Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.0714
Action Recommended to Secure the Cisco Nexus PowerOn Auto
Provisioning Feature
7 March 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Nexus
Cisco MDS
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Reduced Security -- Remote/Unauthenticated
Resolution: Mitigation
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190306-info-poap
- --------------------------BEGIN INCLUDED TEXT--------------------
Action Recommended to Secure the Cisco Nexus PowerOn Auto Provisioning Feature
Priority: Informational
Advisory ID: cisco-sa-20190306-info-poap
First Published: 2019 March 6 16:00 GMT
Version 1.0: Final
Workarounds: No workarounds available
Summary
o Cisco Nexus devices support an automatic provisioning or zero-touch
deployment feature called PowerOn Auto Provisioning (POAP). This feature
assists in automating the initial deployment and configuration of Nexus
switches. POAP is enabled by default and activates on devices that have no
startup configuration or when Perpetual POAP has been configured using the
boot poap enable command.
As with other automatic provisioning technologies, such as Cisco Zero-Touch
Provisioning or Cisco Smart Install, some basic assumptions are made about
the initial deployment environment. First, that administrators know that
the feature exists and is enabled by default. Second, that the Layer 2 (L2)
network on which a device initially connects is secure.
By design, the POAP feature leverages several unauthenticated protocols to
obtain the initial configuration file for a device. When a device with POAP
boots and subsequently fails to locate a startup configuration, such as on
the first startup after unboxing or after a restoration of factory
defaults, the device enters POAP mode. The device will attempt to locate a
DHCP server through a connected management interface ^ 1 . Then the switch
will listen for a DHCP response that includes at a minimum the following:
An IP address
A default gateway
Option 66 (TFTP server name) or Option 150 (TFTP server address)
Option 67 (boot file name)
If the Nexus device receives multiple DHCP responses that meet these
requirements, the first DHCP response received will be accepted, and POAP
will move to the next stage of the device configuration. If no DHCP
responses that meet these requirements are received prior to the timeout
period, the device will exit POAP mode.
If a DHCP response is accepted, the Nexus device will attempt to connect to
the provided TFTP server to retrieve the Python or Tool Command Language
(Tcl) POAP configuration script specified within the boot file option. The
switch will then execute the script to retrieve the specified software and
device configuration. The Nexus device software and configuration may be
retrieved using Secure Copy Protocol (SCP), FTP, or SFTP. The downloaded
Nexus software will be assigned as the active image, with the configuration
file scheduled to be applied when the device restarts.
Several steps in the POAP configuration process rely on a secure network
segment to obtain critical startup information. While the POAP feature
disables itself after a configuration is applied to a device ^ 2 , it is
critical that customers properly secure the networks in which POAP may be
utilized. Some customers may want to disable the POAP feature and use other
methods to configure a Nexus device out of the box. To this end, Cisco has
added multiple new commands to disable POAP that will persist across a
reset to factory defaults and the removal of a configuration. For
guidelines on securing a POAP environment, as well as information about
disabling the feature, see the Details and Recommendations sections.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190306-info-poap
^ 1 On some Nexus chassis-based devices, the DHCP solicitation may also be
sent using all front-panel Ethernet interfaces of the installed router
processor.
^ 2 The POAP feature will not be disabled if Perpetual POAP has been
configured using the boot poap enable command and will run on each reload
of the device.
Affected Products
o Vulnerable Products
The following Cisco NX-OS platforms support the POAP feature:
MDS 9000 Series Multilayer Switches
Nexus 2000 Series Fabric Extenders
Nexus 3000 Series Switches
Nexus 3500 Platform Switches
Nexus 3600 Platform Switches
Nexus 5500 Platform Switches
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 7000 Series Switches
Nexus 7700 Series Switches
Nexus 9000 Series Switches in standalone NX-OS mode
Nexus 9500 R-Series Line Cards and Fabric Modules
Products Confirmed Not Vulnerable
The following Cisco NX-OS platforms do not support the POAP feature:
Nexus 1000V Switch for Microsoft Hyper-V
Nexus 1000V Switch for VMware vSphere
Nexus 9000 Series Fabric Switches in Application Centric Infrastructure
(ACI) mode
Details
o Why NX-OS Devices Running POAP Should Be Secured
POAP accepts a configuration script from the first DHCP server to respond,
and there is no mechanism to establish trust with the DHCP server. An
attacker who is able to send a DHCP response could provide a malicious
configuration to a device, which could allow the attacker to run commands
at the administrator privilege level.
The initial POAP implementation did not include an option to disable the
feature, even for customers who did not require POAP. Also, when the CLI
command write erase was issued to reset a unit to factory defaults, a
customer might not have realized that POAP would run again.
