1.7.2 Disable iPXE (Pre-boot eXecution Environment)

Information

iPXE allows an NX-OS device to boot its system image from the network rather than from local bootflash, usually over HTTP.

This method allows the switch boot image to be controlled centrally, with the boot server and image location typically handed out by DHCP.

Solution

Setting the boot order explicitly to "bootflash" remediates a PXE-configured device:

switch(config)# boot order bootflash

Alternatively, negate the existing boot order line to revert to the default setting. For instance, to remove the configuration line "boot order pxe bootflash", use:

switch(config)# no boot order pxe bootflash
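The following audit helper is an added example, not part of the CIS benchmark or Cisco's tooling. It parses the text of an NX-OS running configuration (the sample below is constructed, not captured from a real device), flags any boot order that contains "pxe", and emits the two remediation commands above: the "no" form of the exact line found, followed by an explicit "boot order bootflash". It assumes the boot order line appears in the running configuration as "boot order <tokens>" and that a device with no such line is at the bootflash default.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of NX-OS `show running-config` output (not captured from a
# real device). Hostname, version and image file name are placeholders.
SAMPLE_RUNNING_CONFIG = """\
!Command: show running-config
version 9.3(5)
hostname switch
boot nxos bootflash:/nxos.9.3.5.bin
boot order pxe bootflash
feature interface-vlan
"""

# Matches only the `boot order ...` configuration line; the `boot nxos ...`
# image line is deliberately not matched.
BOOT_ORDER_RE = re.compile(r"^\s*boot order\s+(\S.*?)\s*$", re.MULTILINE)


def boot_order(running_config: str) -> Optional[List[str]]:
    """Return the configured boot order tokens (e.g. ['pxe', 'bootflash']),
    or None when no `boot order` line is present."""
    match = BOOT_ORDER_RE.search(running_config)
    return match.group(1).split() if match else None


def audit_pxe(running_config: str) -> Tuple[bool, str]:
    """Return (compliant, finding). The device fails when 'pxe' appears
    anywhere in the boot order, including as a fallback after bootflash."""
    order = boot_order(running_config)
    if order is None:
        # Assumption: the platform default boots from bootflash, so a missing
        # line is treated as compliant.
        return True, "no 'boot order' line present; default (bootflash) in effect"
    if "pxe" in order:
        return False, f"network boot enabled: boot order {' '.join(order)}"
    return True, f"boot order {' '.join(order)}"


def remediation(running_config: str) -> List[str]:
    """Config-mode commands that remove any PXE boot order and pin the device
    to bootflash. Returns an empty list when nothing needs to change."""
    order = boot_order(running_config)
    if order is None or "pxe" not in order:
        return []
    # Negate the exact existing line, then set bootflash explicitly so the
    # result does not rely on the platform default.
    return [f"no boot order {' '.join(order)}", "boot order bootflash"]


if __name__ == "__main__":
    compliant, finding = audit_pxe(SAMPLE_RUNNING_CONFIG)
    print("PASS" if compliant else "FAIL", "-", finding)
    for cmd in remediation(SAMPLE_RUNNING_CONFIG):
        print("  switch(config)#", cmd)
```

The check treats "boot order bootflash pxe" as a finding too: PXE as a fallback still lets a network responder supply the image whenever the local boot fails, so the benchmark's intent is that "pxe" not appear in the boot order at all.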

Impact:

The risks of this boot method follow directly from the protocols involved. First, the DHCP request is a broadcast, so any host on the segment, including a malicious one, can answer it, and the first response wins. An attacker who wins that race controls which operating system image the switch boots.

Second, HTTP is clear-text, so the image is susceptible to modification in transit. This second attack is less likely to succeed, however, because the NX-OS boot sequence applies multiple checks to verify the validity of the image, and all of them must pass for the boot to proceed.

See Also

https://workbench.cisecurity.org/benchmarks/16139