In a security alert published today, Cisco has advised owners of Nexus switches to disable a feature called PowerOn Auto Provisioning (POAP) for security reasons.
POAP is currently enabled by default in NX-OS, the operating system running on Nexus, Cisco’s line of data center and traffic-heavy switches.
POAP is an automatic provisioning and zero-touch deployment feature that assists device owners in the initial deployment and configuration of Nexus switches.
The feature works by checking for a local configuration script. If the script has been deleted, the switch has been reset to factory settings, or this is the first boot-up, the POAP daemon will connect to a preset list of servers to download an initial configuration file.
To perform this operation, the switch must first obtain an IP address from a local DHCP server. POAP configuration settings can also be passed through the DHCP response.
This is where the problem lies, according to Cisco. The company says that the POAP feature on Nexus devices will accept the first DHCP response it receives.
An attacker present on the local network can send malformed DHCP responses to Nexus switches to hijack their POAP settings and trick switches into downloading and executing configuration scripts from an attacker’s servers.
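The weakness described above is a race: whichever DHCP server answers first decides where the switch fetches its provisioning script. The following added example (not code from the article or from Cisco) shows the defender-side check an operator would want: it parses a small set of constructed DHCP offer records, flags offers from servers outside an allowlist, flags those that also carry provisioning options, and reports clients whose *first* observed offer came from an untrusted server. The log format, the allowlist, and the assumption that POAP honours options 66 (TFTP server name), 67 (bootfile name) and 150 (TFTP server address) are all assumptions of this example, not facts from the page.

```python
"""Triage DHCP offers for rogue provisioning servers (added example).

Assumed record format (constructed for this example):
  <timestamp> OFFER server=<ip> client=<mac> opts=<code>=<value>;<code>=<value>
Records are assumed to be in arrival order, which is what matters for a
feature that accepts the first response it receives.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: client ...:55 saw the trusted server first, client
# ...:66 saw a rogue server first (and that rogue offer carries provisioning
# options pointing the client at the rogue host).
SAMPLE_LOG = """\
2019-03-06T10:01:02.000Z OFFER server=10.0.0.2 client=00:11:22:33:44:55 opts=66=10.0.0.10;67=poap.cfg
2019-03-06T10:01:02.004Z OFFER server=10.0.0.77 client=00:11:22:33:44:55 opts=66=10.0.0.77;67=poap_script.py;150=10.0.0.77
2019-03-06T10:02:15.000Z OFFER server=10.0.0.77 client=00:11:22:33:44:66 opts=66=10.0.0.77;67=poap_script.py;150=10.0.0.77
2019-03-06T10:02:15.003Z OFFER server=10.0.0.2 client=00:11:22:33:44:66 opts=
"""

TRUSTED_DHCP_SERVERS = {"10.0.0.2"}   # assumed allowlist for this network
PROVISIONING_OPTIONS = {66, 67, 150}  # options assumed to steer provisioning

LINE_RE = re.compile(
    r"^(?P<ts>\S+) OFFER server=(?P<server>\S+) client=(?P<client>\S+) opts=(?P<opts>.*)$"
)


@dataclass
class Offer:
    ts: str
    server: str
    client: str
    options: dict = field(default_factory=dict)


def parse_offer(line):
    """Parse one record; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    options = {}
    for kv in filter(None, m.group("opts").split(";")):
        code, _, value = kv.partition("=")
        options[int(code)] = value
    return Offer(m.group("ts"), m.group("server"), m.group("client"), options)


def assess(offer, trusted=TRUSTED_DHCP_SERVERS):
    """Findings for a single offer; an empty list means nothing suspicious."""
    findings = []
    if offer.server not in trusted:
        findings.append("untrusted-server")
        prov = sorted(code for code in offer.options if code in PROVISIONING_OPTIONS)
        if prov:
            # An untrusted server handing out TFTP/bootfile details is the
            # pattern that would redirect an auto-provisioning client.
            findings.append("untrusted-provisioning:" + ",".join(map(str, prov)))
    return findings


def triage(log, trusted=TRUSTED_DHCP_SERVERS):
    """Return (client, server, findings) for every offer that raised a finding."""
    flagged = []
    for line in log.splitlines():
        offer = parse_offer(line)
        if offer is None:
            continue
        findings = assess(offer, trusted)
        if findings:
            flagged.append((offer.client, offer.server, findings))
    return flagged


def clients_whose_first_offer_was_untrusted(log, trusted=TRUSTED_DHCP_SERVERS):
    """Clients that would have acted on a rogue server if they take the first reply."""
    first_seen = {}
    for line in log.splitlines():
        offer = parse_offer(line)
        if offer is not None and offer.client not in first_seen:
            first_seen[offer.client] = offer
    return sorted(c for c, o in first_seen.items() if o.server not in trusted)


if __name__ == "__main__":
    for client, server, findings in triage(SAMPLE_LOG):
        print(f"{client} <- {server}: {', '.join(findings)}")
    print("first offer rogue:", clients_whose_first_offer_was_untrusted(SAMPLE_LOG))
```

Two untrusted offers are flagged in the sample, but only client `00:11:22:33:44:66` saw the rogue server first; that is the client worth investigating. In practice the same logic would be fed from DHCP snooping or a packet capture on the provisioning VLAN, and the durable fix remains the one Cisco recommends: disable POAP where it is not in use.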
This “bug” doesn’t allow hackers to take over devices by direct exploitation, but it can be immensely helpful for attackers who’ve already compromised a system on an internal network and would like to escalate their access to other devices.
Because of this, Cisco is now recommending that Nexus owners disable the POAP feature if they’re not using it.
The company has released NX-OS updates for all Nexus models that include a new terminal command to disable the feature. Details on how to use the new terminal command, along with a list of affected Nexus models are included in Cisco’s security alert.
The alert is eerily similar to the one the company issued about another automatic provisioning feature last year. Back in March 2018, Cisco told customers to disable the antiquated Smart Install feature because attackers could abuse it to take over devices. The feature did come under active exploitation a month later, in April 2018, being abused by both hacktivists and nation-state hacking groups.
Cisco also releases 30 other security fixes
Besides the POAP-related security alert, Cisco today also released patches for 30 vulnerabilities, seven of which can allow attackers to execute code with root-level privileges.
None of the fixed vulnerabilities were exploited by attackers in the wild, according to Cisco’s security team.
Last but not least, the networking giant also warned device owners of a new wave of attacks targeting CVE-2018-0296, a vulnerability impacting Cisco ASA routers that the company patched last June.
After the first wave of attacks last year, hackers are once again targeting ASA devices through CVE-2018-0296. The new attacks may be driven by a proof-of-concept script that was published on GitHub last fall and updated last month.