Check: CACI-ND-000057
Cisco ACI NDM STIG:
CACI-ND-000057
(in version v1 r0.1)
Title
The Cisco ACI must be configured to disable the auxiliary USB port. (Cat II impact)
Discussion
Disable the USB port in environments where physical access to the devices is not strictly controlled, or where this extra layer of protection is required. Cisco Nexus 9000 switches running Cisco ACI code have the USB port enabled by default. When the USB port is enabled, switches will try to boot from the USB drive first. This is a security risk if a malicious actor has physical access to the switch, because they could power-cycle the device to boot it from a USB image that contains malicious code. Although this is not a common scenario, given that most organizations have physical access security guidelines in place, Cisco ACI release 5.2(3) introduced the option to disable the USB port using a specific switch policy.
Check Content
Verify the USB port is disabled:

1. Navigate to Fabric >> Access Policies >> Policies >> Switch >> USB Configuration >> default.
2. Verify the "Disable USB Port" box is checked.

If the USB port is not disabled, this is a finding.
Fix Text
Disable the USB port on all switches within the Cisco ACI fabric:

1. Navigate to Fabric >> Access Policies >> Policies >> Switch >> USB Configuration >> default.
2. Check the "Disable USB Port" box; this disables the USB port on all switches within the Cisco ACI fabric.
Additional Identifiers
Rule ID: SV-271972r1067449_rule
Vulnerability ID: V-271972
Group Title: SRG-APP-000142-NDM-000245
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000382 | Configure the system to prohibit or restrict the use of organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services. |
Controls
| Number | Title |
|---|---|
| CM-7 | Least Functionality |