Information
iPXE allows a NX-OS device to boot from the network, usually using HTTP.
This method allows the switch bootup image to be controlled centrally, often using DHCP services.
Solution
Setting the boot order explicitly to "bootflash" will remediate a PXE-configured device.
switch(config)# boot order bootflash
You can also "no" the current boot order line to revert to the default setting. For instance, to remove the configuration line "boot order pxe bootflash", use
switch(config)# no boot order pxe bootflash
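A small offline audit helper for this item, added here as an example (not part of the benchmark text or any Tenable plugin): it parses a saved NX-OS running-config, reports whether any "boot order" line includes pxe, and emits the remediation commands from the Solution above. The configuration excerpts are constructed, not captured from a real device, and an absent "boot order" line is treated as the bootflash default.

```python
import re

# Constructed NX-OS running-config excerpts (sample data, not from a real device).
PXE_CONFIG = """\
hostname switch01
boot order pxe bootflash
boot nxos bootflash:/nxos-image.bin
"""
BOOTFLASH_CONFIG = """\
hostname switch02
boot order bootflash
boot nxos bootflash:/nxos-image.bin
"""
DEFAULT_CONFIG = """\
hostname switch03
boot nxos bootflash:/nxos-image.bin
"""

# Matches a 'boot order ...' line and captures the list of boot sources.
BOOT_ORDER_RE = re.compile(r"^\s*boot order\s+(.+?)\s*$", re.MULTILINE)


def boot_order_sources(config_text):
    """Return the boot sources from 'boot order' lines, in configured order.
    No 'boot order' line means the device uses the default (bootflash only)."""
    sources = []
    for match in BOOT_ORDER_RE.finditer(config_text):
        sources.extend(match.group(1).split())
    return sources or ["bootflash"]


def audit_boot_order(config_text):
    """Return (compliant, finding, remediation_commands).

    The device fails when 'pxe' appears anywhere in the boot order, since a
    network boot lets a rogue DHCP responder choose the image. Remediation is
    either of the two commands from the Solution section; both are listed."""
    sources = boot_order_sources(config_text)
    order = " ".join(sources)
    if "pxe" in sources:
        remediation = ["boot order bootflash", "no boot order " + order]
        return (False, "boot order includes pxe: " + order, remediation)
    return (True, "boot order: " + order, [])
```

Feed it the output of "show running-config" saved to a file to check a fleet of switches offline.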
Impact:
The risks of using this boot method are obvious. First, DHCP is a broadcast request, so any host (including a malicious host) can provide the DHCP response; the first response "wins". This means that a malicious actor can control the operating system being booted on the switch. In addition, the HTTP protocol is clear-text, so it is susceptible to modification in transit by an attacker. This is a less likely attack, however, as the NX-OS boot sequence has multiple checks in place to verify the validity of the OS, and all must succeed for the boot sequence to proceed.
Item Details
Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT
References: 800-53|AC-18, 800-53|AC-18(1), 800-53|AC-18(3), 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, CSCv7|11.1, CSCv7|11.3
Control ID: 274e51c715b9c9c9d5c7bd136bb1740467e07eb044fdbf800d77f755e73b8acc