POAP is enabled when there is no configuration on the system, and it runs
as a part of bootup. However, customers can bypass POAP enablement during
initial setup. Cisco recommends that customers who do not want to use the
POAP feature disable POAP permanently on an NX-OS device.
Disabling the POAP Feature Permanently
The following CLI command options have been added to further secure and
provide the current status of the POAP feature:
switch# system no poap
switch# show system poap
System-wide POAP is disabled using exec command 'system no poap'
POAP will be bypassed on write-erase reload.
To disable POAP permanently, even when there is no configuration on the
system, customers can use the CLI command system no poap . This command
ensures that POAP is not started during the next boot, even if there is no
configuration. The commands system [no] poap and show system poap were
first added in the following NX-OS Software releases:
Cisco NX-OS Software Platform First Release with New POAP
Commands
MDS 9000 Series Multilayer Switches 6.2(27) ^1
Nexus 2000 Series Switches
Nexus 5500 Platform Switches 7.3(5)N1(1)
Nexus 5600 Platform Switches
Nexus 6000 Series Switches
Nexus 3000 Series Switches 9.2(2), 7.0(3)I7(6)
Nexus 3500 Platform Switches 9.2(2), 7.0(3)I7(6), 7.0(3)I4(9),
6.0(2)A8(11)
Nexus 3600 Platform Switches
Nexus 9500 R-Series Line Cards and 9.2(2), 7.0(3)F3(5)
Fabric Modules
Nexus 7000 Series Switches 8.3(2), 7.3(3)D1(1), 6.2(22)
Nexus 7700 Series Switches
Nexus 9000 Series Switches in 9.2(2), 7.0(3)I7(6), 7.0(3)I4(9)
standalone NX-OS mode
^ 1 The MDS Software Release 6.2(27) is targeted for late March 2019.
For additional information on utilizing the POAP feature and for the CLI
commands to enable POAP, customers can refer to the Using PowerOn Auto
Provisioning chapter of the Cisco NX-OS Fundamentals Configuration Guide .
Recommendations
o The POAP feature uses DHCP to locate a DHCP server and apply the given
interface IP address, gateway, and DNS server IP addresses. It is important
to ensure that POAP receives a configuration from only a trusted DHCP
server.
Enabling DHCP snooping can allow POAP to be used in a more secure manner.
DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP
servers by performing the following activities:
Validating DHCP messages received from untrusted sources and filtering
out invalid messages
Building and maintaining a DHCP snooping binding database, which
contains information about untrusted hosts with leased IP addresses
Using the DHCP snooping binding database to validate subsequent
requests from untrusted hosts
In addition, network firewall rules can be configured to block unintended
or malicious DHCP servers.
For customers who do not want to use the POAP feature, Cisco recommends
disabling POAP permanently on an NX-OS device.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20190306-info-poap
Revision History
o +---------+--------------------------+---------+--------+----------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+---------+--------+----------------+
| 1.0 | Initial public release. | - | Final | 2019-March-06 |
+---------+--------------------------+---------+--------+----------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXIB+zWaOgq3Tt24GAQi9PxAAzTX6/2Vkzm1ziB8u05lqy9muH7HxLKOV
DcHlX/qf2giuBdjBFWcJA/5/1IDPBi93umQylUMPdnN2K3YZYSQbjC6OEc9aznBF
LenlipdO9b8M/cH13pRRiEl8tMbKCFR0t0rvLp45/Chf26nhjyCaCH+iNa/387sW
tmlLP3RxHn3TbjH6FL4Ps3TMitG69jb2bGtVO8Y2AdHd7QlA9PBfb7HNIJRB0M4t
0HlRDNphDtvK6cj427mfZCYFrvxJBYeemdg2vOBek52AG0G0rpfXDts4vKBwpUdO
Pk+NVgkF3/0J8t0RacGnfRfbIY671kFTzbBPjOASRYQDo48UNCCO9H3yNLTFfkBf
vwdYkO/MLaLTDtu7v0SZVf+N/Dk5nevFU/Mf/x6G2A9UYnvitVhRhY8OsX+oKvAp
4UyCha5y0BJAe5mF+aOS85e5SEGSUAdRyEcKZT5V28Etpxbg+JRbA7/deIXR4bW+
dSmXIFm5OR1rvIp9xgX6a+8JTbahfq2xtCyKjPqGvI+xu8ZP8DYSdNUFLifVF5WO
DSOc1o+30W1b0cU8DwqFoLwd06R01jFQdnjftPend7qS+xIlfhmy5WVI/hGVYqy5
mECtWnHU1Pr8XwNuonwwi39k+tX/3lSxRDxn8PL0QsIhImaFThLMGDR/kZ/YHRYq
U3afiYiL+18=
=Hnse
-----END PGP SIGNATURE-----