Cisco released security updates to address over two dozen serious vulnerabilities affecting the Cisco Nexus switches.

Cisco released security updates to address over two dozen serious vulnerabilities affecting the Cisco Nexus switches, including denial-of-service (DoS) issues, arbitrary code execution and privilege escalation flaws.

Cisco published security advisories for most of the vulnerabilities, many of them impact the NX-OS software running on the Nexus switches and on other Cisco devices.

The “high severity” flaws affects the several components, including the Tetration Analytics agent, the LDAP feature, the Image Signature Verification feature, the user account management interface, the command-line interface (CLI), the Bash shell implementation, the FCoE NPV protocol implementation, the file system component, the network stack, the Fabric Services component, the NX-API feature, and the 802.1X implementation.

ome of the flaws could be exploited by a remote, authenticated attacker to execute code to cause a DoS condition on the vulnerable devices.

Many of the vulnerabilities allow local, authenticated attackers to execute arbitrary code as root, elevate privileges, install malware, gain read and write access to an important configuration file, or escape a restricted shell on the device.

Cisco also published an advisory to recommend Cisco Nexus users to secure networks where the PowerOn Auto Provisioning (POAP) feature is enabled or disable the feature.

Cisco Nexus devices support by default the automatic provisioning or zero-touch deployment feature PowerOn Auto Provisioning (POAP), a feature assisting users in automating the initial deployment and configuration of Nexus switches.

“POAP is enabled by default and activates on devices that have no startup configuration or when Perpetual POAP has been configured using the boot poap enable command.” reads the advisory.

“To disable POAP permanently, even when there is no configuration on the system, customers can use the CLI command system no poap . This command ensures that POAP is not started during the next boot, even if there is no configuration.”

Pierluigi Paganini