Modules
    Nexus 7000 Series Switches              8.3(2), 7.3(3)D1(1), 6.2(22)
    Nexus 7700 Series Switches
    Nexus 9000 Series Switches in           9.2(2), 7.0(3)I7(6), 7.0(3)I4(9)
    standalone NX-OS mode

    ^ 1 The MDS Software Release 6.2(27) is targeted for late March 2019.

    For additional information on utilizing the POAP feature and for the CLI
    commands to enable POAP, customers can refer to the Using PowerOn Auto
    Provisioning chapter of the Cisco NX-OS Fundamentals Configuration Guide .


  o The POAP feature uses DHCP to locate a DHCP server and apply the given
    interface IP address, gateway, and DNS server IP addresses. It is important
    to ensure that POAP receives a configuration from only a trusted DHCP

    Enabling DHCP snooping can allow POAP to be used in a more secure manner.
    DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP
    servers by performing the following activities:

       Validating DHCP messages received from untrusted sources and filtering
        out invalid messages
       Building and maintaining a DHCP snooping binding database, which
        contains information about untrusted hosts with leased IP addresses
       Using the DHCP snooping binding database to validate subsequent
        requests from untrusted hosts

    In addition, network firewall rules can be configured to block unintended
    or malicious DHCP servers.

    For customers who do not want to use the POAP feature, Cisco recommends
    disabling POAP permanently on an NX-OS device.


  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/

Revision History

  o +---------+--------------------------+---------+--------+----------------+
    | Version |       Description        | Section | Status |      Date      |
    | 1.0     | Initial public release.  | -       | Final  | 2019-March-06  |

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967