-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0714
   Action Recommended to Secure the Cisco Nexus PowerOn Auto Provisioning
                                  Feature
                                7 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Nexus
                   Cisco MDS
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Mitigation

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-info-poap

- --------------------------BEGIN INCLUDED TEXT--------------------

Action Recommended to Secure the Cisco Nexus PowerOn Auto Provisioning Feature

Priority:        Informational
Advisory ID:     cisco-sa-20190306-info-poap
First Published: 2019 March 6 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available

Summary

  o Cisco Nexus devices support an automatic provisioning or zero-touch
    deployment feature called PowerOn Auto Provisioning (POAP). This feature
    assists in automating the initial deployment and configuration of Nexus
    switches. POAP is enabled by default and activates on devices that have
    no startup configuration or when Perpetual POAP has been configured using
    the boot poap enable command.

    As with other automatic provisioning technologies, such as Cisco
    Zero-Touch Provisioning or Cisco Smart Install, some basic assumptions
    are made about the initial deployment environment. First, that
    administrators know that the feature exists and is enabled by default.
    Second, that the Layer 2 (L2) network on which a device initially
    connects is secure. By design, the POAP feature leverages several
    unauthenticated protocols to obtain the initial configuration file for a
    device.
    When a device with POAP boots and subsequently fails to locate a startup
    configuration, such as on the first startup after unboxing or after a
    restoration of factory defaults, the device enters POAP mode. The device
    will attempt to locate a DHCP server through a connected management
    interface ^1. The switch will then listen for a DHCP response that
    includes, at a minimum, the following:

      - An IP address
      - A default gateway
      - Option 66 (TFTP server name) or Option 150 (TFTP server address)
      - Option 67 (boot file name)

    If the Nexus device receives multiple DHCP responses that meet these
    requirements, the first DHCP response received will be accepted, and
    POAP will move to the next stage of the device configuration. If no DHCP
    response that meets these requirements is received before the timeout
    period expires, the device will exit POAP mode.

    If a DHCP response is accepted, the Nexus device will attempt to connect
    to the provided TFTP server to retrieve the Python or Tool Command
    Language (Tcl) POAP configuration script named in the boot file option.
    The switch will then execute the script to retrieve the specified
    software and device configuration. The Nexus device software and
    configuration may be retrieved using Secure Copy Protocol (SCP), FTP, or
    SFTP. The downloaded Nexus software will be assigned as the active image,
    with the configuration file scheduled to be applied when the device
    restarts.

    Several steps in the POAP configuration process rely on a secure network
    segment to obtain critical startup information. While the POAP feature
    disables itself after a configuration is applied to a device ^2, it is
    critical that customers properly secure the networks in which POAP may
    be utilized. Some customers may want to disable the POAP feature and use
    other methods to configure a Nexus device out of the box. To this end,
    Cisco has added multiple new commands to disable POAP that will persist
    across a reset to factory defaults and the removal of a configuration.
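    The following is an added example, not part of the Cisco advisory or the
    AusCERT bulletin. It applies the DHCP acceptance rules described above
    (an address, a gateway, Option 66 or 150, and Option 67, first qualifying
    response wins) to captured DHCP payloads and flags any offer that would
    trigger POAP but comes from a server that is not on an allowlist, which is
    the "only a trusted DHCP server" check the Recommendations section asks
    for. The packets, addresses, script name and allowlist below are
    constructed for the example; the OFFER message-type check and the use of
    Option 54 as the server's identity are assumptions of this script, not
    statements from the advisory.

```python
"""Added example (not Cisco's or AusCERT's code): replay captured DHCPOFFERs
through the acceptance rules the advisory attributes to POAP and flag any
POAP-triggering offer whose server is not on a trusted allowlist."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie
BOOTREPLY = 2
DHCPOFFER = 2
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 53, 54
OPT_TFTP_NAME, OPT_BOOTFILE, OPT_TFTP_ADDR, OPT_END = 66, 67, 150, 255


@dataclass
class DhcpMessage:
    xid: int
    yiaddr: str
    options: Dict[int, bytes] = field(default_factory=dict)

    @property
    def server_id(self) -> Optional[str]:
        """Option 54: the address the responding server claims for itself (assumed identity)."""
        raw = self.options.get(OPT_SERVER_ID)
        return str(ipaddress.IPv4Address(raw)) if raw and len(raw) == 4 else None

    @property
    def is_offer(self) -> bool:
        return self.options.get(OPT_MSG_TYPE) == bytes([DHCPOFFER])


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the fixed BOOTP header and the DHCP option TLVs of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    if op != BOOTREPLY:
        raise ValueError("not a BOOTREPLY")
    msg = DhcpMessage(xid=xid, yiaddr=str(ipaddress.IPv4Address(payload[16:20])))
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                      # pad byte, carries no length field
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        msg.options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def poap_would_accept(msg: DhcpMessage) -> bool:
    """Minimum content the advisory says POAP needs before it moves on to TFTP."""
    o = msg.options
    return (msg.is_offer and msg.yiaddr != "0.0.0.0" and OPT_ROUTER in o
            and (OPT_TFTP_NAME in o or OPT_TFTP_ADDR in o) and OPT_BOOTFILE in o)


def triage_offers(payloads: List[bytes], trusted_servers: Set[str]) -> dict:
    """Walk offers in arrival order, as POAP does; report every qualifying offer
    and which one the device would act on."""
    hits: List[Tuple[int, str, str, str]] = []
    for n, payload in enumerate(payloads):
        msg = parse_dhcp(payload)
        if not poap_would_accept(msg):
            continue
        server = msg.server_id or "unknown"
        verdict = "trusted" if server in trusted_servers else "ROGUE"
        bootfile = msg.options[OPT_BOOTFILE].rstrip(b"\x00").decode("ascii", "replace")
        hits.append((n, server, verdict, bootfile))
    accepted = hits[0][:3] if hits else None   # first qualifying response wins
    return {"accepted": accepted, "poap_offers": hits}


def build_offer(xid: int, yiaddr: str, server_id: str, router: str,
                bootfile: Optional[str] = None, tftp_addr: Optional[str] = None,
                tftp_name: Optional[str] = None) -> bytes:
    """Construct a DHCPOFFER payload for the example (not captured traffic)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", BOOTREPLY, 1, 6, 0, xid, 0, 0,
                      b"\x00" * 4, ipaddress.IPv4Address(yiaddr).packed,
                      b"\x00" * 4, b"\x00" * 4, b"\x00" * 16, b"\x00" * 64, b"\x00" * 128)
    opts = [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
            (OPT_SERVER_ID, ipaddress.IPv4Address(server_id).packed),
            (OPT_ROUTER, ipaddress.IPv4Address(router).packed)]
    if tftp_addr:
        opts.append((OPT_TFTP_ADDR, ipaddress.IPv4Address(tftp_addr).packed))
    if tftp_name:
        opts.append((OPT_TFTP_NAME, tftp_name.encode()))
    if bootfile:
        opts.append((OPT_BOOTFILE, bootfile.encode()))
    body = b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])
    return hdr + DHCP_MAGIC + body


# Constructed traffic: a plain DHCP server with no boot options, a rogue host
# answering first with its own script, then the intended provisioning server.
TRUSTED_DHCP = {"10.10.1.5"}
SAMPLE_OFFERS = [
    build_offer(0x2A2A, "10.10.1.20", "10.10.1.1", "10.10.1.1"),
    build_offer(0x2A2A, "10.10.1.21", "10.10.1.99", "10.10.1.1",
                bootfile="poap.py", tftp_addr="10.10.1.99"),
    build_offer(0x2A2A, "10.10.1.22", "10.10.1.5", "10.10.1.1",
                bootfile="poap.py", tftp_name="provision.example.net"),
]

if __name__ == "__main__":
    report = triage_offers(SAMPLE_OFFERS, TRUSTED_DHCP)
    for n, server, verdict, bootfile in report["poap_offers"]:
        print(f"offer #{n}: server {server}, bootfile {bootfile!r}: {verdict}")
    print("POAP would act on:", report["accepted"])
```

    Feed it the UDP payloads of DHCP replies seen on the provisioning VLAN
    (from a capture or a SPAN of the access switch); with scapy, for example,
    bytes(pkt[BOOTP]) yields exactly the payload parse_dhcp expects. The
    script reproduces the first-match behaviour on purpose: a rogue offer that
    arrives before the legitimate one is the offer the device acts on, so the
    report shows the winner separately from the full list of qualifying
    offers.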
    For guidelines on securing a POAP environment, as well as information
    about disabling the feature, see the Details and Recommendations
    sections.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-info-poap

    ^1 On some Nexus chassis-based devices, the DHCP solicitation may also be
       sent using all front-panel Ethernet interfaces of the installed router
       processor.
    ^2 The POAP feature will not be disabled if Perpetual POAP has been
       configured using the boot poap enable command; in that case POAP runs
       on each reload of the device.

Affected Products

  o Vulnerable Products

    The following Cisco NX-OS platforms support the POAP feature:

      - MDS 9000 Series Multilayer Switches
      - Nexus 2000 Series Fabric Extenders
      - Nexus 3000 Series Switches
      - Nexus 3500 Platform Switches
      - Nexus 3600 Platform Switches
      - Nexus 5500 Platform Switches
      - Nexus 5600 Platform Switches
      - Nexus 6000 Series Switches
      - Nexus 7000 Series Switches
      - Nexus 7700 Series Switches
      - Nexus 9000 Series Switches in standalone NX-OS mode
      - Nexus 9500 R-Series Line Cards and Fabric Modules

    Products Confirmed Not Vulnerable

    The following Cisco NX-OS platforms do not support the POAP feature:

      - Nexus 1000V Switch for Microsoft Hyper-V
      - Nexus 1000V Switch for VMware vSphere
      - Nexus 9000 Series Fabric Switches in Application Centric
        Infrastructure (ACI) mode

Details

  o Why NX-OS Devices Running POAP Should Be Secured

    POAP accepts a configuration script from the first DHCP server to
    respond, and there is no mechanism to establish trust with the DHCP
    server. An attacker who is able to send a DHCP response could provide a
    malicious configuration to a device, which could allow the attacker to
    run commands at the administrator privilege level.

    The initial POAP implementation did not include an option to disable the
    feature, even for customers who did not require POAP.
    Also, when the CLI command write erase was issued to reset a unit to
    factory defaults, a customer might not have realized that POAP would run
    again. POAP is enabled when there is no configuration on the system, and
    it runs as a part of bootup. However, customers can bypass POAP
    enablement during initial setup.

    Cisco recommends that customers who do not want to use the POAP feature
    disable POAP permanently on an NX-OS device.

    Disabling the POAP Feature Permanently

    The following CLI commands have been added to secure the POAP feature
    and to show its current status:

      switch# system no poap
      switch# show system poap
      System-wide POAP is disabled using exec command 'system no poap'
      POAP will be bypassed on write-erase reload.

    To disable POAP permanently, even when there is no configuration on the
    system, customers can use the CLI command system no poap. This command
    ensures that POAP is not started during the next boot, even if there is
    no configuration. As the show output states, system no poap is an exec
    command rather than a configuration command, so it does not appear in
    the running configuration; use show system poap to verify the setting
    on each device.

    The commands system [no] poap and show system poap were first added in
    the following NX-OS Software releases:

    +-------------------------------------------+------------------------------+
    | Cisco NX-OS Software Platform             | First Release with New POAP  |
    |                                           | Commands                     |
    +-------------------------------------------+------------------------------+
    | MDS 9000 Series Multilayer Switches       | 6.2(27) ^1                   |
    +-------------------------------------------+------------------------------+
    | Nexus 2000 Series Switches                | 7.3(5)N1(1)                  |
    | Nexus 5500 Platform Switches              |                              |
    | Nexus 5600 Platform Switches              |                              |
    | Nexus 6000 Series Switches                |                              |
    +-------------------------------------------+------------------------------+
    | Nexus 3000 Series Switches                | 9.2(2), 7.0(3)I7(6)          |
    +-------------------------------------------+------------------------------+
    | Nexus 3500 Platform Switches              | 9.2(2), 7.0(3)I7(6),         |
    |                                           | 7.0(3)I4(9), 6.0(2)A8(11)    |
    +-------------------------------------------+------------------------------+
    | Nexus 3600 Platform Switches              | 9.2(2), 7.0(3)F3(5)          |
    | Nexus 9500 R-Series Line Cards and        |                              |
    | Fabric Modules                            |                              |
    +-------------------------------------------+------------------------------+
    | Nexus 7000 Series Switches                | 8.3(2), 7.3(3)D1(1), 6.2(22) |
    | Nexus 7700 Series Switches                |                              |
    +-------------------------------------------+------------------------------+
    | Nexus 9000 Series Switches in             | 9.2(2), 7.0(3)I7(6),         |
    | standalone NX-OS mode                     | 7.0(3)I4(9)                  |
    +-------------------------------------------+------------------------------+

    ^1 The MDS Software Release 6.2(27) is targeted for late March 2019.
    For additional information on utilizing the POAP feature and for the CLI
    commands to enable POAP, customers can refer to the Using PowerOn Auto
    Provisioning chapter of the Cisco NX-OS Fundamentals Configuration Guide.

Recommendations

  o The POAP feature uses DHCP to locate a DHCP server and apply the given
    interface IP address, gateway, and DNS server IP addresses. It is
    important to ensure that POAP receives a configuration from only a
    trusted DHCP server. Enabling DHCP snooping can allow POAP to be used in
    a more secure manner. DHCP snooping acts like a firewall between
    untrusted hosts and trusted DHCP servers by performing the following
    activities:

      - Validating DHCP messages received from untrusted sources and
        filtering out invalid messages
      - Building and maintaining a DHCP snooping binding database, which
        contains information about untrusted hosts with leased IP addresses
      - Using the DHCP snooping binding database to validate subsequent
        requests from untrusted hosts

    Note that a device in POAP mode has no configuration of its own to
    enforce any of this: DHCP snooping must be enabled on the upstream
    switch to which the unprovisioned device's management interface
    connects, with only the port facing the legitimate DHCP and provisioning
    servers marked as trusted.

    In addition, network firewall rules can be configured to block unintended
    or malicious DHCP servers.

    For customers who do not want to use the POAP feature, Cisco recommends
    disabling POAP permanently on an NX-OS device.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-info-poap

Revision History

  o +---------+--------------------------+---------+--------+----------------+
    | Version | Description              | Section | Status | Date           |
    +---------+--------------------------+---------+--------+----------------+
    | 1.0     | Initial public release.  | -       | Final  | 2019-March-06  |
    +---------+--------------------------+---------+--------+----------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins you
should contact your local IT manager. If you do not know who that is, please
send an email to auscert@auscert.org.au and we will forward your request to
the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXIB+zWaOgq3Tt24GAQi9PxAAzTX6/2Vkzm1ziB8u05lqy9muH7HxLKOV
DcHlX/qf2giuBdjBFWcJA/5/1IDPBi93umQylUMPdnN2K3YZYSQbjC6OEc9aznBF
LenlipdO9b8M/cH13pRRiEl8tMbKCFR0t0rvLp45/Chf26nhjyCaCH+iNa/387sW
tmlLP3RxHn3TbjH6FL4Ps3TMitG69jb2bGtVO8Y2AdHd7QlA9PBfb7HNIJRB0M4t
0HlRDNphDtvK6cj427mfZCYFrvxJBYeemdg2vOBek52AG0G0rpfXDts4vKBwpUdO
Pk+NVgkF3/0J8t0RacGnfRfbIY671kFTzbBPjOASRYQDo48UNCCO9H3yNLTFfkBf
vwdYkO/MLaLTDtu7v0SZVf+N/Dk5nevFU/Mf/x6G2A9UYnvitVhRhY8OsX+oKvAp
4UyCha5y0BJAe5mF+aOS85e5SEGSUAdRyEcKZT5V28Etpxbg+JRbA7/deIXR4bW+
dSmXIFm5OR1rvIp9xgX6a+8JTbahfq2xtCyKjPqGvI+xu8ZP8DYSdNUFLifVF5WO
DSOc1o+30W1b0cU8DwqFoLwd06R01jFQdnjftPend7qS+xIlfhmy5WVI/hGVYqy5
mECtWnHU1Pr8XwNuonwwi39k+tX/3lSxRDxn8PL0QsIhImaFThLMGDR/kZ/YHRYq
U3afiYiL+18=
=Hnse
-----END PGP SIGNATURE-----