Cisco this week patched over two dozen serious vulnerabilities affecting its Nexus switches, including flaws that can be exploited for denial-of-service (DoS) attacks, arbitrary code execution, and privilege escalation.
Separate advisories have been published by the networking giant for nearly each of the flaws, many of which impact the NX-OS software powering Nexus switches and a few other Cisco devices.
The security holes, described as “high severity” issues, impact components such as the Tetration Analytics agent, the LDAP feature, the Image Signature Verification feature, the user account management interface, the command-line interface (CLI), the Bash shell implementation, the FCoE NPV protocol implementation, the file system component, the network stack, the Fabric Services component, the NX-API feature, and the 802.1X implementation.
Many of the flaws allow local, authenticated attackers to execute arbitrary code as root, install malicious software images, elevate privileges, gain read and write access to an important configuration file, or escape a restricted shell on the device.
The few vulnerabilities that can be exploited remotely without authentication allow attackers to cause a DoS condition on affected devices. One flaw can be exploited remotely for executing arbitrary commands with root privileges by sending malicious HTTP/HTTPS packets to the management interface of an affected system, but the attacker needs to be authenticated.
Cisco discovered most of these vulnerabilities itself and the company says there is no evidence of malicious exploitation.
The company has also published an informational advisory that urges Nexus device owners to secure networks where the PowerOn Auto Provisioning (POAP) feature is used or simply disable the feature.
POAP, which is enabled by default, is designed to help organizations automate the initial deployment and configuration of Nexus switches. While the initial POAP implementation did not include options for disabling the feature, Cisco has now added several CLI commands to disable POAP.
“POAP accepts a configuration script from the first DHCP server to respond, and there is no mechanism to establish trust with the DHCP server. An attacker who is able to send a DHCP response could provide a malicious configuration to a device, which could allow the attacker to run commands at the administrator privilege level,” Cisco warned.
Last year, Cisco issued a similar warning about the Smart Install Client, a legacy utility that allows no-touch installation of new Cisco switches. Days later, reports emerged of attacks apparently exploiting the feature.
Cisco also warned earlier this month that a remote command execution flaw patched in February in some of its RV routers has been targeted by hackers.