Cisco security updates fix dozens of flaws in Nexus Switches

Cisco released security updates to address over two dozen serious vulnerabilities affecting the Cisco Nexus switches.

Cisco released security updates to address over two dozen serious vulnerabilities affecting the Cisco Nexus switches, including denial-of-service (DoS) issues, arbitrary code execution and privilege escalation flaws.

Cisco published security advisories for most of the vulnerabilities, many of them impact the NX-OS software running on the Nexus switches and on other Cisco devices.

The “high severity” flaws affects the several components, including the Tetration Analytics agent, the LDAP feature, the Image Signature Verification feature, the user account management interface, the command-line interface (CLI), the Bash shell implementation, the FCoE NPV protocol implementation, the file system component, the network stack, the Fabric Services component, the NX-API feature, and the 802.1X implementation.

ome of the flaws could be exploited by a remote, authenticated attacker to execute code to cause a DoS condition on the vulnerable devices.

Many of the vulnerabilities allow local, authenticated attackers to execute arbitrary code as root, elevate privileges, install malware, gain read and write access to an important configuration file, or escape a restricted shell on the device.

Cisco also published an advisory to recommend Cisco Nexus users to secure networks where the PowerOn Auto Provisioning (POAP) feature is enabled or disable the feature.

Cisco Nexus devices support by default the automatic provisioning or zero-touch deployment feature PowerOn Auto Provisioning (POAP), a feature assisting users in automating the initial deployment and configuration of Nexus switches.

“POAP is enabled by default and activates on devices that have no startup configuration or when Perpetual POAP has been configured using the boot poap enable command.” reads the advisory.

“To disable POAP permanently, even when there is no configuration on the system, customers can use the CLI command system no poap. This command ensures that POAP is not started during the next boot, even if there is no configuration.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Cisco Nexus, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.